Reputation: 3
Is there a way to restrict access to directories within a Kubernetes container?
If I have two groups that are not root users that will access a container's directory structure, is there a way to fine tune permissions such that Group 1 can have WRITE permissions on /DIR1, but Group 2 only has READ or even NO ACCESS permissions on /DIR1? Assuming that this /DIR1 is NOT A MOUNTED VOLUME?
Does the answer change if the directory IS a mounted volume?
I am unable to find an absolute answer online, but I think I might be touching on something called a security context, though I can't quite wrap my head around it, so I don't know if I am understanding it correctly as the examples always show a root, and a non-root user. But never two non-root users.
I have considered the following avenues:
- RoleBindings, but I am unable to find how I can limit or tweak something like the existing Read-Only role to point to specific directories? It seems to read K8 resources.
- I cannot completely remove all roles from Group 2 as they will have to access the pods at some point to troubleshoot. Maybe.
- I know you can chmod / chown in the dockerfile during image build, but.... not sure how this would tie into users that log in and a variety of groups that may need to access the same directory. Like what if Group 1 and Group 3 need access? Can you chown 2 groups? Does it even work like that?
Upvotes: -1
Views: 30
Answers (1)
Reputation: 16
In your Dockerfile, create groups/users and set strict permissions:
RUN groupadd group1 && groupadd group2 && \
useradd -g group1 user1 && useradd -g group2 user2 && \
mkdir /DIR1 && \
chown user1:group1 /DIR1 && \ # Owned by user1 and group1
chmod 770 /DIR1 # rwx for owner/group, no access for others
In the pod’s YAML, set the runtime identity:
securityContext:
runAsUser: 1000
runAsGroup: 1000
Use fsGroup to set volume group:
securityContext:
fsGroup: 1000
(if you want to) Use an initContainer to fix permissions:
initContainers:
- name: fix-permissions
image: busybox
command: ["sh", "-c", "chmod 770 /DIR1"]
volumeMounts:
- name: my-volume
mountPath: /DIR1
Upvotes: 0
Related Questions
- Kubernetes mounted EFS shows access denied when writing to it
- Kubernetes: how to set VolumeMount user group and file permissions
- files permssion ownership change in kubernetes volume attached to application container
- Docker in Docker cannot mount volume
- Is there a method to share a file across container with write & read access in kubernetes
- Kubernetes use the same volumeMount in initContainer and Container
- Kubernetes Permission denied in container
- Cannot mount volume as non-root using securityContext