Kubernetes Permission denied for mounted nfs volume

6/14/2018

The following is the k8s definition used:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pv-provisioning-demo
  labels:
    demo: nfs-pv-provisioning
spec:
  accessModes: [ "ReadWriteOnce" ]
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: ReplicationController
metadata:
  name: nfs-server
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  replicas: 1
  selector:
    role: nfs-server
  template:
    metadata:
      labels:
        role: nfs-server
    spec:
      containers:
      - name: nfs-server
        image: k8s.gcr.io/volume-nfs:0.8
        ports:
          - name: nfs
            containerPort: 2049
          - name: mountd
            containerPort: 20048
          - name: rpcbind
            containerPort: 111
        securityContext:
          privileged: true
        volumeMounts:
          - mountPath: /exports
            name: mypvc
      volumes:
        - name: mypvc
          persistentVolumeClaim:
            claimName: nfs-pv-provisioning-demo
---
kind: Service
apiVersion: v1
metadata:
  name: nfs-server
spec:
  ports:
    - name: nfs
      port: 2049
    - name: mountd
      port: 20048
    - name: rpcbind
      port: 111
  selector:
    role: nfs-server
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfs
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    # FIXME: use the right IP
    server: nfs-server
    path: "/"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ""
  resources:
    requests:
      storage: 1Gi
---
# This mounts the nfs volume claim into /mnt and continuously
# overwrites /mnt/index.html with the time and hostname of the pod.

apiVersion: v1
kind: ReplicationController
metadata:
  name: nfs-busybox
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  replicas: 2
  selector:
    name: nfs-busybox
  template:
    metadata:
      labels:
        name: nfs-busybox
    spec:
      containers:
      - image: busybox
        command:
          - sh
          - -c
          - 'while true; do date > /mnt/index.html; hostname >> /mnt/index.html; sleep $(($RANDOM % 5 + 5)); done'
        imagePullPolicy: IfNotPresent
        name: busybox
        volumeMounts:
          # name must match the volume name below
          - name: nfs
            mountPath: "/mnt"
      volumes:
      - name: nfs
        persistentVolumeClaim:
          claimName: nfs

Now /mnt directory in nfs-busybox should have 2000 as gid(as per docs). But it still have root and root as user and group. Since application is running with 1000/2000 its not able to create any logs or data in /mnt directory.

chmod might solve the issue, but it looks like work around. Is there any permenant solution for this?

Observations: If i replace nfs with some other PVC its working fine as told in docs.

-- lokanadham100
kubernetes
persistent-volume-claims
persistent-volumes

1 Answer

6/15/2018

Have you tried initContainers method? It fixes permissions on an exported directory:

initContainers:
    - name: volume-mount-hack
      image: busybox
      command: ["sh", "-c", "chmod -R 777 /exports"]
      volumeMounts:
      - name: nfs
        mountPath: /exports 

If you use a standalone NFS server on Linux box, I suggest using no_root_squash option:

/exports *(rw,no_root_squash,no_subtree_check)

To manage the directory permission on nfs-server, there is a need to change security context and raise it to privileged mode:

apiVersion: v1
kind: Pod
metadata:
  name: nfs-server
  labels:
    role: nfs-server
spec:
  containers:
    - name: nfs-server
      image: nfs-server
      ports:
        - name: nfs
          containerPort: 2049
      securityContext:
        privileged: true
-- d0bry
Source: StackOverflow