Can we set file permissions based on file system groups or ACL for cloud native applications?

7/26/2019

Is the usage of filesystem access control lists a good practice for cloud-native application design? Do native K8s storage types support it?

I would like to assign file permissions based on Linux file system groups. I want only specific users to have RWX access and others to be limited to Read. Do commonly used storage types support it, or do some not?

-- Kodar
amazon-web-services
azure-aks
azure-storage
google-cloud-platform
kubernetes

1 Answer

7/26/2019

Yes, permissions for specific users (UID) and groups (GID) can be set for volumes mounted in containers in three ways:

  1. Security Context - using security context, we can specify

    • User ID (UID) for runAsUser

    • Group ID (GID) for runAsGroup and fsGroup

    ...
    kind: Pod
    ...
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
      volumes:
      ...
      containers:
      ...
  2. Use chown and/or chmod in Init containers

    ...
    kind: Pod
    ...
    spec:
      initContainers:
      - name: set-data-dir-permission
        image: my_image
        command:
        - chown
        - -R
        - myuser:mygroup
        - /my_directory
        volumeMounts:
        - name: data
          mountPath: /my_directory
      containers:
      ...
    
  3. Using the readOnly, mode and accessModes fields for persistent volumes.

Kubernetes also supports assigning SELinux labels to a Container using the seLinuxOptions field in the securityContext section of the Pod manifest. The seLinuxOptions field is an SELinuxOptions object.

-- Vikram Hosakote
Source: StackOverflow
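A complete manifest that combines the three mechanisms from the answer above (pod security context, a one-off init container, and a read-only mount), added here as an example and not part of the original answer. The pod name, the images, and the PVC name `acl-demo-data` are assumptions, and the volume is assumed to be a block volume formatted ext4 or xfs, which honours chown/chmod and kubelet's fsGroup ownership management. The init container is the portable fallback for volume types where fsGroup is not applied (for example hostPath or NFS).

```yaml
# Added example, not from the original answer. Assumed: pod name, images,
# PVC "acl-demo-data" backed by an ext4/xfs block volume.
apiVersion: v1
kind: Pod
metadata:
  name: acl-demo
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                     # UID the application processes run as
    runAsGroup: 3000                    # primary GID of the application processes
    fsGroup: 2000                       # supplementary GID; volume files are owned by this group
    fsGroupChangePolicy: "OnRootMismatch"  # Kubernetes 1.23+: skip the recursive chown
                                           # when the volume root already has GID 2000
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: acl-demo-data          # assumed ReadWriteOnce PVC
  initContainers:
  - name: set-data-dir-permission
    image: busybox:1.36                 # assumed; only needs chown/chmod/find
    securityContext:                    # container-level overrides the pod-level setting:
      runAsUser: 0                      # root only for this one-shot fix, then it exits
      runAsNonRoot: false
    command:
    - sh
    - -c
    - |
      set -e
      chown 1000:2000 /data
      # setgid bit so new files inherit GID 2000; group rwx, everyone else read-only
      chmod 2775 /data
      # existing regular files: owner/group rw, others read-only
      find /data -type f -exec chmod 664 {} +
    volumeMounts:
    - name: data
      mountPath: /data
  containers:
  - name: writer                        # member of GID 2000 via fsGroup: full RWX
    image: my-app:1.0                   # assumed
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
    volumeMounts:
    - name: data
      mountPath: /data
  - name: reader                        # same pod, but the mount itself is read-only
    image: my-reporter:1.0              # assumed
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
    volumeMounts:
    - name: data
      mountPath: /data
      readOnly: true                    # enforced by the mount, independent of file mode
```

Two caveats a practitioner should keep in mind. First, fsGroup is a pod-level field and every container in the pod receives that supplementary group, so "writer" and "reader" inside one pod cannot be separated by group membership alone; the `readOnly: true` mount does that separation, and a different pod running with another fsGroup falls into the "others" class of the 2775 mode. Second, finer-grained POSIX ACLs (`setfacl`) work on ext4/xfs-backed volumes but require the ACL tools in the init image, and network file volumes may ignore chown, chmod and fsGroup entirely, so verify the behaviour on the storage class you actually use.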