Is the use of filesystem access control lists a good practice for cloud-native application design? Do native K8s storage types support it?
I would like to assign file permissions based on Linux file system groups. I want only specific users to have RWX access and others to be limited to read. Do commonly used storage types support it, or do some not?
Yes, permissions for specific users (UID) and groups (GID) can be set for volumes mounted in containers in three ways:
Security Context - using the security context, we can specify:
- User ID (UID) for runAsUser
- Group ID (GID) for runAsGroup and fsGroup
```yaml
...
kind: Pod
...
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  ...
  containers:
  ...
```
Use chown and/or chmod in init containers:
```yaml
...
kind: Pod
...
spec:
  initContainers:
  - name: set-data-dir-permission
    image: my_image
    command:
    - chown
    - -R
    - myuser:mygroup
    - /my_directory
    volumeMounts:
    - name: data
      mountPath: /my_directory
  containers:
  ...
```
Using the readOnly, mode and accessModes fields for persistent volumes.
Kubernetes also supports assigning SELinux labels to a Container using the seLinuxOptions field in the securityContext section of the Pod manifest. The seLinuxOptions field is an SELinuxOptions object.
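As an added example that is not part of the original answer, the following lint walks a parsed Pod manifest and reports, for every writable volume mount, whether at least one of the three controls listed above covers it: a pod-level fsGroup (which makes the kubelet set the volume's group and make it group-writable), an init container that runs chown or chmod against the mount path, or a readOnly mount. It also flags containers that run as root, since file-system group permissions do not restrict UID 0, and it treats hostPath volumes as not covered by fsGroup, because the kubelet does not change ownership of those. The field names are the real Kubernetes ones; the three sample manifests at the bottom are constructed for illustration (they are not from any real cluster), and loading a real manifest with PyYAML's safe_load is left to the caller.

```python
from typing import Any, Dict, List, Set

Manifest = Dict[str, Any]


def _init_fix_targets(spec: Manifest) -> Set[str]:
    """mountPaths that some init container chowns or chmods (control 2)."""
    targets: Set[str] = set()
    for init in spec.get("initContainers", []):
        argv = list(init.get("command", [])) + list(init.get("args", []))
        # Accept both exec-form argv and `sh -c "chown ..."` style strings.
        if not any("chown" in tok or "chmod" in tok for tok in argv):
            continue
        for vm in init.get("volumeMounts", []):
            path = vm.get("mountPath", "")
            if path and any(path in tok for tok in argv):
                targets.add(path)
    return targets


def _volume_types(spec: Manifest) -> Dict[str, str]:
    """Map volume name -> volume source key (persistentVolumeClaim, hostPath, ...)."""
    return {
        v["name"]: next((k for k in v if k != "name"), "unknown")
        for v in spec.get("volumes", [])
    }


def check_pod_volume_permissions(pod: Manifest) -> List[str]:
    """Return human-readable findings; an empty list means every writable mount is covered."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    fixed_paths = _init_fix_targets(spec)
    vtypes = _volume_types(spec)
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")

    for ctr in spec.get("containers", []):
        ctr_sc = ctr.get("securityContext", {})
        # A container-level runAsUser overrides the pod-level one.
        uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is None or uid == 0:
            findings.append(
                f"{pod_name}/{ctr['name']}: runs as root (runAsUser unset or 0); "
                "group-based file permissions do not restrict UID 0"
            )
        for vm in ctr.get("volumeMounts", []):
            path = vm.get("mountPath", "?")
            vtype = vtypes.get(vm.get("name"), "undeclared")
            if vm.get("readOnly"):
                continue  # control 3: read-only mount
            if "fsGroup" in pod_sc and vtype != "hostPath":
                continue  # control 1: kubelet applies fsGroup (not for hostPath)
            if path in fixed_paths:
                continue  # control 2: init container chown/chmod
            findings.append(
                f"{pod_name}/{ctr['name']}: writable mount {path} ({vm.get('name')}, {vtype}) "
                "has no effective fsGroup, no init-container chown/chmod and is not readOnly"
            )
    return findings


# Constructed sample manifests (illustrative only).
HARDENED_POD: Manifest = {
    "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data-pvc"}}],
        "containers": [{"name": "app", "image": "my_image",
                        "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
    },
}

WEAK_POD: Manifest = {
    "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data-pvc"}},
                    {"name": "cfg", "configMap": {"name": "app-cfg"}},
                    {"name": "scratch", "emptyDir": {}}],
        "initContainers": [{"name": "fix-perms", "image": "my_image",
                            "command": ["chown", "-R", "myuser:mygroup", "/data"],
                            "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
        "containers": [{"name": "app", "image": "my_image",
                        "volumeMounts": [{"name": "data", "mountPath": "/data"},
                                         {"name": "cfg", "mountPath": "/etc/app", "readOnly": True},
                                         {"name": "scratch", "mountPath": "/scratch"}]}],
    },
}

HOSTPATH_POD: Manifest = {
    "kind": "Pod", "metadata": {"name": "hostpath"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "fsGroup": 2000},
        "volumes": [{"name": "scratch", "hostPath": {"path": "/var/tmp/scratch"}}],
        "containers": [{"name": "app", "image": "my_image",
                        "volumeMounts": [{"name": "scratch", "mountPath": "/scratch"}]}],
    },
}

if __name__ == "__main__":
    for pod in (HARDENED_POD, WEAK_POD, HOSTPATH_POD):
        print(pod["metadata"]["name"], check_pod_volume_permissions(pod) or "OK")
```

Running it on the three samples reports nothing for the hardened pod, two findings for the weak pod (root container and the uncovered /scratch mount; /data is covered by the init container and /etc/app by readOnly), and one finding for the hostPath pod even though fsGroup is set.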