Is the use of filesystem access control lists a good practice for cloud-native application design? Do native K8s storage types support it?
I would like to assign file permissions based on Linux file system groups. I want only specific users to have RWX access and others to be limited to read. Do commonly used storage types support it, or do some not?
Yes, permissions for specific users (`UID`) and groups (`GID`) can be set for volumes mounted in containers in three ways:

1. Security Context - using the security context, we can specify the User ID (`UID`) for `runAsUser`, the Group ID (`GID`) for `runAsGroup`, and `fsGroup`:
```yaml
...
kind: Pod
...
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  ...
  containers:
  ...
```
2. Use `chown` and/or `chmod` in init containers:
```yaml
...
kind: Pod
...
spec:
  initContainers:
    - name: set-data-dir-permission
      image: my_image
      command:
        - chown
        - -R
        - myuser:mygroup
        - /my_directory
      volumeMounts:
        - name: data
          mountPath: /my_directory
  containers:
  ...
```
3. Using the `readOnly`, `mode` and `accessModes` fields for persistent volumes.
Kubernetes also supports assigning SELinux labels to a container using the `seLinuxOptions` field in the `securityContext` section of the Pod manifest. The `seLinuxOptions` field is an `SELinuxOptions` object.
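A full Pod manifest that applies the answer's init-container `chown`/`chmod` method and the `readOnly` mount field together, so one container gets RWX on the volume and another only read. This is an added example, not part of the original answer; the pod name, the `busybox` image tag, UIDs 1000/4000, GID 2000 and the `emptyDir` volume are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: volume-perms-demo        # assumed name
spec:
  volumes:
    - name: data
      emptyDir: {}               # assumed; any RWX-capable volume behaves the same
  initContainers:
    - name: set-data-dir-permission
      image: busybox:1.36        # assumed image
      securityContext:
        runAsUser: 0             # chown/chmod on files it does not own needs root
      command:
        - sh
        - -c
        - |
          chown -R 1000:2000 /my_directory
          # owner and group 2000: rwx; everyone else: r-x only.
          # The setgid bit (the leading 2) makes new files inherit group 2000.
          chmod -R 2775 /my_directory
      volumeMounts:
        - name: data
          mountPath: /my_directory
  containers:
    - name: writer
      image: busybox:1.36
      securityContext:
        runAsUser: 1000          # directory owner -> read, write, execute
        runAsGroup: 2000
      command: ["sh", "-c", "touch /my_directory/written-by-writer && sleep 3600"]
      volumeMounts:
        - name: data
          mountPath: /my_directory
    - name: reader
      image: busybox:1.36
      securityContext:
        runAsUser: 4000          # neither owner nor in group 2000 -> r-x via mode bits
        runAsGroup: 4000
      command: ["sh", "-c", "ls -ln /my_directory && sleep 3600"]
      volumeMounts:
        - name: data
          mountPath: /my_directory
          readOnly: true         # second layer: the mount itself refuses writes
```

`fsGroup` is deliberately left out: it is pod-wide and is added as a supplementary group to every container's process, so it cannot give one container write access and another read-only access to the same volume; that split needs distinct `runAsUser`/`runAsGroup` values or a `readOnly` mount, as above.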