K
Q

How to change the umask when mounting volumes in kubernetes pods

8/20/2019

Update

Using fsGroup in a SecurityContext allows the "group" permissions on the final mounting point to be set. So referring to the example below (/mydata/storage/sample/one) the perms for "one" will allow the fsGroup ID write access. However, none of the parent folders: "mydata", "storage", "sample" will have any permissions for that fsGroup. The are owned by root:root and have 755 as their permissions.

This is a huge problem if the running processes (runAsUser and runAsGroup) try to create files/folders in any of the parent paths

Original Post

When mounting volumes inside pods to containers, the mountpath does not need to exist. And it will be created. However this directories in this path get created with certain umask (i believe it's 0022).

I have set the umask in Dockerfile but it has not made any difference.

Is there a way to change that in the deployment yaml file?

Example (copied from Kubernetes docs)

$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis
  namespace: play
spec:
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: redis-storage
      mountPath: /mydata/storage/sample/one
  volumes:
  - name: redis-storage
    emptyDir: {}

$ kubectl apply -f pod.yaml
pod/redis created



$ kubectl get pods -n play --watch
NAME    READY   STATUS    RESTARTS   AGE
redis   1/1     Running   0          67s


$ kubectl exec -it redis -n play bash
root@redis:/data# ls -l /
total 72
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 bin
drwxr-xr-x   2 root  root  4096 May 13 20:25 boot
drwxr-xr-x   2 redis redis 4096 Aug 14 14:11 data
drwxr-xr-x   5 root  root   360 Aug 20 04:25 dev
drwxr-xr-x   1 root  root  4096 Aug 20 04:25 etc
drwxr-xr-x   2 root  root  4096 May 13 20:25 home
drwxr-xr-x   1 root  root  4096 Aug 14 14:11 lib
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 lib64
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 media
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 mnt
drwxr-xr-x   3 root  root  4096 Aug 20 04:25 mydata
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 opt
dr-xr-xr-x 743 root  root     0 Aug 20 04:25 proc
drwx------   1 root  root  4096 Aug 14 14:10 root
drwxr-xr-x   1 root  root  4096 Aug 20 04:25 run
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 sbin
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 srv
dr-xr-xr-x  13 root  root     0 Aug 19 21:55 sys
drwxrwxrwt   1 root  root  4096 Aug 14 14:11 tmp
drwxr-xr-x   1 root  root  4096 Aug 12 00:00 usr
drwxr-xr-x   1 root  root  4096 Aug 12 00:00 var
root@redis:/data# ls -l /mydata/
total 4
drwxr-xr-x 3 root root 4096 Aug 20 04:25 storage
-- Jeff Saremi
docker
kubernetes

Similar Questions

Docker - How the json-file Driver Works
Deploying adaptive multi-user Dask cluster on Kubernetes
How to Properly Update the Status of a Job
How to auto scale on Kubernetes (GKE) with a pod that runs one per node and uses all available resources?
Running and inspecting sanity of deployments on Kubernetes
kubernetes vpa for CronJob
replicaof directive not allowed in cluster mode
How to permanently stop alertmanager-operated service from using port 9093 on Kubernetes?
vault write command using shell script
elasticsearch on kubernetes giving me resource not found errors when running guide
error validating data in cronjob in kubernetes

1 Answer

8/20/2019

I think you need to setup SecurityContext in kubernetes, Example from the Docs:

Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID).

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

continue reading

-- LinPy
Source: StackOverflow