I'm able to create an NFS server using Docker, then mount it from an external computer on the network. My laptop for example.
Docker example:
docker run -itd --privileged \
--restart unless-stopped \
-e SHARED_DIRECTORY=/data \
-v /home/user/nfstest/data:/data \
-p 2049:2049 \
itsthenetwork/nfs-server-alpineI am to mount the above server onto a local machine using
sudo mount -v 192.168.60.80:/ nfsFrom my local laptop, I always get permission errors when trying to mount an NFS share that is hosted by Kubernetes. Can someone please explain why I may be getting permission errors not allowing me to mount the NFS share when creating the NFS server with Kubernetes?
As an example, I create my persistent volume:
piVersion: v1 [0/1864]
kind: PersistentVolume
metadata:
name: nfs-pv
spec:
capacity:
storage: 80Gi
accessModes:
- ReadWriteMany
storageClassName: local-nfs-storage
local:
path: "/home/rancher/nexus-data"
persistentVolumeReclaimPolicy: Retain
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- kubenode-02Then create the persistent volume claim:
apiVersion: v1 [0/1865]
kind: PersistentVolumeClaim
metadata:
name: nfs-pvc
spec:
storageClassName: local-nfs-storage
accessModes:
- ReadWriteMany
resources:
requests:
storage: 80GiLast, I create the NFS server deployment. I use the external IP service (externalIPs) so that I can connect to the pod from anywhere outside of my Kubernetes network. I can Nmap the ports from my laptop and see that they are open.
---
kind: Service
apiVersion: v1
metadata:
name: nfs-service
spec:
selector:
role: nfs
ports:
# Open the ports required by the NFS server
# Port 2049 for TCP
- name: tcp-2049
targetPort: 2049
port: 2049
protocol: TCP
# Port 111 for UDP
- name: udp-111
targetPort: 111
port: 111
protocol: UDP
# Use host network with external IP service
externalIPs:
- 192.168.60.42
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nfs-server
spec:
replicas: 1
selector:
matchLabels:
role: nfs
template:
metadata:
name: nfs-server
labels:
role: nfs
spec:
volumes:
- name: nfs-pv-storage
persistentVolumeClaim:
claimName: nfs-pvc
securityContext:
fsGroup: 1000
containers:
- name: nfs-server-container
image: itsthenetwork/nfs-server-alpine
securityContext:
privileged: true
env:
# Pass the path to share data
- name: SHARED_DIRECTORY
value: "/exports"
volumeMounts:
- mountPath: "/exports"
name: nfs-pv-storageI have tried playing with Pod Security policies such as fsGroup, runAsUser, and runAsGroup. I have played with different permissions for the local folder I am mounting the NFS share onto. I have also tried different options for /etc/exports within the NFS pod. No matter what, I get a permission denied when trying to mount the NFS share to a local computer.
I AM able to mount the Kubernetes NFS share from within a separate Kubernetes Pod.
Is there something I do not understand about how the Kubernetes network handles external traffic?