Allowing access to a PersistentVolumeClaim to non-root user

Question

In Kubernetes I can use a PersistentVolumeClaim to create some storage, which I can later mount in some container.

However, if the user in the container is not root, that user will not be able to access that directory because it is owned by root.

What is the right way to access such a volume? (I did not find any user/permission options both when creating and mounting that volume.)

Recommended answer

First, find out the UID number your process is running as.

Then you can tell Kubernetes to chown (sort of) the mount point of the volume for your pod by adding .spec.securityContext.fsGroup:

spec:
  ...
  securityContext:
    fsGroup: 2000

fsGroup: integer: A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume.
