Kubernetes NFS持久卷权限被拒绝 [英] Kubernetes NFS persistent volumes permission denied
问题描述
我有一个在Kubernetes中的POD上运行的应用程序. 我想将一些输出文件日志存储在持久存储卷上.
I have an application running over a POD in Kubernetes. I would like to store some output file logs on a persistent storage volume.
为此,我在NFS上创建了一个卷,并通过相关的卷声明将其绑定到POD. 当我尝试写入或访问共享文件夹时,由于NFS显然是只读的,因此我收到权限被拒绝"消息.
In order to do that, I created a volume over the NFS and bound it to the POD through the related volume claim. When I try to write or accede the shared folder I got a "permission denied" message, since the NFS is apparently read-only.
以下是我用来创建卷的json文件:
The following is the json file I used to create the volume:
{
"kind": "PersistentVolume",
"apiVersion": "v1",
"metadata": {
"name": "task-pv-test"
},
"spec": {
"capacity": {
"storage": "10Gi"
},
"nfs": {
"server": <IPAddress>,
"path": "/export"
},
"accessModes": [
"ReadWriteMany"
],
"persistentVolumeReclaimPolicy": "Delete",
"storageClassName": "standard"
}
}
以下是POD配置文件
kind: Pod
apiVersion: v1
metadata:
name: volume-test
spec:
volumes:
- name: task-pv-test-storage
persistentVolumeClaim:
claimName: task-pv-test-claim
containers:
- name: volume-test
image: <ImageName>
volumeMounts:
- mountPath: /home
name: task-pv-test-storage
readOnly: false
是否可以更改权限?
更新
这是PVC和NFS配置:
Here are the PVC and NFS config:
PVC:
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: task-pv-test-claim
spec:
storageClassName: standard
accessModes:
- ReadWriteMany
resources:
requests:
storage: 3Gi
NFS配置
{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "nfs-client-provisioner-557b575fbc-hkzfp",
"generateName": "nfs-client-provisioner-557b575fbc-",
"namespace": "default",
"selfLink": "/api/v1/namespaces/default/pods/nfs-client-provisioner-557b575fbc-hkzfp",
"uid": "918b1220-423a-11e8-8c62-8aaf7effe4a0",
"resourceVersion": "27228",
"creationTimestamp": "2018-04-17T12:26:35Z",
"labels": {
"app": "nfs-client-provisioner",
"pod-template-hash": "1136131967"
},
"ownerReferences": [
{
"apiVersion": "extensions/v1beta1",
"kind": "ReplicaSet",
"name": "nfs-client-provisioner-557b575fbc",
"uid": "3239b14a-4222-11e8-8c62-8aaf7effe4a0",
"controller": true,
"blockOwnerDeletion": true
}
]
},
"spec": {
"volumes": [
{
"name": "nfs-client-root",
"nfs": {
"server": <IPAddress>,
"path": "/Kubernetes"
}
},
{
"name": "nfs-client-provisioner-token-fdd2c",
"secret": {
"secretName": "nfs-client-provisioner-token-fdd2c",
"defaultMode": 420
}
}
],
"containers": [
{
"name": "nfs-client-provisioner",
"image": "quay.io/external_storage/nfs-client-provisioner:latest",
"env": [
{
"name": "PROVISIONER_NAME",
"value": "<IPAddress>/Kubernetes"
},
{
"name": "NFS_SERVER",
"value": <IPAddress>
},
{
"name": "NFS_PATH",
"value": "/Kubernetes"
}
],
"resources": {},
"volumeMounts": [
{
"name": "nfs-client-root",
"mountPath": "/persistentvolumes"
},
{
"name": "nfs-client-provisioner-token-fdd2c",
"readOnly": true,
"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
}
],
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"imagePullPolicy": "Always"
}
],
"restartPolicy": "Always",
"terminationGracePeriodSeconds": 30,
"dnsPolicy": "ClusterFirst",
"serviceAccountName": "nfs-client-provisioner",
"serviceAccount": "nfs-client-provisioner",
"nodeName": "det-vkube-s02",
"securityContext": {},
"schedulerName": "default-scheduler",
"tolerations": [
{
"key": "node.kubernetes.io/not-ready",
"operator": "Exists",
"effect": "NoExecute",
"tolerationSeconds": 300
},
{
"key": "node.kubernetes.io/unreachable",
"operator": "Exists",
"effect": "NoExecute",
"tolerationSeconds": 300
}
]
},
"status": {
"phase": "Running",
"hostIP": <IPAddress>,
"podIP": "<IPAddress>,
"startTime": "2018-04-17T12:26:35Z",
"qosClass": "BestEffort"
}
}
我刚刚从nfs配置中删除了一些状态信息以使其更短
I have just removed some status information from the nfs config to make it shorter
推荐答案
如果为pod配置设置了正确的securityContext
,则可以确保已使用适当的权限安装了卷.
If you set the proper securityContext
for the pod configuration you can make sure the volume is mounted with proper permissions.
示例:
apiVersion: v1
kind: Pod
metadata:
name: demo
spec:
securityContext:
fsGroup: 2000
volumes:
- name: task-pv-test-storage
persistentVolumeClaim:
claimName: task-pv-test-claim
containers:
- name: demo
image: example-image
volumeMounts:
- name: task-pv-test-storage
mountPath: /data/demo
在上面的示例中,存储将安装在具有fsGroup
设置的2000组ID的/data/demo
上.您需要找出正在使用的用户的组ID.为此,运行容器并键入id
并查找gid
.
In the above example the storage will be mounted at /data/demo
with 2000 group id, which is set by fsGroup
. You need to find out the group id of the user you are using. For that run the container and type id
and look for gid
.
要运行容器并获取id
类型的结果,请执行以下操作:docker run --rm -it example-image id
To run the container and get the results of id
type: docker run --rm -it example-image id
您可以在此处阅读有关Pod安全上下文的更多信息: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
You can read more about pod security context here: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
这篇关于Kubernetes NFS持久卷权限被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!