在kubernetes容器中安装卷时如何更改umask [英] How to change the umask when mounting volumes in kubernetes pods

问题描述

在SecurityContext中使用fsGroup允许在最终安装点上设置组"权限.因此，参考下面的示例(/mydata/storage/sample/one)，一"的权限将允许fsGroup ID写入访问.但是，没有任何父文件夹:"mydata"，"storage"，"sample"具有该fsGroup的任何权限.的所有者为root:root并具有755作为其权限.

Using fsGroup in a SecurityContext allows the "group" permissions on the final mounting point to be set. So referring to the example below (/mydata/storage/sample/one) the perms for "one" will allow the fsGroup ID write access. However, none of the parent folders: "mydata", "storage", "sample" will have any permissions for that fsGroup. The are owned by root:root and have 755 as their permissions.

如果正在运行的进程(runAsUser和runAsGroup)尝试在任何父路径中创建文件/文件夹，这将是一个巨大的问题

This is a huge problem if the running processes (runAsUser and runAsGroup) try to create files/folders in any of the parent paths

在将容器内的容器中的卷安装到容器时，不需要存在安装路径.它将被创建.但是，此路径中的此目录是使用某些umask创建的(我相信它是0022).

When mounting volumes inside pods to containers, the mountpath does not need to exist. And it will be created. However this directories in this path get created with certain umask (i believe it's 0022).

我已经在Dockerfile中设置了umask，但是没有任何区别.

I have set the umask in Dockerfile but it has not made any difference.

是否可以在部署yaml文件中更改它?

Is there a way to change that in the deployment yaml file?

示例(从Kubernetes文档复制)

Example (copied from Kubernetes docs)

$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis
  namespace: play
spec:
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: redis-storage
      mountPath: /mydata/storage/sample/one
  volumes:
  - name: redis-storage
    emptyDir: {}

$ kubectl apply -f pod.yaml
pod/redis created



$ kubectl get pods -n play --watch
NAME    READY   STATUS    RESTARTS   AGE
redis   1/1     Running   0          67s


$ kubectl exec -it redis -n play bash
root@redis:/data# ls -l /
total 72
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 bin
drwxr-xr-x   2 root  root  4096 May 13 20:25 boot
drwxr-xr-x   2 redis redis 4096 Aug 14 14:11 data
drwxr-xr-x   5 root  root   360 Aug 20 04:25 dev
drwxr-xr-x   1 root  root  4096 Aug 20 04:25 etc
drwxr-xr-x   2 root  root  4096 May 13 20:25 home
drwxr-xr-x   1 root  root  4096 Aug 14 14:11 lib
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 lib64
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 media
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 mnt
drwxr-xr-x   3 root  root  4096 Aug 20 04:25 mydata
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 opt
dr-xr-xr-x 743 root  root     0 Aug 20 04:25 proc
drwx------   1 root  root  4096 Aug 14 14:10 root
drwxr-xr-x   1 root  root  4096 Aug 20 04:25 run
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 sbin
drwxr-xr-x   2 root  root  4096 Aug 12 00:00 srv
dr-xr-xr-x  13 root  root     0 Aug 19 21:55 sys
drwxrwxrwt   1 root  root  4096 Aug 14 14:11 tmp
drwxr-xr-x   1 root  root  4096 Aug 12 00:00 usr
drwxr-xr-x   1 root  root  4096 Aug 12 00:00 var
root@redis:/data# ls -l /mydata/
total 4
drwxr-xr-x 3 root root 4096 Aug 20 04:25 storage

推荐答案

我认为您需要在kubernetes中设置SecurityContext，例如文档中的示例:

I think you need to setup SecurityContext in kubernetes, Example from the Docs:

自由访问控制:访问对象的权限，例如 文件，基于用户ID(UID)和组ID(GID).

Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID).

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

继续阅读

这篇关于在kubernetes容器中安装卷时如何更改umask的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！