在kubernetes容器中安装卷时如何更改umask [英] How to change the umask when mounting volumes in kubernetes pods
问题描述
在SecurityContext
中使用fsGroup
允许在最终安装点上设置组"权限.因此,参考下面的示例(/mydata/storage/sample/one),一"的权限将允许fsGroup ID写入访问.但是,没有任何父文件夹:"mydata","storage","sample"具有该fsGroup的任何权限.的所有者为root:root
并具有755
作为其权限.
Using fsGroup
in a SecurityContext
allows the "group" permissions on the final mounting point to be set. So referring to the example below (/mydata/storage/sample/one) the perms for "one" will allow the fsGroup ID write access. However, none of the parent folders: "mydata", "storage", "sample" will have any permissions for that fsGroup. The are owned by root:root
and have 755
as their permissions.
如果正在运行的进程(runAsUser
和runAsGroup
)尝试在任何父路径中创建文件/文件夹,这将是一个巨大的问题
This is a huge problem if the running processes (runAsUser
and runAsGroup
) try to create files/folders in any of the parent paths
在将容器内的容器中的卷安装到容器时,不需要存在安装路径.它将被创建.但是,此路径中的此目录是使用某些umask创建的(我相信它是0022).
When mounting volumes inside pods to containers, the mountpath does not need to exist. And it will be created. However this directories in this path get created with certain umask (i believe it's 0022).
我已经在Dockerfile中设置了umask,但是没有任何区别.
I have set the umask in Dockerfile but it has not made any difference.
是否可以在部署yaml文件中更改它?
Is there a way to change that in the deployment yaml file?
示例(从Kubernetes文档复制)
Example (copied from Kubernetes docs)
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: redis
namespace: play
spec:
containers:
- name: redis
image: redis
volumeMounts:
- name: redis-storage
mountPath: /mydata/storage/sample/one
volumes:
- name: redis-storage
emptyDir: {}
$ kubectl apply -f pod.yaml
pod/redis created
$ kubectl get pods -n play --watch
NAME READY STATUS RESTARTS AGE
redis 1/1 Running 0 67s
$ kubectl exec -it redis -n play bash
root@redis:/data# ls -l /
total 72
drwxr-xr-x 2 root root 4096 Aug 12 00:00 bin
drwxr-xr-x 2 root root 4096 May 13 20:25 boot
drwxr-xr-x 2 redis redis 4096 Aug 14 14:11 data
drwxr-xr-x 5 root root 360 Aug 20 04:25 dev
drwxr-xr-x 1 root root 4096 Aug 20 04:25 etc
drwxr-xr-x 2 root root 4096 May 13 20:25 home
drwxr-xr-x 1 root root 4096 Aug 14 14:11 lib
drwxr-xr-x 2 root root 4096 Aug 12 00:00 lib64
drwxr-xr-x 2 root root 4096 Aug 12 00:00 media
drwxr-xr-x 2 root root 4096 Aug 12 00:00 mnt
drwxr-xr-x 3 root root 4096 Aug 20 04:25 mydata
drwxr-xr-x 2 root root 4096 Aug 12 00:00 opt
dr-xr-xr-x 743 root root 0 Aug 20 04:25 proc
drwx------ 1 root root 4096 Aug 14 14:10 root
drwxr-xr-x 1 root root 4096 Aug 20 04:25 run
drwxr-xr-x 2 root root 4096 Aug 12 00:00 sbin
drwxr-xr-x 2 root root 4096 Aug 12 00:00 srv
dr-xr-xr-x 13 root root 0 Aug 19 21:55 sys
drwxrwxrwt 1 root root 4096 Aug 14 14:11 tmp
drwxr-xr-x 1 root root 4096 Aug 12 00:00 usr
drwxr-xr-x 1 root root 4096 Aug 12 00:00 var
root@redis:/data# ls -l /mydata/
total 4
drwxr-xr-x 3 root root 4096 Aug 20 04:25 storage
推荐答案
我认为您需要在kubernetes中设置SecurityContext
,例如文档中的示例:
I think you need to setup SecurityContext
in kubernetes, Example from the Docs:
自由访问控制:访问对象的权限,例如 文件,基于用户ID(UID)和组ID(GID).
Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID).
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: {}
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
继续阅读
这篇关于在kubernetes容器中安装卷时如何更改umask的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!