Kubernetes NFS 持久卷权限被拒绝 [英] Kubernetes NFS persistent volumes permission denied
问题描述
我有一个应用程序在 Kubernetes 中的 POD 上运行.我想在持久存储卷上存储一些输出文件日志.
I have an application running over a POD in Kubernetes. I would like to store some output file logs on a persistent storage volume.
为了做到这一点,我在 NFS 上创建了一个卷,并通过相关的卷声明将其绑定到 POD.当我尝试写入或加入共享文件夹时,我收到一条权限被拒绝"消息,因为 NFS 显然是只读的.
In order to do that, I created a volume over the NFS and bound it to the POD through the related volume claim. When I try to write or accede the shared folder I got a "permission denied" message, since the NFS is apparently read-only.
以下是我用来创建卷的json文件:
The following is the json file I used to create the volume:
{
"kind": "PersistentVolume",
"apiVersion": "v1",
"metadata": {
"name": "task-pv-test"
},
"spec": {
"capacity": {
"storage": "10Gi"
},
"nfs": {
"server": <IPAddress>,
"path": "/export"
},
"accessModes": [
"ReadWriteMany"
],
"persistentVolumeReclaimPolicy": "Delete",
"storageClassName": "standard"
}
}
以下是POD配置文件
kind: Pod
apiVersion: v1
metadata:
name: volume-test
spec:
volumes:
- name: task-pv-test-storage
persistentVolumeClaim:
claimName: task-pv-test-claim
containers:
- name: volume-test
image: <ImageName>
volumeMounts:
- mountPath: /home
name: task-pv-test-storage
readOnly: false
有没有办法改变权限?
更新
这里是 PVC 和 NFS 配置:
Here are the PVC and NFS config:
PVC:
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: task-pv-test-claim
spec:
storageClassName: standard
accessModes:
- ReadWriteMany
resources:
requests:
storage: 3Gi
NFS 配置
{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "nfs-client-provisioner-557b575fbc-hkzfp",
"generateName": "nfs-client-provisioner-557b575fbc-",
"namespace": "default",
"selfLink": "/api/v1/namespaces/default/pods/nfs-client-provisioner-557b575fbc-hkzfp",
"uid": "918b1220-423a-11e8-8c62-8aaf7effe4a0",
"resourceVersion": "27228",
"creationTimestamp": "2018-04-17T12:26:35Z",
"labels": {
"app": "nfs-client-provisioner",
"pod-template-hash": "1136131967"
},
"ownerReferences": [
{
"apiVersion": "extensions/v1beta1",
"kind": "ReplicaSet",
"name": "nfs-client-provisioner-557b575fbc",
"uid": "3239b14a-4222-11e8-8c62-8aaf7effe4a0",
"controller": true,
"blockOwnerDeletion": true
}
]
},
"spec": {
"volumes": [
{
"name": "nfs-client-root",
"nfs": {
"server": <IPAddress>,
"path": "/Kubernetes"
}
},
{
"name": "nfs-client-provisioner-token-fdd2c",
"secret": {
"secretName": "nfs-client-provisioner-token-fdd2c",
"defaultMode": 420
}
}
],
"containers": [
{
"name": "nfs-client-provisioner",
"image": "quay.io/external_storage/nfs-client-provisioner:latest",
"env": [
{
"name": "PROVISIONER_NAME",
"value": "<IPAddress>/Kubernetes"
},
{
"name": "NFS_SERVER",
"value": <IPAddress>
},
{
"name": "NFS_PATH",
"value": "/Kubernetes"
}
],
"resources": {},
"volumeMounts": [
{
"name": "nfs-client-root",
"mountPath": "/persistentvolumes"
},
{
"name": "nfs-client-provisioner-token-fdd2c",
"readOnly": true,
"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
}
],
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"imagePullPolicy": "Always"
}
],
"restartPolicy": "Always",
"terminationGracePeriodSeconds": 30,
"dnsPolicy": "ClusterFirst",
"serviceAccountName": "nfs-client-provisioner",
"serviceAccount": "nfs-client-provisioner",
"nodeName": "det-vkube-s02",
"securityContext": {},
"schedulerName": "default-scheduler",
"tolerations": [
{
"key": "node.kubernetes.io/not-ready",
"operator": "Exists",
"effect": "NoExecute",
"tolerationSeconds": 300
},
{
"key": "node.kubernetes.io/unreachable",
"operator": "Exists",
"effect": "NoExecute",
"tolerationSeconds": 300
}
]
},
"status": {
"phase": "Running",
"hostIP": <IPAddress>,
"podIP": "<IPAddress>,
"startTime": "2018-04-17T12:26:35Z",
"qosClass": "BestEffort"
}
}
我刚刚从 nfs 配置中删除了一些状态信息以使其更短
I have just removed some status information from the nfs config to make it shorter
推荐答案
如果您为 pod 配置设置了正确的securityContext,您可以确保以适当的权限挂载了该卷.
If you set the proper securityContext for the pod configuration you can make sure the volume is mounted with proper permissions.
示例:
apiVersion: v1
kind: Pod
metadata:
name: demo
spec:
securityContext:
fsGroup: 2000
volumes:
- name: task-pv-test-storage
persistentVolumeClaim:
claimName: task-pv-test-claim
containers:
- name: demo
image: example-image
volumeMounts:
- name: task-pv-test-storage
mountPath: /data/demo
在上面的示例中,存储将安装在 /data/demo 中,组 ID 为 2000,由 fsGroup 设置.通过设置 fsGroup 容器的所有进程也将成为补充组 ID 2000 的一部分,因此您应该可以访问挂载的文件.
In the above example the storage will be mounted at /data/demo with 2000 group id, which is set by fsGroup. By setting the fsGroup all processes of the container will also be part of the supplementary group ID 2000, thus you should have access to the mounted files.
您可以在此处阅读有关 pod 安全上下文的更多信息:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
You can read more about pod security context here: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
这篇关于Kubernetes NFS 持久卷权限被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
