Allowing access to a PersistentVolumeClaim to non-root user


Problem description


In kubernetes I can use a PersistentVolumeClaim to create some storage, which I can later mount in some container.

However if the user in the container is not root, that user will not be able to access that directory because it is owned by root.

What is the right way to access such a volume? (I did not find any user/permission options both when creating and mounting that volume.)

Solution

First, find out the UID number your process is running as.

Then you can tell Kubernetes to chown (sort of) the mount point of the volume for your pod by adding .spec.securityContext.fsGroup:

spec:
  ...
  securityContext:
    fsGroup: 2000

fsGroup: integer: A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw----
If unset, the Kubelet will not modify the ownership and permissions of any volume.
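A complete manifest that puts the answer above together, added here as an example and not taken from the original question or answer: a claim, and a pod whose process runs as a fixed non-root UID while the mounted volume is made writable through fsGroup. The resource names, the UID 1000 and the busybox image are assumptions chosen for illustration; the fsGroup value 2000 is the one from the answer.

```yaml
# Added example (not from the original post). Names, UID and image are assumed.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-pvc                 # assumed name
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-writer           # assumed name
spec:
  securityContext:
    runAsUser: 1000              # the UID the process runs as (check with `id` inside the image)
    runAsGroup: 1000             # primary GID of the process
    runAsNonRoot: true           # the kubelet refuses to start the container as UID 0
    fsGroup: 2000                # volume root is chowned to GID 2000 with setgid; the process
                                 # gets 2000 as a supplementary group, so it can write there
    fsGroupChangePolicy: "OnRootMismatch"  # skip the recursive chown when the root dir already matches
  containers:
  - name: app
    image: busybox:1.36
    # `id` should list gid 2000 among the groups; the touch succeeds even though
    # the volume is not owned by UID 1000.
    command: ["sh", "-c", "id && touch /data/hello && ls -ln /data && sleep 3600"]
    securityContext:
      allowPrivilegeEscalation: false
    volumeMounts:
    - name: data
      mountPath: /data
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: data-pvc
```

Two practical caveats: the ownership change only happens for volume types that support it (the quoted documentation says "some volume types"), so a hostPath or NFS-backed claim may still show up owned by root, and fsGroup does not change the owning UID, only the group and the setgid bit, which is why the supplementary group membership is what makes the write succeed.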
