具有特定用户权限的Azure磁盘的永久卷声明

时间:2018-11-23 11:50:10

标签: kubernetes persistent-volumes azure-aks persistent-volume-claims

我正在尝试创建动态Azure磁盘卷,以在具有特定权限要求的Pod中使用。

容器runs under the user id 472,所以我需要找到一种方法来(至少)对该用户具有rw权限来装入卷。

已定义以下StorageClass 

apiVersion: storage.k8s.io/v1
kind: StorageClass
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Delete
volumeBindingMode: Immediate
metadata:
  name: foo-storage
mountOptions:
  - rw
parameters:
  cachingmode: None
  kind: Managed
  storageaccounttype: Standard_LRS

和这个PVC 

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: foo-storage
  namespace: foo
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: foo-storage
  resources:
    requests:
      storage: 1Gi

我可以在Pod中运行以下命令:

containers:
  - image: ubuntu
    name: foo
    imagePullPolicy: IfNotPresent
    command:
      - ls
      - -l
      - /var/lib/foo
    volumeMounts:
      - name: foo-persistent-storage
        mountPath: /var/lib/foo
volumes:
  - name: foo-persistent-storage
    persistentVolumeClaim:
      claimName: foo-storage

吊舱将正确安装并启动,但是会显示kubectl logs <the-pod> 

total 24
drwxr-xr-x 3 root root  4096 Nov 23 11:42 .
drwxr-xr-x 1 root root  4096 Nov 13 12:32 ..
drwx------ 2 root root 16384 Nov 23 11:42 lost+found

即当前目录被挂载为root所拥有,并且对所有其他用户为只读。

我尝试将mountOptions部分添加到StorageClass,但是无论我尝试什么(uid=472user=472等),启动时都会出现安装错误,例如< / p> 

mounting arguments: --description=Kubernetes transient mount for /var/lib/kubelet/plugins/kubernetes.io/azure-disk/mounts/m1019941199 --scope -- mount -t ext4 -o group=472,rw,user=472,defaults /dev/disk/azure/scsi1/lun0 /var/lib/kubelet/plugins/kubernetes.io/azure-disk/mounts/m1019941199
Output: Running scope as unit run-r7165038756bf43e49db934e8968cca8b.scope.
mount: wrong fs type, bad option, bad superblock on /dev/sdc,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.

我也尝试从man mount获取一些信息,但是我没有找到任何有效的方法。

如何配置此存储类,持久卷声明和卷挂载,以便运行容器进程的非root用户可以访问已挂载路径中的写入(并创建子目录)? < / p>

1 个答案:

答案 0 :(得分:0)

您需要像以下那样定义pod规范的securityContext,以便它与新的运行用户和组ID相匹配:

securityContext:
  runAsUser: 472
  fsGroup: 472

稳定的格拉法纳头盔图也以相同的方式进行。请参见“配置”下的securityContexthttps://github.com/helm/charts/tree/master/stable/grafana#configuration

相关问题
最新问题