Volume mount permissions

[Hari]

Hi Team,

I have mounted a volume in my rundeck pod. When the pod comes up, the volume permission are set to root:root but all other pod file permissions are in rundeck:root. I tried changing it using security context for a Pod (https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods). But still the mounted volume permissions are not getting changed. Is there any example that I can use if it was already documented? Please advice.

Thank you.

[Endrina Barrios]

Hi,

Thanks for reaching out! 

To better understand your issue, could you please provide more details on how you have configured the volume and security context? Specifically:

• How is the volume being mounted (PVC, hostPath)?
• Are you using a specific StorageClass that might affect permissions?
• Have you checked if the fsGroup setting in the security context has any effect?

Please make sure to remove or mask any sensitive or confidential information (such as passwords, IPs, or access credentials) before sharing the details.

Looking forward to your response!

Kind regards.

[Harikrishnan Gopalakrishnan]

Thanks for helping. Please find my response. Let me know if you need more information.

• How is the volume being mounted (PVC, hostPath)? - I am reading the info from a ConfigMap and mounting as volume mounts
• Are you using a specific StorageClass that might affect permissions? - No
• Have you checked if the fsGroup setting in the security context has any effect? - Yes. fsGroup only changes the group value to the one that I set(eg: 1000) no changes to the user(Still remains root). I added the runAsUser and set it to the rundeck UID - 1000. That is not making any changes to the permissions of the volume once POD comes up.

spec:

      securityContext:

        runAsUser: 1000

rundeck@rundeck-:~$ id rundeck
uid=1000(rundeck) gid=0(root) groups=0(root),27(sudo)
rundeck@rundeck-:~$ id
uid=1000(rundeck) gid=0(root) groups=0(root),27(sudo)

Example - realm.properties is one of the files that I applied as volume mounts. It is having the permissions root:root

rundeck@rundeck-:~/server/config$ ls -lr
total 32
-rwxrwxr-x 1 rundeck root  160 Dec  5 22:35 ssl.properties
-rw-r--r-- 1 rundeck root 2689 Feb 10 21:57 rundeck-config.properties
-rw-r--r-- 1 root    root  118 Feb 10 21:57 realm.properties
-rw-r--r-- 1 rundeck root 8320 Feb 10 21:57 log4j2.properties
-rw-r--r-- 1 rundeck root 1110 Feb 10 21:57 jaas-loginmodule.conf
-rw-r--r-- 1 rundeck root   95 Feb 10 21:57 artifact-repositories.yaml

--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/rundeck-discuss/301eb8ce-9309-4507-b09e-838ac7cbb097n%40googlegroups.com.

[Endrina Barrios]

Hi, thanks for the information. 

You could try using an init container to adjust the permissions.

For example:

initContainers: 

- name: init-permissions 

  image: busybox 

  command: ["sh", "-c", "cp -R /config/* /data/ && chown -R 1000:1000 /data"] 

Let me know if you need further assistance or additional details.

Kind regards.