csi-gcs: Cannot mount volume with non-root user
Steps
```shell
kubectl create namespace csi-gcs
kubectl create secret generic csi-gcs-secret --from-literal=bucket=my-gcs-bucket --from-file=key=./key.json --namespace csi-gcs
kubectl apply -f csi-gcs-sc.yaml
```

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-gcs
  namespace: csi-gcs
provisioner: gcs.csi.ofek.dev
volumeBindingMode: Immediate
allowVolumeExpansion: false
reclaimPolicy: Retain
parameters:
  csi.storage.k8s.io/node-publish-secret-name: csi-gcs-secret
  csi.storage.k8s.io/node-publish-secret-namespace: csi-gcs
```
```shell
kubectl apply -f csi-gcs-pv.yaml
```

```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: csi-gcs-pv
  namespace: csi-gcs
  #annotations:
  #  pv.beta.kubernetes.io/gid: "1000"
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 50Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: csi-gcs
  csi:
    driver: gcs.csi.ofek.dev
    volumeHandle: csi-gcs
    nodePublishSecretRef:
      name: csi-gcs-secret
      namespace: csi-gcs
```
```shell
kubectl apply -f csi-gcs-pvc
```

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: csi-gcs-pvc
  namespace: csi-gcs
  labels:
    app: csi-gcs-example
spec:
  storageClassName: csi-gcs
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
```
Tried to chown the objects with an initContainers command:
```shell
kubectl apply -f csi-gcs-test.yaml
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: csi-gcs-test
  namespace: csi-gcs
  labels:
    app: csi-gcs-test
spec:
  selector:
    matchLabels:
      app: csi-gcs-test
  template:
    metadata:
      labels:
        app: csi-gcs-test
    spec:
      initContainers:
        - name: chown-er
          image: busybox:latest
          securityContext:
            runAsUser: 0
          command:
            - /bin/chown
            - -R
            - "1000:1000"
            - /data
          volumeMounts:
            - name: csi-gcs-pvc
              mountPath: /data
      containers:
        - name: writer
          image: busybox
          command:
            - sleep
            - infinity
          volumeMounts:
            - name: csi-gcs-pvc
              mountPath: /data
        - name: reader
          image: busybox
          command:
            - sleep
            - infinity
          volumeMounts:
            - name: csi-gcs-pvc
              mountPath: /data
              readOnly: true
      volumes:
        - name: csi-gcs-pvc
          persistentVolumeClaim:
            claimName: csi-gcs-pvc
```
```shell
kubectl get sc,pv,pvc -n csi-gcs
```

```
storageclass.storage.k8s.io/csi-gcs                 gcs.csi.ofek.dev       14d
storageclass.storage.k8s.io/singlewriter-standard   pd.csi.storage.gke.io  16d
persistentvolume/csi-gcs-pv        50Gi   RWO   Retain   Bound   csi-gcs/csi-gcs-pvc   csi-gcs   14h
persistentvolumeclaim/csi-gcs-pvc  Bound  csi-gcs-pv   50Gi   RWO   csi-gcs   14h
```

```shell
kubectl get deploy -n csi-gcs
```

```
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
csi-gcs-test   1/1     1            1           60s
```

```shell
kubectl -n csi-gcs exec -it $(kubectl -n csi-gcs get po | grep csi | cut -f 1 -d " ") -c writer -- ls -l /data
```

```
total 3
-rw-r--r--    1 root     root            11 Apr  2 19:53 hello_world.hel
```
Is there any way to mount it as a non-root user? I also tried the gid annotation on the PV and an fsGroup securityContext on the deployment, with the same result:

```yaml
annotations:
  pv.beta.kubernetes.io/gid: "1000"
```
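A least-privilege probe for the same PVC, added here as an example and not part of the issue: a Job that runs as UID/GID 1000 with runAsNonRoot enforced and reports whether /data is usable without the root chown initContainer. It assumes the csi-gcs namespace and PVC name from the steps above; the Job name and image tag are my choices.

```yaml
# Added diagnostic Job (not from the issue): the kubelet refuses to start it as
# root, so any successful write proves the mount works for UID 1000 as-is.
apiVersion: batch/v1
kind: Job
metadata:
  name: csi-gcs-nonroot-probe
  namespace: csi-gcs
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000   # honoured only if the CSIDriver's fsGroupPolicy allows it
      containers:
        - name: probe
          image: busybox:1.36
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          command:
            - /bin/sh
            - -c
            - |
              set -x
              id
              # Numeric uid/gid and mode bits the FUSE mount actually presents
              ls -ln /data
              # Succeeds only if UID 1000 can write without any root chown;
              # on failure the ls output above shows what still needs changing.
              touch /data/.nonroot-write-test && rm /data/.nonroot-write-test
          volumeMounts:
            - name: data
              mountPath: /data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: csi-gcs-pvc
```

Apply it with `kubectl -n csi-gcs apply -f probe.yaml` and read `kubectl -n csi-gcs logs job/csi-gcs-nonroot-probe`. Whether fsGroup is applied at all for a CSI volume is decided by the driver's CSIDriver object, so `kubectl get csidriver gcs.csi.ofek.dev -o jsonpath='{.spec.fsGroupPolicy}'` (assuming the CSIDriver object is named after the driver) tells you if that setting can ever take effect here.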
About this issue
- State: closed
- Created 4 years ago
- Comments: 26 (7 by maintainers)
Confirmed. The solution provided by @maennchen:
Worked correctly.
edit: fixed typo
Found the mistake on implicitDirs flag:
Thank you for your help. Now it works correctly.