How can the ceph-csi chart be configured so that persistent volumes have permissions for a non-root user? #4927
Replies: 1 comment
@wangchao6856, you can specify securityContext in pod/container. Here's an example:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: csicephfs-demo-pod
spec:
  securityContext:
    fsGroup: 2000
  containers:
    - name: c1
      securityContext:
        runAsUser: 2000
      image: quay.io/centos/centos:latest
      command:
        - "/bin/sleep"
        - "999999"
      volumeMounts:
        - name: mypvc
          mountPath: /mount
  volumes:
    - name: mypvc
      persistentVolumeClaim:
        claimName: cephfs-pvc
        readOnly: false
```

In this example, both UID and GID are set to 2000.

```console
pm@dhcp53-176:~/github.com/ceph/ceph-csi/examples/cephfs$ k exec csicephfs-demo-pod -c c1 -- ls -l
...
drwxr-xr-x 2 2000 2000 6 Oct 29 08:24 mount
```

This allows the non-root user to write to the mounted directory:

```console
pm@dhcp53-176:~/github.com/ceph/ceph-csi/examples/cephfs$ k exec -it csicephfs-demo-pod -c c1 -- bash
bash-4.4$ id
uid=2000 gid=0(root) groups=0(root),2000
bash-4.4$ echo "ceph-csi" > /mount/data.txt
bash-4.4$ ls /mount/
data.txt
```

Does this answer your question @wangchao6856?
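As an added check (example code, not ceph-csi project code), the script below lints a Pod manifest for the pattern the answer relies on: a container that mounts a PVC and runs as a non-root uid must also have `spec.securityContext.fsGroup` set, otherwise the 0755, root-owned volume root is read-only for that uid. `DEMO_POD`, `check_pod` and `variant` are names of this example; the manifest dict is constructed to mirror the demo Pod above.

```python
import copy

# Constructed for this example: mirrors the csicephfs-demo-pod manifest in the answer.
DEMO_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "csicephfs-demo-pod"},
    "spec": {
        "securityContext": {"fsGroup": 2000},
        "containers": [{
            "name": "c1", "image": "quay.io/centos/centos:latest",
            "securityContext": {"runAsUser": 2000},
            "command": ["/bin/sleep", "999999"],
            "volumeMounts": [{"name": "mypvc", "mountPath": "/mount"}],
        }],
        "volumes": [{"name": "mypvc",
                     "persistentVolumeClaim": {"claimName": "cephfs-pvc", "readOnly": False}}],
    },
}


def check_pod(manifest):
    """Return findings for containers that mount a PVC (empty list == pod is fine).
    Rule: non-root uid + PVC mount requires pod-level fsGroup (see the answer's id / ls -l output)."""
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    pvcs = {v["name"] for v in spec.get("volumes", []) if "persistentVolumeClaim" in v}
    findings = []
    for c in spec.get("containers", []):
        mounted = sorted({m["name"] for m in c.get("volumeMounts", [])} & pvcs)
        if not mounted:
            continue
        # container-level securityContext overrides the pod-level one
        uid = c.get("securityContext", {}).get("runAsUser", pod_ctx.get("runAsUser"))
        if uid in (None, 0):
            findings.append(f"{c['name']}: mounts {mounted} as root (runAsUser unset or 0)")
        elif "fsGroup" not in pod_ctx:
            findings.append(f"{c['name']}: runAsUser={uid} but no spec.securityContext.fsGroup,"
                            f" so {mounted} will be read-only for that uid")
    return findings


def variant(manifest, pod_ctx=None, container_ctx=None):
    """Deep copy of manifest with the pod / first-container securityContext replaced."""
    m = copy.deepcopy(manifest)
    if pod_ctx is not None:
        m["spec"]["securityContext"] = pod_ctx
    if container_ctx is not None:
        m["spec"]["containers"][0]["securityContext"] = container_ctx
    return m
```

Run `check_pod(variant(DEMO_POD, pod_ctx={}))` to see the finding a manifest without fsGroup produces; the demo Pod itself yields no findings.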
There is an existing Ceph cluster outside of Kubernetes. By deploying the ceph-csi Helm chart, it is now possible to dynamically create PVs through a StorageClass, which automatically creates a CephFS subvolume on Ceph. However, the persistent volume is created by the root user with default permissions set to 755, which results in no write permissions when the CephFS PV is mounted by a container running as a non-root user. How can the chart or StorageClass be configured so that dynamically created PVs have permissions for a non-root user? Specifically, how can the uid, gid, and mode parameters be configured?