Kubernetes NFS persistent volumes permission denied
I have an application running on a POD in Kubernetes.
I want to store some output file logs on a persistent storage volume.
To do that, I created a volume over NFS and bound it to the POD through the related volume claim.
When I try to write to or access the shared folder, I get a "permission denied" message, since the NFS is apparently read-only.
Here is the json file I used to create the volume:
{
  "kind": "PersistentVolume",
  "apiVersion": "v1",
  "metadata": {
    "name": "task-pv-test"
  },
  "spec": {
    "capacity": {
      "storage": "10Gi"
    },
    "nfs": {
      "server": <IPAddress>,
      "path": "/export"
    },
    "accessModes": [
      "ReadWriteMany"
    ],
    "persistentVolumeReclaimPolicy": "Delete",
    "storageClassName": "standard"
  }
}
And here is the POD configuration file:
kind: Pod
apiVersion: v1
metadata:
  name: volume-test
spec:
  volumes:
    - name: task-pv-test-storage
      persistentVolumeClaim:
        claimName: task-pv-test-claim
  containers:
    - name: volume-test
      image: <ImageName>
      volumeMounts:
        - mountPath: /home
          name: task-pv-test-storage
          readOnly: false
Is there a way to change the permissions?
UPDATE
Here are the PVC and the NFS config:
PVC:
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: task-pv-test-claim
spec:
  storageClassName: standard
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 3Gi
NFS config:
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "nfs-client-provisioner-557b575fbc-hkzfp",
    "generateName": "nfs-client-provisioner-557b575fbc-",
    "namespace": "default",
    "selfLink": "/api/v1/namespaces/default/pods/nfs-client-provisioner-557b575fbc-hkzfp",
    "uid": "918b1220-423a-11e8-8c62-8aaf7effe4a0",
    "resourceVersion": "27228",
    "creationTimestamp": "2018-04-17T12:26:35Z",
    "labels": {
      "app": "nfs-client-provisioner",
      "pod-template-hash": "1136131967"
    },
    "ownerReferences": [
      {
        "apiVersion": "extensions/v1beta1",
        "kind": "ReplicaSet",
        "name": "nfs-client-provisioner-557b575fbc",
        "uid": "3239b14a-4222-11e8-8c62-8aaf7effe4a0",
        "controller": true,
        "blockOwnerDeletion": true
      }
    ]
  },
  "spec": {
    "volumes": [
      {
        "name": "nfs-client-root",
        "nfs": {
          "server": <IPAddress>,
          "path": "/Kubernetes"
        }
      },
      {
        "name": "nfs-client-provisioner-token-fdd2c",
        "secret": {
          "secretName": "nfs-client-provisioner-token-fdd2c",
          "defaultMode": 420
        }
      }
    ],
    "containers": [
      {
        "name": "nfs-client-provisioner",
        "image": "quay.io/external_storage/nfs-client-provisioner:latest",
        "env": [
          {
            "name": "PROVISIONER_NAME",
            "value": "<IPAddress>/Kubernetes"
          },
          {
            "name": "NFS_SERVER",
            "value": <IPAddress>
          },
          {
            "name": "NFS_PATH",
            "value": "/Kubernetes"
          }
        ],
        "resources": {},
        "volumeMounts": [
          {
            "name": "nfs-client-root",
            "mountPath": "/persistentvolumes"
          },
          {
            "name": "nfs-client-provisioner-token-fdd2c",
            "readOnly": true,
            "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
          }
        ],
        "terminationMessagePath": "/dev/termination-log",
        "terminationMessagePolicy": "File",
        "imagePullPolicy": "Always"
      }
    ],
    "restartPolicy": "Always",
    "terminationGracePeriodSeconds": 30,
    "dnsPolicy": "ClusterFirst",
    "serviceAccountName": "nfs-client-provisioner",
    "serviceAccount": "nfs-client-provisioner",
    "nodeName": "det-vkube-s02",
    "securityContext": {},
    "schedulerName": "default-scheduler",
    "tolerations": [
      {
        "key": "node.kubernetes.io/not-ready",
        "operator": "Exists",
        "effect": "NoExecute",
        "tolerationSeconds": 300
      },
      {
        "key": "node.kubernetes.io/unreachable",
        "operator": "Exists",
        "effect": "NoExecute",
        "tolerationSeconds": 300
      }
    ]
  },
  "status": {
    "phase": "Running",
    "hostIP": <IPAddress>,
    "podIP": <IPAddress>,
    "startTime": "2018-04-17T12:26:35Z",
    "qosClass": "BestEffort"
  }
}
I just removed some status info from the nfs config to make it shorter.
Have you checked the permissions of the directory? Make sure everyone has read access.
An easy way is to go to the nfs storage and chmod 777, or chown with the user id from the volume-test container.
I'm a bit confused about how you are trying to get this done; anyway, if I understand correctly, try this example:
volumeClaimTemplates:
  - metadata:
      name: data
      namespace: kube-system
      labels:
        k8s-app: something
        monitoring: something
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 10Gi
Then maybe an init container would do something:
initContainers:
  - name: prometheus-init
    image: /something/bash-alpine:1.5
    command:
      - chown
      - -R
      - 65534:65534
      - /data
    volumeMounts:
      - name: data
        mountPath: /data
Or the volumeMounts you missed:
volumeMounts:
  - name: config-volume
    mountPath: /etc/config
  - name: data
    mountPath: /data
My last comment is to be careful with the container; I think you are only allowed to write in /tmp, or is that only on CoreOS? I'd have to check.
If you set the proper securityContext for the pod configuration, you can make sure the volume is mounted with the proper permissions.
Example:
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  securityContext:
    fsGroup: 2000
  volumes:
    - name: task-pv-test-storage
      persistentVolumeClaim:
        claimName: task-pv-test-claim
  containers:
    - name: demo
      image: example-image
      volumeMounts:
        - name: task-pv-test-storage
          mountPath: /data/demo
In the example above, the storage will be mounted at /data/demo with group id 2000, which is set by fsGroup. By setting fsGroup, all processes of the container will also be part of the supplementary group id 2000, so you should have access to the mounted files.
You can read more about the pod security context here: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
Thanks to 白栋天.
For example, if the pod securityContext is set to:
securityContext:
  runAsUser: 1000
  fsGroup: 1000
You would ssh to the NFS host and run
chown 1000:1000 -R /some/nfs/path
If you don't know the user:group, or many pods will mount it, you can run
chmod 777 -R /some/nfs/path
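The remedies proposed across the answers (chown to the pod's uid:gid, fsGroup as a supplementary group, chmod 777, and the init container's chown to 65534) all come down to the owner/group/other write check the NFS server performs on the exported directory. The following Python model, an added example that is not part of the original thread, evaluates each remedy against a constructed root-owned 755 export; the root_squash remap to 65534, the uid 1000 / gid 2000 values and the "unrelated uid 4242" are assumptions.

```python
import stat

ANON_ID = 65534  # assumed: NFS root_squash remaps uid/gid 0 to this id (the "nobody" account)

class Export:
    """Ownership and permission bits of the exported directory as the NFS server sees it."""

    def __init__(self, uid, gid, mode, root_squash=True):
        self.uid, self.gid, self.mode, self.root_squash = uid, gid, mode, root_squash

def pod_ids(run_as_user, primary_gid, fs_group=None):
    """Ids a container process carries: its uid, its primary gid, and fsGroup as a supplementary gid."""
    gids = {primary_gid}
    if fs_group is not None:
        gids.add(fs_group)
    return run_as_user, gids

def can_write(export, uid, gids):
    """Owner/group/other write check (no ACLs), after the root_squash remap the server applies first."""
    if export.root_squash and uid == 0:
        uid, gids = ANON_ID, {ANON_ID}
    if uid == export.uid:
        return bool(export.mode & stat.S_IWUSR)
    if export.gid in gids:
        return bool(export.mode & stat.S_IWGRP)
    return bool(export.mode & stat.S_IWOTH)

def scenarios():
    """Each remedy from the answers, evaluated against a constructed root-owned 755 export."""
    untouched = Export(uid=0, gid=0, mode=0o755)
    return {
        # the question: export owned by root, container process runs as uid 1000
        "untouched, uid 1000": can_write(untouched, *pod_ids(1000, 1000)),
        # a root container is no better once root_squash has remapped it to nobody
        "untouched, root container": can_write(untouched, *pod_ids(0, 0)),
        # chown 1000:1000 -R on the NFS host, matching runAsUser/fsGroup 1000
        "chown 1000:1000": can_write(Export(1000, 1000, 0o755), *pod_ids(1000, 1000, fs_group=1000)),
        # fsGroup 2000 only helps if the export's group really is 2000 and group-writable
        "fsGroup 2000, export root:2000 775": can_write(Export(0, 2000, 0o775), *pod_ids(1000, 1000, 2000)),
        "fsGroup 2000, export still root:root 755": can_write(untouched, *pod_ids(1000, 1000, 2000)),
        # chmod 777 -R opens the export to every uid on every client, not just this pod
        "chmod 777, unrelated uid 4242": can_write(Export(0, 0, 0o777), *pod_ids(4242, 4242)),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:42} write {'allowed' if ok else 'denied'}")
```

The last scenario is the reason to prefer a matching chown or fsGroup over chmod 777: the 777 export is writable by any uid on any host allowed to mount it.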