
I created an image that runs as a non-root user, but when I use a ConfigMap for a volume, the files that come with the volume are owned by root. I want to change the user, but I don't know how to change it.

I searched Google and Stack Overflow but found nothing about it.

   volumeMounts:
      - name: test
        mountPath: /opt/KOBIL/SSMS/home/configutil
  volumes:
    - name: test
      configMap:
        name: slaveconfig
Actual:
lrwxrwxrwx. 1 root root 17 May 21 12:53 config.xml -> ..data/config.xml
lrwxrwxrwx. 1 root root 18 May 21 12:53 modules.xml -> ..data/modules.xml

Expected:
lrwxrwxrwx. 1 xxuser xxuser 17 May 21 12:53 config.xml -> ..data/config.xml
lrwxrwxrwx. 1 xxuser xxuser 18 May 21 12:53 modules.xml -> ..data/modules.xml
O.Kaplan
  • does this help? https://stackoverflow.com/questions/43544370/kubernetes-how-to-set-volumemount-user-group-and-file-permissions – Amityo May 21 '19 at 14:20
  • Could you elaborate? Did you try [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)? You can run a pod as specific user or group? – PjoterS Mar 15 '21 at 09:03

2 Answers


This came up as one of the challenges with Kubernetes Deployments/StatefulSets when you have to run a process inside a container as a non-root user. But when you mount a volume to a pod, it always gets mounted with root:root ownership. So the non-root user must have access to the folder where it wants to read and write data.

Please follow the below steps for the same.

1. Create a user group and assign a group ID in the Dockerfile.
2. Create a user with a user ID and add it to the group in the Dockerfile.
3. Change ownership recursively for the folders the user process wants to read/write.
4. Add the below lines to the pod spec of the Deployment/StatefulSet.

spec:
  securityContext:
    runAsUser: 1099
    runAsGroup: 1099
    fsGroup: 1099

runAsUser: specifies that for any container in the Pod, all processes run with user ID 1099.

runAsGroup: specifies the primary group ID of 1099 for all processes within any container of the Pod. (If this field is omitted, the primary group ID of the containers will be root (0). Any files created will also be owned by user 1099 and group 1099 when runAsGroup is specified.)

fsGroup: specifies that any attached volume will be owned by group ID 1099, and any files created under it will have nonrootgroup:nonrootgroup ownership.

rajdeepbs29
  • Very bad design to couple the users that execute the processes to the owners of the files. What if I need to run as userX but I need a file with permission userY? – AFP_555 Oct 01 '20 at 21:00

To prevent the file specified by the ConfigMap from being created under the root user (regardless of the container user ID specified with securityContext.runAsUser, which the ConfigMap ignores, defaulting to the root user when creating the file), you can change the default permissions set on the config file at runtime to a+rwx (0777) with configMap.defaultMode:

    volumeMounts:
      - name: test
        mountPath: /data/config.xml
        subPath: config.xml
  volumes:
    - name: test
      configMap:
        name: test
        defaultMode: 0777

More info

Unfortunately, the k8s docs on ConfigMaps omit this crucial detail, as seen from this GitHub post, where this setting had to be transferred from Secrets (see docs).

The file will still be created by the root user (securityContext.runAsUser will still be ignored), but the permissions for all users will be changed to rwx, as in this example for the OpenEBS Hostpath for the jupyter_notebook_config.py file (where Jupyter Notebook needs to have write access):

drwxrwsrwx 7    0 100 4096 Jul  3 20:49 ..
drwxrwsr-x 3    0 100 4096 Jul  3 20:08 .
-rw-r--r-- 1 1000 100  360 Jul  3 20:08 jupyter_nbconvert_config.json
drwxr-sr-x 2 1000 100 4096 Jul  3 20:08 nbconfig
-rw-r--r-- 1 1000 100  109 Jul  3 20:08 jupyter_notebook_config.json
-rwxrwxrwx 1    0 100   35 Jul  3 20:08 jupyter_notebook_config.py
mirekphd
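As an added example that is not part of either answer, the check below walks a Pod manifest (as a Python dict, the JSON form of the YAML) and flags the two pitfalls discussed above: a missing runAsUser/fsGroup from the first answer, and a world-writable ConfigMap or Secret defaultMode as proposed in the second. Container and image names are constructed placeholders.

```python
# Added example, not from either answer: policy check over a Pod manifest
# dict for root-owned volume files and over-permissive defaultMode values.
WORLD_WRITABLE = 0o002
WORLD_READABLE = 0o004


def check_pod(pod):
    """Return a list of findings for one Pod manifest; empty means clean."""
    findings = []
    spec = pod.get("spec", {})
    sc = spec.get("securityContext", {})
    uid = sc.get("runAsUser")
    if uid is None or uid == 0:
        findings.append("no non-zero securityContext.runAsUser: processes run as root")
    volumes = spec.get("volumes", [])
    if volumes and sc.get("fsGroup") is None:
        findings.append("securityContext.fsGroup unset: volume files stay owned by root:root")
    for vol in volumes:
        for kind in ("configMap", "secret"):
            src = vol.get(kind)
            if src is None:
                continue
            # YAML writes the mode in octal (0777); the dict uses 0o777. 0644 is the API default.
            modes = [src.get("defaultMode", 0o644)]
            modes += [item["mode"] for item in src.get("items", []) if "mode" in item]
            for mode in modes:
                if mode & WORLD_WRITABLE:
                    findings.append(f"volume {vol['name']}: {kind} mode {mode:04o} is world-writable")
                if kind == "secret" and mode & WORLD_READABLE:
                    findings.append(f"volume {vol['name']}: secret mode {mode:04o} is world-readable")
    return findings


# Constructed from the second answer: no securityContext, defaultMode 0777.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "containers": [{"name": "app", "image": "example/app:1.0", "volumeMounts": [
        {"name": "test", "mountPath": "/data/config.xml", "subPath": "config.xml"}]}],
    "volumes": [{"name": "test", "configMap": {"name": "test", "defaultMode": 0o777}}],
}}

# Constructed from the first answer's securityContext, with a group-readable mode instead of 0777.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "securityContext": {"runAsUser": 1099, "runAsGroup": 1099, "fsGroup": 1099},
    "containers": [{"name": "app", "image": "example/app:1.0", "volumeMounts": [
        {"name": "test", "mountPath": "/opt/KOBIL/SSMS/home/configutil"}]}],
    "volumes": [{"name": "test", "configMap": {"name": "slaveconfig", "defaultMode": 0o440}}],
}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "no findings")
```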