Read-Write permissions issue for PVC in Azure Kubernetes Service

Question

Currently I try to setup a Nextcloud on Azure Kubernetes Service as an exercise. Basically the application seems running, but after connecting the Database, Nextcloud ending with something like...

Please change the permissions of your storage to 0770 to prevent other people from accessing your data

I guess cause I used a azurefile share as persistent volume. My pvc deployment looks like this:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nextcloud-shared-storage-claim
  labels: 
    app: nextcloud
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: azurefile
  resources:
    requests:
      storage: 5Gi

I've already researched on that topic and find ways to realize the use of permissions for pods with securityContext. Because I've only just started with Kubernetes on Azure I struggle a bit on binding my Deployment file for nextcloud with a pod, that applies the permissions.

To complete the post - here is the deployment file for the Nextcloud I used

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud-server
  labels:
    app: nextcloud
spec:
  replicas: 1
  selector:
    matchLabels:
      pod-label: nextcloud-server-pod
  template:
    metadata:
      labels:
        pod-label: nextcloud-server-pod
    spec:
      containers:
      - name: nextcloud
        image: nextcloud:20-apache
        volumeMounts:
        - name: server-storage
          mountPath: /var/www/html
          subPath: server-data
      volumes:
      - name: server-storage
        persistentVolumeClaim:
          claimName: nextcloud-shared-storage-claim
---
apiVersion: v1
kind: Service
metadata:
  name: nextcloud-server
  labels:
    app: nextcloud
spec:
  selector:
    pod-label: nextcloud-server-pod
  ports:
  - protocol: TCP
    port: 80

I guess/hope that it's totally simple.

The claim name is incorrect in your deployment file, it should be `nextcloud-shared-storage-claim` and not `nextcloud-shared-storage-claim-2`. Are you trying to change the permissions on `/var/www/html`? — Nick Graham, Oct 20 '20 at 16:51
Sorry, that's a mistake in the post - i'll correct this. In my deployment it's correct. — elludorado, Oct 20 '20 at 16:59
@NickGraham I guess... so I actually thought about changing the permission for the pvc, but if changing the permission for the path also can be a solution for the problem, I'll prefer do it like that. — elludorado, Oct 20 '20 at 17:05
To modify the permissions on a mounted volume you’ll need to execute a script after the container starts up. Some images give you the option to copy scripts into a particular folder that are then executed at start up, check the docs to see if the image your using provides that functionality — Nick Graham, Oct 20 '20 at 18:08
Ok great, thank you! Can you please tell me the name of this functionallity? — elludorado, Oct 20 '20 at 18:44
According to this [comment](https://github.com/Azure/AKS/issues/225#issuecomment-371007021) you can try specify this permissions in your storage class. Additionally [there](https://stackoverflow.com/a/64022263/11977760) is an example of what @NickGraham mentioned in his comment. Could you please try it and let me know if it worked? — Jakub, Oct 21 '20 at 09:36

score 1 · Accepted Answer · answered Nov 03 '20 at 10:47

Posting this answer as community wiki since it might be helpful for the community. Feel free to expand.

As mentioned by @Nick Graham in the comments

To modify the permissions on a mounted volume you’ll need to execute a script after the container starts up. Some images give you the option to copy scripts into a particular folder that are then executed at start up, check the docs to see if the image your using provides that functionality

There are few examples.

Additionally according to this comment you can try to specify this permissions in your storage class.

Read-Write permissions issue for PVC in Azure Kubernetes Service

1 Answers1