I have a Kubernetes pod running Laravel but I get the following permission error on load:

Permission denied

If I access the pod interactively and run chmod on /storage:

chmod on storage

The laravel app works. How can I get this command to run on deployment? I've tried the following but I get a 502 nginx error:

apiVersion: apps/v1
kind: Deployment
metadata:
    name: app
spec:
    replicas: 1
    selector:
        matchLabels:
            container: app
    template:
        metadata:
            labels:
                container: app
        spec:
            containers:
                - name: app
                  image: my/toolkit-app:test
                  command: ["chmod -R 777 /storage"]
                  securityContext:
                      runAsUser: 0
                  ports:
                      - containerPort: 80
            imagePullSecrets:
                - name: my-cred
Lee
  • If you have the `securityContext:` option to run as root, do you actually need the `chmod` command? Are there volume mounts you haven't included, or could you `RUN chown` in your Dockerfile to give that directory appropriate ownership? Also see [Kubernetes: how to set VolumeMount user group and file permissions](https://stackoverflow.com/questions/43544370/kubernetes-how-to-set-volumemount-user-group-and-file-permissions); even if you're not mounting a volume it does discuss how to use an init container for this. – David Maze Apr 09 '21 at 10:25
  • @Lee you have a duplicated question https://stackoverflow.com/questions/67005208/kubernetes-minikube-laravel-failed-to-open-stream-permission-denied - please delete one – Malgorzata Apr 09 '21 at 10:31

1 Answer

You can use a PostStart Container hook.

apiVersion: apps/v1
kind: Deployment
metadata:
    name: app
spec:
    replicas: 1
    selector:
        matchLabels:
            container: app
    template:
        metadata:
            labels:
                container: app
        spec:
            containers:
                - name: app
                  image: my/toolkit-app:test
                  securityContext:
                      runAsUser: 0
                  ports:
                      - containerPort: 80
                  lifecycle:
                      postStart:
                          exec:
                              command: ["/bin/sh", "-c", "chmod -R 777 /storage"]
            imagePullSecrets:
                - name: my-cred

One thing to consider:

This hook is executed immediately after a container is created. However, there is no guarantee that the hook will execute before the container ENTRYPOINT. No parameters are passed to the handler.
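
The init-container approach mentioned in the comments, as an added example that is not part of the original answer: unlike `postStart`, an init container finishes before the app container starts, but it can only change files on a volume it shares with the app container. Assumptions (not from the page): `/storage` is an `emptyDir` volume named `storage`, the PHP worker runs as UID/GID 33, and `busybox:1.36` is the helper image.

```yaml
# Added example. Assumptions: /storage is an emptyDir volume (hypothetical
# name "storage"), the PHP worker runs as UID/GID 33 (www-data on Debian-based
# images; check yours), and busybox:1.36 is an acceptable helper image.
apiVersion: apps/v1
kind: Deployment
metadata:
    name: app
spec:
    replicas: 1
    selector:
        matchLabels:
            container: app
    template:
        metadata:
            labels:
                container: app
        spec:
            initContainers:
                # Runs to completion before the app container is started, so the
                # directory is ready before the image's ENTRYPOINT executes.
                - name: fix-storage-perms
                  image: busybox:1.36
                  securityContext:
                      runAsUser: 0   # root only here, only for chown
                  command:
                      - sh
                      - -c
                      - |
                        set -e
                        # The empty volume hides whatever the image ships in /storage,
                        # so recreate the directories Laravel expects.
                        mkdir -p /storage/app /storage/logs /storage/framework/cache \
                                 /storage/framework/sessions /storage/framework/views
                        chown -R 33:33 /storage
                        chmod -R u=rwX,g=rX,o= /storage   # owner-writable, not 777
                  volumeMounts:
                      - name: storage
                        mountPath: /storage
            containers:
                - name: app   # no runAsUser: 0 override; the image's own user applies
                  image: my/toolkit-app:test
                  ports:
                      - containerPort: 80
                  volumeMounts:
                      - name: storage
                        mountPath: /storage
            volumes:
                - name: storage
                  emptyDir: {}
            imagePullSecrets:
                - name: my-cred
```

An `emptyDir` is discarded when the pod is removed, so anything under `/storage` that must survive a reschedule needs a persistent volume instead.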