Docker – How to mount azurefile persistentVolume in a Kubernetes pod with non-root user rights

azuredockerkubernetespermissionsstorage

I'm running a Kubernetes 1.8.4 cluster on Azure (populated with acs-engine v0.10).

I need to run a Redis pod with data persistency, so I'm using persistentVolume / persistentVolumeClaim with azurefile storageClass so that Redis can save to that volume.

Problem is that Redis container is running with redis:redis user and that Kubernetes mounts the volume with a root:root ownership and 0700 access mode.

=> So Redis can't write to that volume and dies.

Normally I'd fix this with mountOptions, but I fear this option is not supported for AzureFiles as per Kubernetes documentation:

Note: Not all Persistent volume types support mount options.

Did anybody ever managed to mount AzureFiles volumes in a Kubernetes pod with non-root access ? If so, I'd love to know how 🙂

TIA!

Best Answer

After reviewing this providential CloudBees blog post, it turned out that mountOptions are supported for azurefile, it's just that I needed to create a dedicated StorageClass and consume it via a PersistentVolumeClaim.

---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: redis-sc
  annotations:
  labels:
    kubernetes.io/cluster-service: 'true'
provisioner: kubernetes.io/azure-file
parameters:
reclaimPolicy: 'Delete'
mountOptions:
  - "uid=999,gid=999"

Related Solutions

Docker Volume from Laptop to Persistent Volume on Google Cloud Kubernetes

This sounds like your container needs a pre-populated volume to start up. You could use hostPath like you mentioned but this is not recommended for a couple reasons. Instead, you'll transfer your data to a GCE PD, make sure your PV uses that pre-existing disk and then mount that to your pod. Here's some details:

1. Copy data to a GCE PD: Spin up a VM then either transfer your data from your local machine to the VM or create the filesystem and prep the files required directly from the VM instead of your local machine.

2. Prep a GCE disk for PV use: Either detach the GCE disk from your VM or take a snapshot of the disk and create a new GCE PD from the snapshot.

3. Create a PV to consume the disk: It is important to follow the documentation for this step carefully. The default behavior of PVC in GKE is to be provisioned dynamically using a StorageClass. Instead, we want to make sure the PV is created first and targets the GCE-PD explicitely. GCP has a good walk through on how to do this.

4. Create the PVC to target the PV: As I mentioned, the default behavior will be to create a brand new disk dynamically which will be a blank new disk. Make sure to follow the walk through carefully. If any of the fields are set incorrectly, a different PV will be created.

5. Mount the PVC in your pod: First of all note that GCE disks don't support read/write many, so this PVC can only be used by a single pod.

If you need to have more than a single pod, you'll need create multiple PVCs using the above steps. If the files and filesystem the container needs only has to be read only, then you have two other options to make it easier:

Create the GCE disk in readOnlyMnay mode, this way the same PVC can be used across multiple pods.
Use a configMap with all the files you need. This takes a little bit more planning before hand to make sure all the appropriate files are in the right place

Mounting EKS EFS with CSI Times Out before Pod Comes Up

would you mind trying to create the CSIDriver object and the Daemonset related as well?

apiVersion: storage.k8s.io/v1beta1
kind: CSIDriver
metadata:
  name: efs.csi.aws.com
spec:
  attachRequired: false
---
# Node Service
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: efs-csi-node
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: efs-csi-node
  template:
    metadata:
      labels:
        app: efs-csi-node
    spec:
      nodeSelector:
        kubernetes.io/os: linux
        kubernetes.io/arch: amd64
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
        - operator: Exists
      containers:
        - name: efs-plugin
          securityContext:
            privileged: true
          image: amazon/aws-efs-csi-driver:latest
          args:
            - --endpoint=$(CSI_ENDPOINT)
            - --logtostderr
            - --v=5
          env:
            - name: CSI_ENDPOINT
              value: unix:/csi/csi.sock
          volumeMounts:
            - name: kubelet-dir
              mountPath: /var/lib/kubelet
              mountPropagation: "Bidirectional"
            - name: plugin-dir
              mountPath: /csi
            - name: efs-state-dir
              mountPath: /var/run/efs
          ports:
            - containerPort: 9809
              name: healthz
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 2
            failureThreshold: 5
        - name: csi-driver-registrar
          image: quay.io/k8scsi/csi-node-driver-registrar:v1.3.0
          args:
            - --csi-address=$(ADDRESS)
            - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
            - --v=5
          env:
            - name: ADDRESS
              value: /csi/csi.sock
            - name: DRIVER_REG_SOCK_PATH
              value: /var/lib/kubelet/plugins/efs.csi.aws.com/csi.sock
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
            - name: registration-dir
              mountPath: /registration
            - name: efs-utils-config
              mountPath: /etc/amazon/efs
        - name: liveness-probe
          image: quay.io/k8scsi/livenessprobe:v2.0.0
          args:
            - --csi-address=/csi/csi.sock
            - --health-port=9809
          volumeMounts:
            - mountPath: /csi
              name: plugin-dir
      volumes:
        - name: kubelet-dir
          hostPath:
            path: /var/lib/kubelet
            type: Directory
        - name: registration-dir
          hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
        - name: plugin-dir
          hostPath:
            path: /var/lib/kubelet/plugins/efs.csi.aws.com/
            type: DirectoryOrCreate
        - name: efs-state-dir
          hostPath:
            path: /var/run/efs
            type: DirectoryOrCreate
        - name: efs-utils-config
          hostPath:
            path: /etc/amazon/efs
            type: DirectoryOrCreate
---

or skip the manual process above and just execute:

kubectl apply -k "github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/ecr/?ref=release-1.0"

then try to spin up your stuff again.

hope it helps.

See here for possible release updates.

Best Answer

Related Solutions

Docker Volume from Laptop to Persistent Volume on Google Cloud Kubernetes

Mounting EKS EFS with CSI Times Out before Pod Comes Up

Related Topic