I have an application running in a POD in Kubernetes. I want to store some output file logs on a persistent storage volume.
For this I created a volume on NFS and bound it to the POD through the related volume claim. When I try to write to or access the shared folder I get a "permission denied" message, since the "NFS" is apparently read only.
Here is the json file I used to create the volume:
```json
{
  "kind": "PersistentVolume",
  "apiVersion": "v1",
  "metadata": {
    "name": "task-pv-test"
  },
  "spec": {
    "capacity": {
      "storage": "10Gi"
    },
    "nfs": {
      "server": <IPAddress>,
      "path": "/export"
    },
    "accessModes": [
      "ReadWriteMany"
    ],
    "persistentVolumeReclaimPolicy": "Delete",
    "storageClassName": "standard"
  }
}
```
Here is the POD configuration file:
```yaml
kind: Pod
apiVersion: v1
metadata:
  name: volume-test
spec:
  volumes:
  - name: task-pv-test-storage
    persistentVolumeClaim:
      claimName: task-pv-test-claim
  containers:
  - name: volume-test
    image: <ImageName>
    volumeMounts:
    - mountPath: /home
      name: task-pv-test-storage
      readOnly: false
```
Is there a way to change the permissions?
Update
Here are the PVC and NFS configurations:
PVC:
```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: task-pv-test-claim
spec:
  storageClassName: standard
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 3Gi
```
NFS configuration:
```json
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "nfs-client-provisioner-557b575fbc-hkzfp",
    "generateName": "nfs-client-provisioner-557b575fbc-",
    "namespace": "default",
    "selfLink": "/api/v1/namespaces/default/pods/nfs-client-provisioner-557b575fbc-hkzfp",
    "uid": "918b1220-423a-11e8-8c62-8aaf7effe4a0",
    "resourceVersion": "27228",
    "creationTimestamp": "2018-04-17T12:26:35Z",
    "labels": {
      "app": "nfs-client-provisioner",
      "pod-template-hash": "1136131967"
    },
    "ownerReferences": [
      {
        "apiVersion": "extensions/v1beta1",
        "kind": "ReplicaSet",
        "name": "nfs-client-provisioner-557b575fbc",
        "uid": "3239b14a-4222-11e8-8c62-8aaf7effe4a0",
        "controller": true,
        "blockOwnerDeletion": true
      }
    ]
  },
  "spec": {
    "volumes": [
      {
        "name": "nfs-client-root",
        "nfs": {
          "server": <IPAddress>,
          "path": "/Kubernetes"
        }
      },
      {
        "name": "nfs-client-provisioner-token-fdd2c",
        "secret": {
          "secretName": "nfs-client-provisioner-token-fdd2c",
          "defaultMode": 420
        }
      }
    ],
    "containers": [
      {
        "name": "nfs-client-provisioner",
        "image": "quay.io/external_storage/nfs-client-provisioner:latest",
        "env": [
          { "name": "PROVISIONER_NAME", "value": "<IPAddress>/Kubernetes" },
          { "name": "NFS_SERVER", "value": <IPAddress> },
          { "name": "NFS_PATH", "value": "/Kubernetes" }
        ],
        "resources": {},
        "volumeMounts": [
          { "name": "nfs-client-root", "mountPath": "/persistentvolumes" },
          {
            "name": "nfs-client-provisioner-token-fdd2c",
            "readOnly": true,
            "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
          }
        ],
        "terminationMessagePath": "/dev/termination-log",
        "terminationMessagePolicy": "File",
        "imagePullPolicy": "Always"
      }
    ],
    "restartPolicy": "Always",
    "terminationGracePeriodSeconds": 30,
    "dnsPolicy": "ClusterFirst",
    "serviceAccountName": "nfs-client-provisioner",
    "serviceAccount": "nfs-client-provisioner",
    "nodeName": "det-vkube-s02",
    "securityContext": {},
    "schedulerName": "default-scheduler",
    "tolerations": [
      { "key": "node.kubernetes.io/not-ready", "operator": "Exists", "effect": "NoExecute", "tolerationSeconds": 300 },
      { "key": "node.kubernetes.io/unreachable", "operator": "Exists", "effect": "NoExecute", "tolerationSeconds": 300 }
    ]
  },
  "status": {
    "phase": "Running",
    "hostIP": <IPAddress>,
    "podIP": <IPAddress>,
    "startTime": "2018-04-17T12:26:35Z",
    "qosClass": "BestEffort"
  }
}
```
I just removed some status information from the nfs configuration to make it shorter.
If the securityContext is set appropriately on the Pod configuration, you can make sure the volume is mounted with the appropriate permissions.
Example:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  securityContext:
    fsGroup: 2000
  volumes:
  - name: task-pv-test-storage
    persistentVolumeClaim:
      claimName: task-pv-test-claim
  containers:
  - name: demo
    image: example-image
    volumeMounts:
    - name: task-pv-test-storage
      mountPath: /data/demo
```
In the above example the storage will be mounted at /data/demo with group ID 2000, which is set by fsGroup. You need to find out the group ID of the user you are running as. To do that, run the container, type `id` and look for the gid.
To run the container and get the result of `id`, type:
```
docker run --rm -it example-image id
```
You can read more about the Pod security context here: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
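The procedure in the answer above has two steps: read the gid from the `id` output of the image, then put that number into `securityContext.fsGroup`. The script below is an added example, not code from the question or the answer: it parses a constructed sample of `id` output, renders a Pod manifest with a matching `fsGroup`, and checks the rendered manifest before it is applied. The pod name `app-pod`, the image name `example-image` and the sample `id` line are assumptions for illustration; the claim name `task-pv-test-claim` is the one from the question. fsGroup adds the group to every container process in the pod as a supplementary group, so the gid you choose must be a group that already has write access on the NFS export.

```sh
#!/bin/sh
# Added example (not from the original question or answer): derive the gid
# from `id` output and render a Pod manifest whose securityContext.fsGroup
# matches it. Pod name, image and the sample `id` line are assumptions.

# Constructed sample of what `docker run --rm -it example-image id` prints.
SAMPLE_ID_OUTPUT='uid=1000(app) gid=1000(app) groups=1000(app),2000(data)'

# Print the numeric primary gid found in one line of `id` output.
# Works for both "gid=1000(app)" and the name-less "gid=1000" form.
gid_from_id_output() {
    printf '%s\n' "$1" | sed -n 's/.*gid=\([0-9][0-9]*\).*/\1/p'
}

# Render a Pod manifest that mounts the claim with fsGroup set to the gid.
# Arguments: pod name, image, claim name, mount path, gid.
render_fsgroup_manifest() {
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  securityContext:
    fsGroup: $5
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: $3
  containers:
  - name: $1
    image: $2
    volumeMounts:
    - name: data
      mountPath: $4
EOF
}

# Pre-apply check: does the rendered manifest carry the expected fsGroup line?
# Arguments: manifest text, expected gid.
manifest_has_fsgroup() {
    printf '%s\n' "$1" | grep -q "^    fsGroup: $2\$"
}

GID=$(gid_from_id_output "$SAMPLE_ID_OUTPUT")
MANIFEST=$(render_fsgroup_manifest app-pod example-image task-pv-test-claim /data/demo "$GID")
if manifest_has_fsgroup "$MANIFEST" "$GID"; then
    printf '%s\n' "$MANIFEST"
else
    echo "fsGroup $GID missing from rendered manifest" >&2
    exit 1
fi
```

Pipe the output into `kubectl apply -f -`, then confirm from inside the pod that the gid actually took effect and the mount is writable, for example with `kubectl exec app-pod -- sh -c 'id; touch /data/demo/.write-test'`. If `id` shows the expected group but `touch` still fails, the remaining problem is on the NFS export side (ownership or export options), not in the Pod spec.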