I am trying to create a StatefulSet like the one below, where an init container applies permissions to the data volume before the main container uses it, but I get the permissions error shown below.
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgresql
spec:
  serviceName: postgresql-headless
  replicas: 1
  selector:
    matchLabels:
      app: awx
  template:
    metadata:
      name: postgresql
      labels:
        app: awx
    spec:
      securityContext:
        fsGroup: 1001
      serviceAccountName: awx
      initContainers:
        - name: init-chmod-data
          image: docker.local/data/awx/bitnami/minideb/minideb:1.0
          command:
            - /bin/sh
            - -cx
            - |
              echo "current user id: `id`"
              mkdir -p /bitnami/postgresql/data
              chmod 700 /bitnami/postgresql/data
              find /bitnami/postgresql/data -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
                xargs chown -R 1001:1001
          securityContext:
            runAsUser: 1001
          volumeMounts:
            - name: data
              mountPath: /bitnami/postgresql/data
              subPath: ""
      containers:
        - name: postgresql
          image: docker.local/bitnami/postgresql:11.6.0-debian-10-r5
          securityContext:
            runAsUser: 1001
          env:
            - name: POSTGRESQL_PASSWORD
              value: "p@ssw0rd"
          volumeMounts:
            - name: data
              mountPath: /bitnami/postgresql/data
              subPath: ""
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 5Gi
        storageClassName: cinder
```
When I run this spec, it fails in the init container:

```text
kubectl -n mynamespace logs postgresql-0 -c init-chmod-data
+ id
current user id: uid=1001(postgresql) gid=1001(postgresql) groups=1001(postgresql)
+ echo current user id: uid=1001(postgresql) gid=1001(postgresql) groups=1001(postgresql)
+ mkdir -p /bitnami/postgresql/data
+ chmod 700 /bitnami/postgresql/data
chmod: changing permissions of '/bitnami/postgresql/data': Operation not permitted
```
However, when I run the image used in the init container locally in Docker, I am able to change these permissions:

```text
sudo docker image ls | grep 1.0 | grep minideb
docker.local/data/awx/bitnami/minideb/minideb   1.0   698636b178a6   2 hours ago   53.7MB
sudo docker run -it --name minideb 698636b178a6
postgresql@248dcad0e738:/$ mkdir -p /bitnami/postgresql/data
postgresql@248dcad0e738:/$ chmod 700 /bitnami/postgresql/data
postgresql@248dcad0e738:/$
```
The minideb image has been modified as shown below, because I can't run containers as root:

```dockerfile
FROM docker.local/bitnami/minideb:stretch
USER 0
RUN groupadd --gid 1001 postgresql && useradd --uid 1001 --gid 1001 postgresql
RUN mkdir -p /bitnami/postgresql ; chown -R 1001:1001 /bitnami/postgresql
USER 1001
```
Any idea what I am doing wrong? Thank you!
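Added example, not part of the original question: a small manifest check for the pattern in the question. In Docker the `chmod` succeeds because `/bitnami/postgresql` was chowned to uid 1001 at image build time, so the `mkdir` creates a directory that uid 1001 owns. In Kubernetes the PersistentVolume is mounted on top of `/bitnami/postgresql/data`, and the root of a freshly mounted volume is owned by root; `fsGroup: 1001` only changes its group (and sets g+rwx and setgid). `chmod(2)` on a directory requires owning it or holding `CAP_FOWNER`, so uid 1001 gets `Operation not permitted` on the mount root. The script below walks a pod template (assumed already parsed into a dict, for instance with `yaml.safe_load(...)["spec"]["template"]["spec"]`), and flags any non-root init container that runs `chmod`/`chown`/`chgrp` directly against a volume mount root. The manifest is transcribed from the question; the second variant, which mounts the volume one level up so that the init container creates and therefore owns `/bitnami/postgresql/data`, is an assumption of this example, not something the question describes. Function and constant names (`find_root_chmod`, `change_targets`, `MOUNT_PARENT_SPEC`) are this example's own.

```python
"""Flag init containers that chmod/chown the root of a mounted volume while
running as a non-root user (added example, not from the question).

chmod(2)/chown(2) on a directory need ownership or CAP_FOWNER/CAP_CHOWN; the
root of a freshly mounted PersistentVolume is owned by root, so uid 1001 gets
EPERM there even though fsGroup has already made the directory group 1001.
"""
import copy
import re
import shlex

CHANGE_CMDS = {"chmod", "chown", "chgrp"}
PIPE_OR_SEQ = re.compile(r"\|\||&&|\||;")


def effective_uid(pod_spec, container):
    """runAsUser from the container securityContext, else the pod one, else
    None (the image's USER, which the manifest does not know)."""
    c_ctx = container.get("securityContext") or {}
    p_ctx = pod_spec.get("securityContext") or {}
    return c_ctx.get("runAsUser", p_ctx.get("runAsUser"))


def change_targets(script):
    """Yield (cmd, path) for explicit path operands of chmod/chown/chgrp.
    Paths arriving through a pipe (find ... | xargs chown ...) are invisible
    here; the question's pipeline uses -mindepth 1, so it never touches the
    mount root anyway."""
    script = script.replace("\\\n", " ")  # join backslash-continued lines
    for line in script.splitlines():
        for seg in PIPE_OR_SEQ.split(line):
            try:
                toks = shlex.split(seg, comments=True)
            except ValueError:  # unterminated quote etc.: skip the segment
                continue
            if toks and toks[0] == "xargs":
                toks = toks[1:]
            if not toks or toks[0] not in CHANGE_CMDS:
                continue
            operands = [t for t in toks[1:] if not t.startswith("-")]
            # first operand is the mode (chmod) or the owner spec (chown/chgrp)
            for path in operands[1:]:
                yield toks[0], path


def find_root_chmod(pod_spec):
    """One finding per chmod/chown/chgrp aimed at a volume mount root by an
    init container that does not run as uid 0."""
    findings = []
    for c in pod_spec.get("initContainers") or []:
        uid = effective_uid(pod_spec, c)
        if uid == 0:
            continue  # root owns the mount point (and has CAP_FOWNER)
        mounts = {m["mountPath"].rstrip("/"): m["name"]
                  for m in c.get("volumeMounts") or []}
        script = "\n".join(list(c.get("command") or []) + list(c.get("args") or []))
        for cmd, path in change_targets(script):
            vol = mounts.get(path.rstrip("/"))
            if vol is not None:
                findings.append({"container": c["name"], "runAsUser": uid,
                                 "cmd": cmd, "path": path, "volume": vol})
    return findings


# Pod template transcribed from the question, in dict form (a real tool would
# feed yaml.safe_load(manifest)["spec"]["template"]["spec"] here).
INIT_SCRIPT = """echo "current user id: `id`"
mkdir -p /bitnami/postgresql/data
chmod 700 /bitnami/postgresql/data
find /bitnami/postgresql/data -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \\
  xargs chown -R 1001:1001
"""
POD_SPEC = {
    "securityContext": {"fsGroup": 1001},
    "initContainers": [{
        "name": "init-chmod-data",
        "command": ["/bin/sh", "-cx", INIT_SCRIPT],
        "securityContext": {"runAsUser": 1001},
        "volumeMounts": [{"name": "data", "mountPath": "/bitnami/postgresql/data", "subPath": ""}],
    }],
    "containers": [{
        "name": "postgresql",
        "securityContext": {"runAsUser": 1001},
        "volumeMounts": [{"name": "data", "mountPath": "/bitnami/postgresql/data", "subPath": ""}],
    }],
}

# Assumed variant: mount the volume one level up. The mount root stays
# root:1001 (g+rwx, setgid via fsGroup), so uid 1001 can mkdir inside it and
# then owns /bitnami/postgresql/data, which makes the chmod 700 succeed.
MOUNT_PARENT_SPEC = copy.deepcopy(POD_SPEC)
for _c in MOUNT_PARENT_SPEC["initContainers"] + MOUNT_PARENT_SPEC["containers"]:
    _c["volumeMounts"][0]["mountPath"] = "/bitnami/postgresql"

if __name__ == "__main__":
    for f in find_root_chmod(POD_SPEC):
        print(f"{f['container']}: {f['cmd']} on root of volume '{f['volume']}' "
              f"({f['path']}) as uid {f['runAsUser']} will fail with EPERM")
    print("mount-parent variant:", find_root_chmod(MOUNT_PARENT_SPEC))
```

Running it flags the `chmod 700 /bitnami/postgresql/data` in `init-chmod-data` (uid 1001 on the root of volume `data`) and reports nothing for the variant mounted at `/bitnami/postgresql`. The check only sees paths named on the command line; it deliberately ignores the `find | xargs chown` pipeline, so treat it as a lint for this one failure mode rather than a full audit of the script.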