
I'm running the Theia code editor on my EKS cluster, and the image's default user is theia, to which I grant read and write permissions on /home/project. However, when I mount that volume /home/project on my EFS and try to read or write on /home/project, it returns permission denied. I tried using an initContainer but still have the same problem:

apiVersion: apps/v1
kind: Deployment
metadata:
   name: atouati
spec:
  replicas: 1
  selector:
    matchLabels:
      app: atouati
  template:
    metadata:
      labels:
        app: atouati
    spec:
      initContainers:
      - name: take-data-dir-ownership
        image: alpine:3
        command:
        - chown
        - -R
        - 1001:1001
        - /home/project:cached
        volumeMounts:
        - name: project-volume
          mountPath: /home/project:cached
      containers:
      - name: theia
        image: 'xxxxxxx.dkr.ecr.eu-west-1.amazonaws.com/theia-code-editor:latest'
        ports:
        - containerPort: 3000
        volumeMounts:
        - name: project-volume
          mountPath: "/home/project:cached"   
      volumes:
      - name: project-volume
        persistentVolumeClaim:
          claimName: local-storage-pvc

---

apiVersion: v1
kind: Service
metadata:
  name: atouati
spec:
  type: ClusterIP
  selector:
    app: atouati
  ports:
    - protocol: TCP
      port: 80
      targetPort: 3000

When I do ls -l on /home/project:

drwxr-xr-x 2 theia theia  6 Aug 21 17:33 project

On the EFS directory:

drwxr-xr-x 4 root root 6144 Aug 21 17:32 
Rico
touati ahmed

1 Answer


You can instead set the securityContext in your pod spec to run the Pods as uid/gid 1001.

For example:

apiVersion: apps/v1
kind: Deployment
metadata:
   name: atouati
spec:
  replicas: 1
  selector:
    matchLabels:
      app: atouati
  template:
    metadata:
      labels:
        app: atouati
    spec:
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
      containers:
      - name: theia
        image: 'xxxxxxx.dkr.ecr.eu-west-1.amazonaws.com/theia-code-editor:latest'
        ports:
        - containerPort: 3000
        volumeMounts:
        - name: project-volume
          # Kubernetes rejects ':' in mountPath; ":cached" is Docker bind-mount syntax
          mountPath: "/home/project"
      volumes:
      - name: project-volume
        persistentVolumeClaim:
          claimName: local-storage-pvc

Have you kubectl exec'd into the container to confirm that that's the uid/gid that you need to use based on the apparent ownership?

OregonTrail
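The ownership check the answer asks about, as an added example that is not part of the original answer: it applies the POSIX owner/group/other rule to a directory's uid, gid and mode, so the `root root drwxr-xr-x` listing from the question can be compared with a process running as 1001:1001. `write_allowed` and `diagnose` are hypothetical helper names, and `stat -c` assumes GNU or BusyBox stat in the image.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a process identity
# may write to a directory, using the POSIX owner/group/other permission classes.
#
# write_allowed UID "GID LIST" OWNER_UID OWNER_GID MODE   (MODE is octal, e.g. 755)
# Prints the class that applied and returns 0 only if that class has the write bit.
write_allowed() {
    uid=$1; gids=$2; o_uid=$3; o_gid=$4; mode=$5
    # Keep only the rwx bits; setuid/setgid/sticky do not grant write access.
    perm=$(( 0$mode & 0777 ))
    if [ "$uid" -eq 0 ]; then
        # Assumption: the file server does not squash root to an anonymous uid.
        echo "root: mode bits bypassed"
        return 0
    fi
    if [ "$uid" -eq "$o_uid" ]; then
        # Owner class is exclusive: group/other bits are never consulted.
        class=owner; bit=$(( perm & 0200 ))
    else
        class=other; bit=$(( perm & 0002 ))
        for g in $gids; do
            if [ "$g" -eq "$o_gid" ]; then
                class=group; bit=$(( perm & 0020 ))
                break
            fi
        done
    fi
    if [ "$bit" -ne 0 ]; then
        echo "$class: write allowed"
        return 0
    fi
    echo "$class: write denied (uid=$uid gids=$gids vs $o_uid:$o_gid mode $mode)"
    return 1
}

# diagnose PATH: run the check for the current process against PATH.
# Usage inside the container (e.g. from a kubectl exec shell): diagnose /home/project
diagnose() {
    # stat prints numeric owner uid, owner gid and octal mode of PATH.
    set -- "$1" $(stat -c '%u %g %a' "$1")
    write_allowed "$(id -u)" "$(id -G)" "$2" "$3" "$4"
}
```

A result of `other: write denied` for uid 1001 means the mount is still owned by another uid/gid, which is the state the question's EFS listing shows.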