-1

Under Hyper-V I've created two Ubuntu VMs. The first creates an NFS server for /srv/nfs.

/etc/exports:

/srv/nfs *(rw,sync,no_root_squash)

The second can easily mount the NFS file system with this command as root or any user:

mount -t nfs 192.168.1.40:/srv/nfs /mnt/nfs

So the NFS server and client work great between the VMs. I start an Alpine Kubernetes pod under Windows Docker, and remote shell into the pod. I can ping 192.168.1.40 fine, under 1 ms, from the pod, but the NFS mount command above always says:

mount: /mnt/nfs: permission denied

The pod's /mnt/nfs directory is present and I did a chmod 777 /mnt/nfs. Worked on this for a couple of days, but I'm baffled.

I believe by default pods have complete egress permissions, and the ping works fine. What is failing here? The pod is root, so if root works for a VM, why doesn't it work for a pod as root? What component in K8s is restricting this from completing?

  • can you give us more details like which kubernetes version you are using and your deployment manifest file or some steps for replicating the issue. – Kranthiveer Dontineni Mar 30 '23 at 10:45
  • Kubernetes deployment is WSL2. I am just trying to connect an Alpine pod to an nfs server, of which I can connect through another VM, as root or any login. All I can come up with is Kubernetes is restricting the egress. Permission denied does tell you much. I am at a loss of what to try next. – Robert Crowder Mar 31 '23 at 09:10
  • I am connecting to the alpine pod with an exec -- sh command, and then trying to mount the nfs server through the shell cmd mentioned above, which fails. My yaml file also fails, but it seems irrelevant, since I cannot mount it manually as well. – Robert Crowder Mar 31 '23 at 09:33
  • Hello Robert, while the information you provided outlines the process, it is not sufficient for replicating the issue. Kindly refer to https://stackoverflow.com/help/how-to-ask for guidelines on asking a question on StackEx. – Kranthiveer Dontineni Mar 31 '23 at 12:27

1 Answer

0

I was able to mount the NFS server on the VM from WSL2 and K8s pods by adding 'insecure' to the following line in /etc/exports on my NFS server.

/srv/nfs        *(rw,sync,no_subtree_check,insecure)

I believe that the other VM was able to mount it because it used a client port below 1024. I believe that WSL2 and Windows Docker/K8s use a client port above 1024, which the NFS server will reject by default if insecure is not allowed.

Additionally, *(...) allows any client IP address to connect, but you would want to replace * with the IP addresses of your clients to restrict who can connect to the NFS server.
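Added example, not part of the original answer: a small audit of exports(5) text that flags the three settings discussed on this page, namely a wildcard client, `insecure` (requests accepted from source ports of 1024 and above) and `no_root_squash` (remote root keeps uid 0). The sample file, the paths /srv/nfs2 and /srv/nfs3, the 192.168.1.41/42 clients and the finding labels are constructed for illustration; only plain `client(options)` entries are handled, not quoted paths or `-option` default blocks.

```python
import re

# Constructed sample: the question's export, the answer's export, and a
# per-client variant of the kind the answer recommends (addresses are made up).
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/nfs   *(rw,sync,no_root_squash)
/srv/nfs2  *(rw,sync,no_subtree_check,insecure)
/srv/nfs3  192.168.1.41(rw,sync,no_subtree_check) \\
           192.168.1.42(rw,sync,no_subtree_check,insecure)
"""

# One client entry: optional host spec followed by optional (opt,opt,...)
CLIENT_RE = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports text."""
    text = re.sub(r"\\\n", " ", text)           # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *tokens = line.split()
        for token in tokens:
            m = CLIENT_RE.match(token)
            if m is None:
                raise ValueError(f"unparsed export entry: {token!r}")
            # An entry with no host, e.g. "(rw)", applies to any host.
            client = m["client"] or "*"
            opts = {o for o in (m["opts"] or "").split(",") if o}
            yield path, client, opts


def audit(text):
    """Return (path, client, finding) tuples for settings worth reviewing."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "any-host"))
        if "insecure" in opts:                  # source ports >= 1024 accepted
            findings.append((path, client, "unprivileged-source-port"))
        if "no_root_squash" in opts:            # remote uid 0 stays uid 0
            findings.append((path, client, "root-not-squashed"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:10} {client:14} {finding}")
```

An export that needs `insecure` for WSL2 or container clients is the one where listing client addresses instead of `*` matters most, since the privileged-port check is no longer applied to it.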