如何解决即使使用initContainers,安装卷上的权限也被拒绝?
我正在EKS集群上运行theia代码编辑器,并且图像的默认用户是theia,在该用户上我授予了对/ home / project的读写权限。但是,当我在EFS上安装该卷/ home / project并尝试在/ home / project上进行读写时,它返回的权限被拒绝,我尝试使用initContainer进行操作,但仍然存在相同的问题:
apiVersion: apps/v1
kind: Deployment
metadata:
name: atouati
spec:
replicas: 1
selector:
matchLabels:
app: atouati
template:
metadata:
labels:
app: atouati
spec:
initContainers:
- name: take-data-dir-ownership
image: alpine:3
command:
- chown
- -R
- 1001:1001
- /home/project:cached
volumeMounts:
- name: project-volume
mountPath: /home/project:cached
containers:
- name: theia
image: 'xxxxxxx.dkr.ecr.eu-west-1.amazonaws.com/theia-code-editor:latest'
ports:
- containerPort: 3000
volumeMounts:
- name: project-volume
mountPath: "/home/project:cached"
volumes:
- name: project-volume
persistentVolumeClaim:
claimName: local-storage-pvc
---
apiVersion: v1
kind: Service
metadata:
name: atouati
spec:
type: ClusterIP
selector:
app: atouati
ports:
- protocol: TCP
port: 80
targetPort: 3000
当我在/ home / project上执行ls -l
drwxr-xr-x 2 theia theia 6 Aug 21 17:33 project
在efs目录中:
drwxr-xr-x 4 root root 6144 Aug 21 17:32
解决方法
您可以改为在Pod规范中设置securityContext
,以将Pod作为uid / gid 1001运行。
例如
apiVersion: apps/v1
kind: Deployment
metadata:
name: atouati
spec:
replicas: 1
selector:
matchLabels:
app: atouati
template:
metadata:
labels:
app: atouati
spec:
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
containers:
- name: theia
image: 'xxxxxxx.dkr.ecr.eu-west-1.amazonaws.com/theia-code-editor:latest'
ports:
- containerPort: 3000
volumeMounts:
- name: project-volume
mountPath: "/home/project:cached"
volumes:
- name: project-volume
persistentVolumeClaim:
claimName: local-storage-pvc
您是否kubectl exec
进入容器以根据表观所有权确认您需要使用的uid / gid?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。