NFS/hostPath is mounted as root in a pod running non-root user

Hello everybody!

I have a problem when I try to mount an NFS shared volume or hostPath into a pod deployed by a K8s Deployment object.

The volume is mounted as root:root, although inside, after mounting, it does have non-root user permissions, but the container's user cannot write to it.

Cluster information:

Kubernetes version: 1.21.0
Cloud being used: on-premise
Installation method: kubeadm
Host OS: CentOS 8
CNI and version: 0.8.7
CRI-O and version: 1.21.0
CRI tools: 1.13.0

This is the YAML:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: alejandra-fs-0
  annotations:
    pv.beta.kubernetes.io/gid: "1001"
spec:
  capacity:
    storage: 80Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /var/lib/k8s-storage/assets/pcs-dashboard
    server: 10.0.0.20
  persistentVolumeReclaimPolicy: Retain

---

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pcs-dashboard
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi

---


apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: pcs-dashboard
  name: alejandra-app
  labels:
    app: alejandra-app
  annotations:
    pv.beta.kubernetes.io/gid: "1001"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alejandra-app
  template:
    metadata:
      labels:
        app: alejandra-app
    spec:
      securityContext:
        fsGroup: 1001
      nodeSelector:
        node-role.kubernetes.io/worker: worker
      containers:
        - image: 10.0.0.18:5000/alejandra-dashboard-os-app
          imagePullPolicy: Always
          name: alejandra-app
          volumeMounts:
            - mountPath: /app/var
              name: alejandra-fs-0
      volumes:
        - name: alejandra-fs-0
          persistentVolumeClaim:
            claimName: pcs-dashboard
      restartPolicy: Always

bash-4.4$ ls -la
total 116
drwxr-xr-x. 1 alejandra alejandra  4096 Jul  5 13:44 .
dr-xr-xr-x. 1 root   root    4096 Jul  5 13:52 ..
drwx------. 3 alejandra alejandra  4096 Jul  5 13:44 .cache
drwxrwxr-x. 1 alejandra alejandra  4096 Jul  5 13:44 .git
-rw-rw-r--. 1 alejandra alejandra   168 Jun 30 09:18 .gitignore
drwx------. 5 alejandra alejandra  4096 Jul  5 13:44 .local
-rw-rw-r--. 1 alejandra alejandra  5637 Jun 30 09:18 README.md
drwxrwxr-x. 1 alejandra alejandra  4096 Jul  5 13:52 dashboard
drwxr-xr-x. 1 alejandra alejandra  4096 Jul  5 13:44 entrypoints
-rw-rw-r--. 1 alejandra alejandra 10528 Jun 30 09:18 fabfile.py
drwxrwxr-x. 1 alejandra alejandra  4096 Jul  5 13:52 alejandra_dashboard
drwxrwxr-x. 1 alejandra alejandra  4096 Jun 30 09:18 locale
-rwxrwxr-x. 1 alejandra alejandra   548 Jun 30 09:18 manage.py
drwxrwxr-x. 1 alejandra alejandra  4096 Jul  5 13:52 profiles
-rw-rw-r--. 1 alejandra alejandra   424 Jun 30 09:18 requirements.dev.txt
-rw-rw-r--. 1 alejandra alejandra   664 Jun 30 09:18 requirements.txt
drwxrwxr-x. 1 alejandra alejandra  4096 Jul  5 13:52 single_sign_on
drwxr-xr-x. 2 root   root    4096 Jul  1 12:48 var


INSIDE /app/var
total 12
drwxr-xr-x. 2 root   root   4096 Jul  1 12:48 .
drwxr-xr-x. 1 alejandra alejandra 4096 Jul  5 13:44 ..

EXPORTFS

/var/lib/k8s-storage/databases/pcs-dashboard 10.0.0.13/32(rw,fsid=0,sync,insecure_locks,insecure,no_root_squash)
/var/lib/k8s-storage/assets/pcs-dashboard 10.0.0.13/32(rw,fsid=0,sync,insecure_locks,insecure,no_root_squash)

DIRECTORY IN NFS SERVER
ls -la /var/lib/k8s-storage/assets/pcs-dashboard/
total 8
drwxr-xr-x. 2 alejandra alejandra 4096 Jul  2 13:54 .
drwxr-xr-x. 4 alejandra alejandra 4096 Jul  2 13:54 .

Is the container running NFS running as root? Might be able to use initContainers to fix the perms.

This seems similar to this thread and this issue.

Nope, the container is running as alejandra's user. It has UID 1001 and GID 1001. The application works OK, and the directory /app/var is set to alejandra:alejandra without a PVC associated.

When I associate the PVC and redeploy the pods, /app/var changes to root:root with 755 perms.

However, when I do ls -la /app/var, I get these perms:

total 12
drwxr-xr-x. 2 root   root   4096 Jul  1 12:48 .
drwxr-xr-x. 1 alejandra alejandra 4096 Jul  5 13:44 ..

I don’t know why NFS is mounted as root.
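The initContainer approach suggested in the reply, written out as an added example (not a manifest from this thread). Kubernetes does not apply fsGroup ownership management to nfs volumes, so the fsGroup: 1001 in the Deployment above does not change the mount; instead a short-lived root initContainer fixes ownership before the non-root app container starts. The busybox image is an assumption; the PVC name, mount path and UID/GID 1001 are taken from the thread.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: alejandra-app
  namespace: pcs-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alejandra-app
  template:
    metadata:
      labels:
        app: alejandra-app
    spec:
      volumes:
        - name: alejandra-fs-0
          persistentVolumeClaim:
            claimName: pcs-dashboard
      initContainers:
        # Runs once per pod start, as root, with every capability dropped
        # except the one chown needs. busybox is an assumed helper image.
        - name: fix-perms
          image: busybox:1.36
          command: ["sh", "-c", "chown 1001:1001 /app/var"]
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
            capabilities:
              drop: ["ALL"]
              add: ["CHOWN"]
          volumeMounts:
            - name: alejandra-fs-0
              mountPath: /app/var
      containers:
        # The application itself stays non-root, matching the thread's UID/GID.
        - name: alejandra-app
          image: 10.0.0.18:5000/alejandra-dashboard-os-app
          imagePullPolicy: Always
          securityContext:
            runAsUser: 1001
            runAsGroup: 1001
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: alejandra-fs-0
              mountPath: /app/var
```

The chown only succeeds over NFS because the exports shown above use no_root_squash; with root_squash the server rejects it, and the ownership has to be set on the server side to the numeric UID/GID the container runs as (1001:1001), since NFS compares numeric IDs, not user names.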