Unable to set fsGroup parameter in a Pod that uses RWX PVC

ssik · August 12, 2024, 6:55pm

Cluster information:

Kubernetes version:

'Client Version: version.Info{Major:“1”, Minor:“22”, GitVersion:“v1.22.0”, GitCommit:“c2b5237ccd9c0f1d600d3072634ca66cefdf272f”, GitTreeState:“clean”, BuildDate:“2021-08-04T18:03:20Z”, GoVersion:“go1.16.6”, Compiler:“gc”, Platform:“darwin/arm64”}
Server Version: version.Info{Major:“1”, Minor:“22”, GitVersion:“v1.22.8”, GitCommit:“7061dbbf75f9f82e8ab21f9be7e8ffcaae8e0d44”, GitTreeState:“clean”, BuildDate:“2022-03-16T14:04:34Z”, GoVersion:“go1.16.15”, Compiler:“gc”, Platform:“linux/amd64”}

Cloud being used: Bare metal
Installation method: Kubespray, on-prem
Host OS: Linux
CNI and version: Calico, Docker image: quay.io/ calico/ node:v3.22.3
CRI and version:

Problem

We are using Trident from NetApp as our storage provide. We were trying to install an application on our cluster through helm installation, and we found out that the fsGroup parameter in the pod Security Context was not being applied due to our PVC having RWX access mode (relevant trident documentation). this is causing a Permission denied error in our container, and the only workaround we have is to run the pod as root user, which we want to avoid. We require RWX mode for the PVC for our use case.

Essentially this is causing one of the directory’s owners to change to root, but the container runs with user 1000. Then, we see ‘Permission denied’ error because the user 1000 does not have permission to execute commands in the directory.

Is there any way we can get around this issue? We have tried adding an initContainer to change the ownership and access of the directory, but I think this gets overwritten in the main container as we’re still seeing the same error.

Environment
Provide accurate information about the environment to help us reproduce the issue.

Trident version: [e.g. 19.10]

$ tridentctl version -n trident
±---------------±---------------+
| SERVER VERSION | CLIENT VERSION |
±---------------±---------------+
| 23.07.0 | 23.07.0 |
±---------------±---------------+

Container runtime:

We are using cloudbees image: https://hub.docker.com/layers/cloudbees/cloudbees-cloud-core-oc/2.452.3.2/images/sha256-d92794c80d0c5281fb0c3195a24934944dec765376cdb8260d0af24fba5d0d6a

Topic		Replies	Views
Write permissions on volume mount with security context fsgroup option General Discussions	6	98699	April 13, 2023
How to ensure NFS PV is mounted with correct uid/gid permissions? General Discussions	0	1288	August 22, 2023
SupplementalGroups not working for NFS volume General Discussions	0	1876	April 17, 2020
fsGroup has different impact on hostPath versus pvc and different impact on nfs versus cifs General Discussions	3	2971	July 28, 2020
[Security Advisory] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Announcements	0	1425	November 14, 2023

Unable to set fsGroup parameter in a Pod that uses RWX PVC

Cluster information:

Problem

Related topics