I'm trying to run a Tomcat container in K8S with a non-root user. To do so I set the user 'tomcat' with the appropriate permissions in the Docker image. I have a startup script that creates a directory in /opt/var/logs (during container startup) and also starts the Tomcat service.
```dockerfile
# steps in Dockerfile
# add the tomcat user and group and give them permission to /opt
RUN addgroup -g 1001 tomcat && \
    adduser -D -u 1001 -G tomcat tomcat && \
    chown -R tomcat:tomcat /opt
# switch user
USER tomcat
```
The pod runs fine in K8S when deployed using a Deployment without any volume mapped.
But I get a permission denied error (`permission denied: creating directory /opt/var/logs/docker/`) from the startup script, which fails to create the directory when I map the Deployment to the persistent volume claim, even though I set fsGroup as explained here: Configure a Security Context for a Pod or Container | Kubernetes.
I have a persistent volume of type hostPath.
The Deployment definition is as below.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ms-tomcat
  namespace: ms-ns
  labels:
    app: tomcat
spec:
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      securityContext:
        fsGroup: 1001
        runAsUser: 1001
        runAsGroup: 1001
      containers:
        - name: tomcat
          image: docker-registry.test.com/tomcat:1.2
          volumeMounts:
            - name: logging-volume
              mountPath: /opt/var/logs/docker
      imagePullSecrets:
        - name: test
      volumes:
        - name: logging-volume
          persistentVolumeClaim:
            claimName: nonroot-test-pvc
```
PVC:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nonroot-test-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
  storageClassName: local-node-sc
  volumeName: nonroot-test-pv
```
The only solution I have found so far is to run an init container as root and set the permissions on the directory from the mapped volume, but I have more than 100 services on K8S and adding init containers would slow everything down.
```yaml
initContainers:
  - name: volume-mount-hack
    image: busybox
    command: ["sh", "-c", "chown -R 501:501 /opt"]
    volumeMounts:
      - name: logging-volume
        mountPath: /opt/var/logs/docker
```
I also tried setting mount options in the storage class as well as in the persistent volume, but that did not help: ibm cloud - Kubernetes Persistent Volume Claim mounted with wrong gid - Stack Overflow
Any help or suggestion is really appreciated.
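As an added illustration (not part of the question above), a small Python model of the POSIX permission check behind the error: creating a subdirectory needs write and search permission on the parent, and a hostPath mount keeps the host directory's ownership because kubelet's fsGroup ownership management is not applied to hostPath volumes. The uid/gid 1001 come from the question; the root-owned 0755 state of the hostPath directory on the node is an assumption, as are the function names.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """Identity of the container process: runAsUser, runAsGroup, supplementary groups (fsGroup lands here)."""
    uid: int
    gid: int
    groups: frozenset


@dataclass(frozen=True)
class Dir:
    """Ownership and permission bits of the mount point, as stat(1) would report them."""
    uid: int
    gid: int
    mode: int  # permission bits plus setgid, e.g. 0o755


def can_create_subdir(proc: Proc, d: Dir) -> bool:
    """POSIX rule: exactly one of the owner/group/other triplets applies, chosen by
    ownership match; mkdir inside d needs both the write (2) and search (1) bit."""
    if proc.uid == 0:
        return True  # root bypasses discretionary access checks
    if proc.uid == d.uid:
        bits = (d.mode >> 6) & 0o7
    elif proc.gid == d.gid or d.gid in proc.groups:
        bits = (d.mode >> 3) & 0o7
    else:
        bits = d.mode & 0o7
    return bool(bits & 0o2) and bool(bits & 0o1)


def apply_fsgroup(d: Dir, fsgroup: int) -> Dir:
    """Model of kubelet's fsGroup handling for a directory on a volume type that supports it:
    chgrp to fsGroup, add g+rwx and setgid. hostPath volumes are left untouched by kubelet."""
    return Dir(d.uid, fsgroup, d.mode | 0o070 | stat.S_ISGID)


def chown(d: Dir, uid: int, gid: int) -> Dir:
    """Effect of the init-container workaround: chown the mounted directory."""
    return Dir(uid, gid, d.mode)


# From the question: Tomcat runs as uid/gid 1001 and the pod sets fsGroup 1001.
TOMCAT = Proc(uid=1001, gid=1001, groups=frozenset({1001}))
# Assumed state of the hostPath directory as created on the node: root:root, mode 0755.
HOSTPATH_DEFAULT = Dir(uid=0, gid=0, mode=0o755)

if __name__ == "__main__":
    print("hostPath as mounted:  ", can_create_subdir(TOMCAT, HOSTPATH_DEFAULT))  # False
    print("with fsGroup applied: ", can_create_subdir(TOMCAT, apply_fsgroup(HOSTPATH_DEFAULT, 1001)))  # True
    print("after init chown 1001:", can_create_subdir(TOMCAT, chown(HOSTPATH_DEFAULT, 1001, 1001)))  # True
```

The first case reproduces the "permission denied" in the question; the second shows what fsGroup would have done on a volume type that supports ownership management.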