I’m trying to run a Tomcat container in K8S as a non-root user. To do so I set the user ‘tomcat’, with the appropriate permissions, in the Docker image. I have a startup script that creates a directory under /opt/var/logs (during container startup) and also starts the Tomcat service.
```dockerfile
# steps in Dockerfile
# add the tomcat user and group and give them permission to the /opt directory
RUN addgroup tomcat -g 1001 && \
    adduser -D -u 1001 -G tomcat tomcat && \
    chown -R tomcat:tomcat /opt
# switch user
USER tomcat
```
The pod runs fine in K8S when deployed using a Deployment without any volume mapped.
But I get a permission denied error (permission denied: creating directory /opt/var/logs/docker/) from the startup script, which fails to create the directory when I map the Deployment to the persistent volume claim, even though I set fsGroup as explained here: Configure a Security Context for a Pod or Container | Kubernetes.
I have a persistent volume of type hostPath.
The deployment definition is as below.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ms-tomcat
  namespace: ms-ns
  labels:
    app: tomcat
spec:
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      securityContext:
        fsGroup: 1001
        runAsUser: 1001
        runAsGroup: 1001
      containers:
        - name: tomcat
          image: docker-registry.test.com/tomcat:1.2
          volumeMounts:
            - name: logging-volume
              mountPath: /opt/var/logs/docker
      imagePullSecrets:
        - name: test
      volumes:
        - name: logging-volume
          persistentVolumeClaim:
            claimName: nonroot-test-pvc
```
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nonroot-test-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
  storageClassName: local-node-sc
  volumeName: nonroot-test-pv
```
The only solution I have found so far is to run an init container as root and grant the permission on the directory from the mapped volume, but I have more than 100 services on K8S and adding init containers would slow everything down.
```yaml
initContainers:
  - name: volume-mount-hack
    image: busybox
    command: ["sh", "-c", "chown -R 501:501 /opt"]
    volumeMounts:
      - name: logging-volume
        mountPath: /opt/var/logs/docker
```
I also tried setting a mount option in the storage class as well as in the persistent volume, but it did not help: ibm cloud - Kubernetes Persistent Volume Claim mounted with wrong gid - Stack Overflow.
Any help or suggestion is really appreciated.
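The "permission denied" above is decided by the ordinary Unix directory check: `mkdir` inside the mount needs write and search permission on the mounted directory through the owner bits (if the process uid owns it), the group bits (if its gid or one of its supplementary groups matches) or the other bits. The kubelet's `fsGroup` setting only helps when the volume plugin actually rewrote the mount's group ownership, so the quickest diagnosis is to compare `id` and `stat` output from inside the container. The script below is an added example and is not part of the original post or of any Kubernetes or Tomcat tooling; the function names `can_mkdir_in`, `in_list`, `inspect_mount` and `demo` are mine, the sample numbers are constructed, and `stat -c` assumes GNU or busybox `stat` as found in typical container images.

```shell
#!/bin/sh
# Predict whether a process may create an entry in a directory, given the process
# uid, gid and comma-separated supplementary groups and the directory's owner uid,
# owner gid and octal mode. Mirrors the DAC check mkdir is subject to in the container.

# in_list NEEDLE "a,b,c": true when NEEDLE is one of the comma-separated values
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# can_mkdir_in UID GID SUPP_GROUPS OWNER_UID OWNER_GID MODE -> prints "allowed" or "denied"
can_mkdir_in() {
    uid=$1; gid=$2; supp=$3; owner=$4; group=$5; mode=$6
    # keep the low three octal digits (drop setuid/setgid/sticky if present)
    perm=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    if [ "$uid" = "0" ]; then
        # uid 0 with CAP_DAC_OVERRIDE bypasses the mode bits entirely
        echo allowed
        return 0
    fi
    if [ "$uid" = "$owner" ]; then
        bits=$(printf '%s' "$perm" | cut -c1)          # owner class
    elif [ "$gid" = "$group" ] || in_list "$group" "$supp"; then
        bits=$(printf '%s' "$perm" | cut -c2)          # group class
    else
        bits=$(printf '%s' "$perm" | cut -c3)          # other class
    fi
    # creating an entry needs write (2) and search (1) on the directory: 3 or 7
    case "$bits" in
        3|7) echo allowed ;;
        *)   echo denied ;;
    esac
}

# inspect_mount DIR: run inside the container to feed the live numbers into the check
# (id -G and stat -c are GNU/busybox syntax, assumed here)
inspect_mount() {
    dir=$1
    set -- "$(id -u)" "$(id -g)" "$(id -G | tr ' ' ',')" $(stat -c '%u %g %a' "$dir")
    printf 'uid=%s gid=%s groups=%s owner=%s group=%s mode=%s -> %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$(can_mkdir_in "$1" "$2" "$3" "$4" "$5" "$6")"
}

# Constructed sample: tomcat (uid/gid 1001, fsGroup 1001) against a mount the host
# created as root:root 0755, then against one whose group was changed to 1001 with 0775.
demo() {
    can_mkdir_in 1001 1001 1001 0 0 755     # prints "denied"
    can_mkdir_in 1001 1001 1001 0 1001 775  # prints "allowed"
}

[ "${1:-}" = "demo" ] && demo
```

Run `sh thisfile.sh demo` for the constructed cases, or copy the functions into a shell on the pod (`kubectl exec -it <pod> -- sh`) and call `inspect_mount /opt/var/logs/docker`: if the mount still reports owner 0, group 0 and mode 755 while the process is uid 1001, the group ownership was never changed by `fsGroup`, and the startup script's `mkdir` will be refused regardless of the Dockerfile's `chown`, because that `chown` only touched the image layer that the mount now hides.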