Kubernetes permission denied for mounted NFS volume


The following are the k8s definitions used:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pv-provisioning-demo
  labels:
    demo: nfs-pv-provisioning
spec:
  accessModes: [ "ReadWriteOnce" ]
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: ReplicationController
metadata:
  name: nfs-server
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  replicas: 1
  selector:
    role: nfs-server
  template:
    metadata:
      labels:
        role: nfs-server
    spec:
      containers:
      - name: nfs-server
        image: k8s.gcr.io/volume-nfs:0.8
        ports:
          - name: nfs
            containerPort: 2049
          - name: mountd
            containerPort: 20048
          - name: rpcbind
            containerPort: 111
        securityContext:
          privileged: true
        volumeMounts:
          - mountPath: /exports
            name: mypvc
      volumes:
        - name: mypvc
          persistentVolumeClaim:
            claimName: nfs-pv-provisioning-demo
---
kind: Service
apiVersion: v1
metadata:
  name: nfs-server
spec:
  ports:
    - name: nfs
      port: 2049
    - name: mountd
      port: 20048
    - name: rpcbind
      port: 111
  selector:
    role: nfs-server
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfs
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    # FIXME: use the right IP
    server: nfs-server
    path: "/"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ""
  resources:
    requests:
      storage: 1Gi
---
# This mounts the nfs volume claim into /mnt and continuously
# overwrites /mnt/index.html with the time and hostname of the pod.

apiVersion: v1
kind: ReplicationController
metadata:
  name: nfs-busybox
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  replicas: 2
  selector:
    name: nfs-busybox
  template:
    metadata:
      labels:
        name: nfs-busybox
    spec:
      containers:
      - image: busybox
        command:
          - sh
          - -c
          - 'while true; do date > /mnt/index.html; hostname >> /mnt/index.html; sleep $(($RANDOM % 5 + 5)); done'
        imagePullPolicy: IfNotPresent
        name: busybox
        volumeMounts:
          # name must match the volume name below
          - name: nfs
            mountPath: "/mnt"
      volumes:
      - name: nfs
        persistentVolumeClaim:
          claimName: nfs
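
Now the /mnt directory in nfs-busybox should have 2000 as its gid (as per ). But it still has root and root as user and group. Since the application runs as 1000/2000, it cannot create any logs or data in the /mnt directory.

chmod might solve the issue, but it looks like a workaround. Is there any permanent solution for this?

Observation: if I replace nfs with some other PVC, it works fine, as mentioned in .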

Have you tried this approach? It fixes the permissions on the exported directory:

initContainers:
    - name: volume-mount-hack
      image: busybox
      command: ["sh", "-c", "chmod -R 777 /exports"]
      volumeMounts:
      - name: nfs
        mountPath: /exports 
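
If you are using a standalone NFS server on a Linux box, I suggest using the no_root_squash option:

/exports *(rw,no_root_squash,no_subtree_check)

To manage the directory permissions on the nfs-server, you need to change the security context and raise it to privileged mode: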

apiVersion: v1
kind: Pod
metadata:
  name: nfs-server
  labels:
    role: nfs-server
spec:
  containers:
    - name: nfs-server
      image: nfs-server
      ports:
        - name: nfs
          containerPort: 2049
      securityContext:
        privileged: true

You could first add an init container that runs chmod.

Sorry, this is a comment (about ReplicationController being obsolete), not an answer.

Does chmod really solve the problem?
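
A narrower alternative to the chmod -R 777 /exports init-container command shown in the answer, as an added example that is not part of the original question or answers: it hands the export tree to a single group with the setgid bit set, then checks that nothing is left world-writable. The function names are hypothetical, GID 2000 is the fsGroup from the manifests on this page, and the script is assumed to run as root against the export directory.

```shell
#!/bin/sh
# Added example: group-scoped replacement for `chmod -R 777 /exports`.
# Function names are hypothetical; 2000 is the fsGroup used on this page.

# Hand the tree to one group. Directories get 2770 (setgid, so new files
# inherit the group) and files get 0660; "other" is left with no access.
restrict_export() {
    dir=$1
    gid=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chgrp -R "$gid" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod 0660 {} + || return 1
}

# List entries that are still world-writable; return 1 if any are found.
audit_world_writable() {
    found=$(find "$1" ! -type l -perm -0002 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# With arguments it acts on them, e.g. as the init container command:
#   sh fix-export.sh /exports 2000   (script name is a placeholder)
if [ -n "${1:-}" ]; then
    restrict_export "$1" "${2:-2000}" && audit_world_writable "$1"
fi
```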