如何在Kubernetes中将容器卷(非root用户)挂载到host上的root用户？

Question

当我尝试将应用程序日志卷从容器装载到主机时，收到错误:不允许操作

spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  initContainers:
  - name: volume-mount-permission
    image: xx.xx.xx.xx/orchestration/credit-card
    command:
    - sh
    - -c
    - chown -R 1000:1000 /opt/payara/appserver/glassfish/logs/credit-card
    - chgrp 1000 /opt/payara/appserver/glassfish/logs/credit-card
    volumeMounts:
    - name: card-corp-logs
      mountPath: /opt/payara/appserver/glassfish/logs/credit-card
      readOnly: false

  containers:
  - name: credit-card
    image: xx.xx.xx.xx/orchestration/credit-card
    imagePullPolicy: Always
    securityContext:
      privileged: true
      runAsUser: 1000
    ports:
    - name: credit-card
      containerPort: 8080
    readinessProbe:
      httpGet:
         path: /
         port: 8080
      initialDelaySeconds: 10
      periodSeconds: 5
      successThreshold: 1
    volumeMounts:
    - name: override-setting-storage
      mountPath: /p/config
    - name: credit-card-teamsite
      mountPath: /var/credit-card/teamsite/card_corp

容器路径- /opt/payara/appserver/glassfish/logs/credit-card到hostPath

有没有人可以帮我解决我在部署yml文件中的错误。

Answer 1

  securityContext:
    runAsUser: 1000
    runAsGroup: 3000

表示您无法使用chown 1000:1000，因为该用户不是组 1000的成员

您可能希望以runAsUser: 0身份运行该initContainer:，以便允许它执行任意chown操作

您还截断了本应指定由volumeMounts:挂载的volumes:的YAML --您尝试挂载的卷类型有可能是不能修改的--不管您的readOnly: false声明如何。ConfigMap、Secret、even和其他一堆应用程序接口也不会响应突变请求，即使是root。