I am trying to create a dynamic Azure disk volume to use in a pod that has specific permission requirements. The container runs under user id 472, so I need to find a way to mount the volume with rw permissions for (at least) that user.

Using the following StorageClass definition
apiVersion: storage.k8s.io/v1
kind: StorageClass
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Delete
volumeBindingMode: Immediate
metadata:
  name: foo-storage
mountOptions:
  - rw
parameters:
  cachingmode: None
  kind: Managed
  storageaccounttype: Standard_LRS
and this PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: foo-storage
  namespace: foo
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: foo-storage
  resources:
    requests:
      storage: 1Gi
I can run the following in a pod:
containers:
  - image: ubuntu
    name: foo
    imagePullPolicy: IfNotPresent
    command:
      - ls
      - -l
      - /var/lib/foo
    volumeMounts:
      - name: foo-persistent-storage
        mountPath: /var/lib/foo
volumes:
  - name: foo-persistent-storage
    persistentVolumeClaim:
      claimName: foo-storage
The pod mounts and starts correctly, but kubectl logs <the-pod> shows
total 24
drwxr-xr-x 3 root root 4096 Nov 23 11:42 .
drwxr-xr-x 1 root root 4096 Nov 13 12:32 ..
drwx------ 2 root root 16384 Nov 23 11:42 lost+found
i.e. the mounted directory is owned by root and read-only for all other users.

I have tried adding a mountOptions section to the StorageClass, but whatever I try (uid=472, user=472, etc.) I get a mount error at startup, e.g.
mounting arguments: --description=Kubernetes transient mount for /var/lib/kubelet/plugins/kubernetes.io/azure-disk/mounts/m1019941199 --scope -- mount -t ext4 -o group=472,rw,user=472,defaults /dev/disk/azure/scsi1/lun0 /var/lib/kubelet/plugins/kubernetes.io/azure-disk/mounts/m1019941199
Output: Running scope as unit run-r7165038756bf43e49db934e8968cca8b.scope.
mount: wrong fs type, bad option, bad superblock on /dev/sdc,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so.
I also tried to get some information from man mount, but I didn't find anything that works.

How do I configure this storage class, persistent volume claim and volume mount so that the non-root user running the container process can write (and create subdirectories) in the mount path?

You need to define the securityContext of the pod spec like below so that it matches the user and group ids the pod is now running with:
securityContext:
  runAsUser: 472
  fsGroup: 472
The stable Grafana Helm chart does the same. See securityContext under Configuration here: https://github.com/helm/charts/tree/master/stable/grafana#configuration