• How to set filesystem permissions on Volumes for non-root containers

    3 min read

    kubernetes fsGroup Volume

    As a best practice we should try to run containers with the minimum privileges they require. If we want to run a container as a non-root user we need to specify that user with securityContext.runAsUser (unless the container image already runs as a non-privileged user).

    Once we do so, we might get a Permission denied error when the container tries to access a Volume.

    18/02/2022

  • fsGroupChangePolicy for Kubernetes Volumes

    2 min read

    kubernetes fsGroup Volume fsGroupChangePolicy

    When running a pod as a non-root user, you must specify an fsGroup in the securityContext section so that the volume is readable and writable by the Pod.

    01/02/2022

  • Expose Pod information using a volume

    2 min read

    kubernetes pod data volume fieldPath

    We can choose to expose some of the Pod's information as volumes or environment variables using DownwardAPIVolumeFile. It can expose both Pod fields and Container fields.

    05/01/2022

  • Kubernetes Pod: Share a temporary Volume across containers

    2 min read

    kubernetes volume pod

    If we need to share some data across containers (one generates the data and the other one consumes it) we can use an emptyDir to create a Volume and mount it on both containers.

    30/06/2021

  • How Kubernetes hides away the volumeMounts complexity

    4 min read

    volumeMounts overlay kubernetes

    If we try to compare volumeMounts with the actual mounts we see inside a pod using, for example, df, the result can be quite confusing because of the overlay filesystem.

    Let's consider the volumeMounts section of a deployment:

    $ kubectl get deploy pet2cattle -o yaml
    (...)
              volumeMounts:
              - mountPath: /opt/pet2cattle/conf
                name: config
              - mountPath: /opt/pet2cattle/data
                name: pet2cattle
                subPath: data
              - mountPath: /opt/pet2cattle/lib
                name: pet2cattle
                subPath: lib
              - mountPath: /tmp
                name: tmp-dir
    (...)
    

    And compare it with the filesystem we see on the pod:

    $ kubectl exec pet2cattle-8475d6697-jbmsm -- df -hP
    Filesystem      Size  Used Avail Use% Mounted on
    overlay         100G  9.7G   91G  10% /
    tmpfs            64M     0   64M   0% /dev
    tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
    /dev/xvda1      100G  9.7G   91G  10% /tmp
    shm              64M     0   64M   0% /dev/shm
    /dev/xvdcu       20G  2.5G   18G  13% /opt/pet2cattle/lib
    tmpfs           3.9G   12K  3.9G   1% /run/secrets/kubernetes.io/serviceaccount
    tmpfs           3.9G     0  3.9G   0% /proc/acpi
    tmpfs           3.9G     0  3.9G   0% /proc/scsi
    tmpfs           3.9G     0  3.9G   0% /sys/firmware
    

    13/04/2021


From pet to cattle
Treat your kubernetes clusters like cattle, not pets