fsGroupChangePolicy for Kubernetes Volumes

2 min read | by Jordi Prats

When running a pod as a non-root user, you must specify a fsGroup in the securityContext section so that the volume can be readable and writable by the Pod.

To make this true, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume. This can be a quite expensive operation (time wise and cost wise). It's can be a major concern if the Volume contains lots of small files.

This operation will prevent the Pod from starting up for what can be a very long time. This is something that will be, for sure, improved by Kubernetes in the future but we can help reduce it's impact by using the fsGroupChangePolicy option.

If we set fsGroupChangePolicy to OnRootMismatch it will only check the root volume, if it already has the permissions set it will skip checking all the other files.

We can take into account that when Kubernetes needs to perform the permission change operation it makes sure the root volume change is applied last so this should prevent half-applied operations to be considered to as applied.

The securityContext with the fsGroupChangePolicy option would look like this:

  runAsUser: 1000
  runAsGroup: 2000
  fsGroup: 3000
  fsGroupChangePolicy: "OnRootMismatch"

Posted on 01/02/2022