I'm setting up a small Kubernetes cluster that will use an existing NFS server with data owned by different users. My goal is to allow access to the NFS server from inside the Kubernetes pods as well as from servers outside the cluster. Essentially, I want users to be able to mount an NFS volume in a pod, read and write to it, and then have access from another server outside the cluster later on.
I'm really struggling with permissions since the UIDs on the NFS server don't match those in the pods. Initially, I tried using Docker images with a predefined non-root user, but that resulted in all the NFS data being owned by that same user, which doesn't map to any UID on the system. I could create a user on the hosts for it, but that just complicates access control even more because all the data is seen as owned by one entity, even though it originates from different users.
I also looked into Kubernetes security contexts and tried changing the runAsUser for different pods, but this caused permission denied errors for most directories in the images. What options do I have to make this work? Is it even feasible? Thanks!
2 Answers
Absolutely, you can achieve access to NFS files both from K8S pods and other servers. However, dealing with permissions can be tricky. Instead of focusing on individual user UIDs, consider using group IDs that are consistent across your setup. Ensure that your group permissions allow for the necessary access, but keep in mind that this can become fragile.
Also, what exactly are you trying to achieve with this setup? Typically, application pods have specific data formats, and allowing random users to mount NFS could create chaos. If your NFS holds regular files, what kind of pods are using that data? A data pipeline should probably limit manual manipulation. To tailor advice better, sharing your specific use case would help!
Thanks for the response! My use case is more straightforward. I'm creating development workspaces. I want users to provision their own pods in the cluster and access them through their IDEs. They need the flexibility to manipulate their files, whether they are datasets or other resources, as long as they have the necessary permissions.
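An added example, not part of the question or either reply, showing how the "consistent group IDs" approach from the answer looks as a Pod manifest for one user's development workspace. The NFS server name, export path, image name, UID 1001 and GID 5000 are all placeholders; the one real assumption that matters is that the same UID/GID pairs exist on the NFS server and on any outside hosts that will mount the export later.

```yaml
# Added example (not from the original thread): a dev-workspace pod that
# mounts an existing NFS export and gets access through a shared project GID.
# Placeholder values: nfs.example.internal, /exports/workspaces, UID 1001,
# GID 5000 and the image name; the UID/GID must match what the NFS server uses.
apiVersion: v1
kind: Pod
metadata:
  name: dev-workspace-alice
spec:
  securityContext:
    runAsUser: 1001             # the user's UID exactly as it exists on the NFS server
    runAsGroup: 5000            # primary GID: new files land in the shared project group
    supplementalGroups: [5000]  # extra GIDs granted to the process; NFS checks group bits as-is
    runAsNonRoot: true
    # fsGroup is deliberately omitted: Kubernetes does not change ownership on
    # NFS volumes, so setting it would silently do nothing here.
  containers:
  - name: workspace
    image: example.internal/dev-workspace:latest   # placeholder image
    command: ["sleep", "infinity"]
    volumeMounts:
    - name: workspaces
      mountPath: /home/alice/work
      subPath: alice            # one sub-directory per user under the export
    securityContext:
      allowPrivilegeEscalation: false
  volumes:
  - name: workspaces
    nfs:
      server: nfs.example.internal
      path: /exports/workspaces
      readOnly: false
```

Two checks worth running before relying on this: inside the pod, `id` should report uid=1001 and the supplementary group 5000, and `stat` on the mounted directory should show group 5000 with the group write bit set; if either is off, the server-side ownership or the manifest GIDs disagree. The "permission denied on most directories in the image" symptom from the question comes from image files being owned by root or the build-time user, not from NFS; the usual fix is to make the paths the process needs group-owned and group-writable at image build time (for example `chgrp -R 0 /app && chmod -R g=u /app`) so any runAsUser that carries that group still works. Keep the export's default root_squash so a container that does run as root cannot act as root on the share.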
