SecurityContext problem
erdembas opened this issue · 7 comments
Describe the bug
I am using version 1.2.0 of this csi driver. When any disk is added, it creates the "mount" folder in this disk by giving "root" user privilege. When we use this disk in a pod running with a non-root user, a "Permission denied" error is received. How can I solve this problem?
This is pod ss. This pod securityContext user : 1000
Reproduction steps
I installed the contents with the manifests and got the attached errors.
Expected behavior
""
Additional context
No response
I solved this problem. Added CSIDriver spec fsGroupPolicy: File
```yaml
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: named-disk.csi.cloud-director.vmware.com
spec:
  attachRequired: true
  podInfoOnMount: false
  fsGroupPolicy: File
```
Yes, this solves the problem, but it creates another one. When two pods need to access the same PVC and they are not scheduled on the same node, one of the nodes fails to mount the volume:
```
Warning FailedMount 13s kubelet MountVolume.MountDevice failed for volume "pvc-db604a6a-5241-494c-a934-94f7d9077010" : rpc error: code = Internal desc = unable to format and mount device [/dev/sdc] at path [/var/lib/kubelet/plugins/kubernetes.io/csi/pv/pvc-db604a6a-5241-494c-a934-94f7d9077010/globalmount] with fs [[rw]] and flags [mount failed: exit status 32 mounting arguments: -t ext4 -o rw,defaults /dev/sdc /var/lib/kubelet/plugins/kubernetes.io/csi/pv/pvc-db604a6a-5241-494c-a934-94f7d9077010/globalmount output: mount: /var/lib/kubelet/plugins/kubernetes.io/csi/pv/pvc-db604a6a-5241-494c-a934-94f7d9077010/globalmount: mount(2) system call failed: Structure needs cleaning.
]: [%!!(MISSING)!(MISSING)v(MISSING)]
```
@Lorislombardi resolved?
@Lorislombardi have you used `ReadWriteMany` as the access mode? We create a shared disk and allow mounts to multiple VMs only in the `ReadWriteMany` case.
Hello @autokilla47 @arunmk
After reconfiguring the csidriver with `fsGroupPolicy: ReadWriteOnceWithFSType`, VMware support provides the following fix:

```
kubectl apply -f https://gist.githubusercontent.com/arunmk/f0c06b261e1181baf2d17ade1bbcfa4f/raw/051297d21e32eae4748a129d56e183105caa4d84/gistfile1.txt
```
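
Added example, not part of the thread and not the project's own manifest: the pod-side half of the `fsGroupPolicy` settings discussed above. The kubelet only changes volume ownership when the pod sets `securityContext.fsGroup`, so a pod running as UID 1000 needs it alongside the CSIDriver setting. The resource names and the storage class value are hypothetical placeholders.

```yaml
# Constructed example. data-pvc, fsgroup-demo and the storage class value are
# hypothetical; replace the storage class with one backed by this CSI driver.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-pvc
spec:
  accessModes:
    - ReadWriteOnce              # single-node access, as in the original report
  storageClassName: "REPLACE_WITH_STORAGE_CLASS"
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-demo
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000              # the non-root UID from the issue
    runAsGroup: 1000
    fsGroup: 1000                # kubelet sets group ownership of the volume to
                                 # this GID when the driver's fsGroupPolicy allows it
    fsGroupChangePolicy: OnRootMismatch   # skip the recursive chown if the root already matches
  containers:
    - name: app
      image: busybox:1.36
      # Prints the effective IDs and the mount root's numeric owner, then
      # proves write access; without fsGroup the touch fails on a root-owned mount.
      command: ["sh", "-c", "id && ls -ldn /data && touch /data/probe && sleep 3600"]
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: data-pvc
```

With `fsGroupPolicy: File` the ownership change is applied regardless of filesystem type or access mode; with `ReadWriteOnceWithFSType` it is applied only when the volume has a filesystem type defined and its access modes include `ReadWriteOnce`.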