问题描述
我正在EKS集群上运行theia代码编辑器,并且图像的默认用户是theia,在该用户上我授予了对/ home / project的读写权限。但是,当我在EFS上安装该卷/ home / project并尝试在/ home / project上进行读写时,它返回的权限被拒绝,我尝试使用initContainer进行操作,但仍然存在相同的问题:
apiVersion: apps/v1
kind: Deployment
metadata:
name: atouati
spec:
replicas: 1
selector:
matchLabels:
app: atouati
template:
metadata:
labels:
app: atouati
spec:
initContainers:
- name: take-data-dir-ownership
image: alpine:3
command:
- chown
- -R
- 1001:1001
- /home/project:cached
volumeMounts:
- name: project-volume
mountPath: /home/project:cached
containers:
- name: theia
image: 'xxxxxxx.dkr.ecr.eu-west-1.amazonaws.com/theia-code-editor:latest'
ports:
- containerPort: 3000
volumeMounts:
- name: project-volume
mountPath: "/home/project:cached"
volumes:
- name: project-volume
persistentVolumeClaim:
claimName: local-storage-pvc
---
apiVersion: v1
kind: Service
metadata:
name: atouati
spec:
type: ClusterIP
selector:
app: atouati
ports:
- protocol: TCP
port: 80
targetPort: 3000
当我在/ home / project上执行ls -l
drwxr-xr-x 2 theia theia 6 Aug 21 17:33 project
在efs目录中:
drwxr-xr-x 4 root root 6144 Aug 21 17:32
解决方法
您可以改为在Pod规范中设置securityContext
,以将Pod作为uid / gid 1001运行。
例如
apiVersion: apps/v1
kind: Deployment
metadata:
name: atouati
spec:
replicas: 1
selector:
matchLabels:
app: atouati
template:
metadata:
labels:
app: atouati
spec:
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
containers:
- name: theia
image: 'xxxxxxx.dkr.ecr.eu-west-1.amazonaws.com/theia-code-editor:latest'
ports:
- containerPort: 3000
volumeMounts:
- name: project-volume
mountPath: "/home/project:cached"
volumes:
- name: project-volume
persistentVolumeClaim:
claimName: local-storage-pvc
您是否kubectl exec
进入容器以根据表观所有权确认您需要使用的uid / gid?