• How to set filesystem permissions on Volumes for non-root containers

    3 min read

    kubernetes fsGroup Volume

    As a best practice we should try to run containers with the minimum privileges they require. If we want to run a container as a non-root user we need to specify that user with securityContext.runAsUser (unless the container image already runs as a non-privileged user).

    By doing so, when working with Volumes, we might get a Permission denied error when the container tries to read or write the volume, because the files on it are still owned by root.

    18/02/2022

    Read more...
  • fsGroupChangePolicy for Kubernetes Volumes

    2 min read

    kubernetes fsGroup Volume fsGroupChangePolicy

    When running a pod as a non-root user you usually also need to set fsGroup in the securityContext section so that the volume is readable and writable by the Pod's processes; fsGroupChangePolicy controls when the kubelet changes the ownership of the volume's contents to match it.

    01/02/2022

    Read more...
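    The two teasers above (running as non-root with runAsUser, and fixing volume access with fsGroup and fsGroupChangePolicy) in one added example that is not code from the pet2cattle posts: the first Pod is the failing configuration, the second the corrected one. The Pod names, the claim name demo-pvc, the busybox image and the UID/GID values are assumptions, and whether the first Pod actually fails depends on the initial ownership of the volume (a freshly provisioned block volume is typically root:root 0755, so it does).

```yaml
# Added example (not from the pet2cattle posts). Pod names, the PVC name
# "demo-pvc", the image and the UID/GID values are hypothetical.
#
# Document 1: the failing case. Only runAsUser is set, so the process runs
# as UID 1000 while the PersistentVolume is still owned by root:root with
# mode 0755: "touch /data/probe" fails with "Permission denied".
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-volume-broken
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
  containers:
  - name: app
    image: busybox:1.36
    command: ["sh", "-c", "id; ls -ld /data; touch /data/probe && echo writable; sleep 3600"]
    volumeMounts:
    - name: data
      mountPath: /data
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: demo-pvc
---
# Document 2: the corrected case. fsGroup makes the kubelet chown the
# volume's files to GID 2000 and set the setgid bit on its directories, and
# adds GID 2000 to the process's supplementary groups, so UID 1000 can read
# and write. fsGroupChangePolicy: OnRootMismatch skips the recursive chown
# on every start when the volume root already has the expected owner and
# permissions (saves a lot of time on volumes with many files); the default,
# Always, re-chowns the whole volume each time the pod starts.
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-volume-fixed
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    runAsNonRoot: true
    fsGroup: 2000
    fsGroupChangePolicy: "OnRootMismatch"
  containers:
  - name: app
    image: busybox:1.36
    command: ["sh", "-c", "id; ls -ld /data; touch /data/probe && echo writable; sleep 3600"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: data
      mountPath: /data
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: demo-pvc
```

    Two caveats worth keeping in mind: fsGroup and fsGroupChangePolicy exist only at the pod level, not per container, and they are applied only to volume types that support ownership management (a CSI driver declares this with fsGroupPolicy in its CSIDriver object); hostPath and NFS-style volumes are left untouched, so there the permissions have to be fixed on the backing storage. fsGroupChangePolicy has no effect on ephemeral volumes such as secret, configMap and emptyDir, which are always set up with the full ownership change.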
  • Expose Pod information using a volume

    2 min read

    kubernetes pod data volume fieldPath

    We can expose some of the Pod's information as files in a volume (or as environment variables) using the Downward API. Each DownwardAPIVolumeFile can expose either a Pod field (via fieldRef) or a Container resource field (via resourceFieldRef).

    05/01/2022

    Read more...
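    A Pod that mounts both kinds of field through a downwardAPI volume, as an added example that is not code from the post. The Pod name, labels, annotations, the busybox image, the mount path /etc/podinfo and the resource values are assumptions.

```yaml
# Added example (not from the pet2cattle post). Name, labels, annotations,
# image, mount path and resource values are hypothetical.
apiVersion: v1
kind: Pod
metadata:
  name: downward-demo
  labels:
    app: pet2cattle
    tier: backend
  annotations:
    build: "1234"
spec:
  containers:
  - name: app
    image: busybox:1.36
    # The files are refreshed by the kubelet when labels/annotations change,
    # without restarting the container; cpu_limit and mem_request are plain
    # integers because of the divisor below (e.g. "500" and "64").
    command: ["sh", "-c", "ls -l /etc/podinfo; cat /etc/podinfo/labels /etc/podinfo/cpu_limit; sleep 3600"]
    resources:
      requests:
        cpu: 100m
        memory: 64Mi
      limits:
        cpu: 500m
        memory: 128Mi
    volumeMounts:
    - name: podinfo
      mountPath: /etc/podinfo
      readOnly: true
  volumes:
  - name: podinfo
    downwardAPI:
      defaultMode: 0444          # world-readable, read-only files
      items:
      # Pod fields: metadata.name, metadata.namespace, metadata.uid,
      # metadata.labels and metadata.annotations are the ones a volume can expose.
      - path: labels
        fieldRef:
          fieldPath: metadata.labels
      - path: annotations
        fieldRef:
          fieldPath: metadata.annotations
      - path: namespace
        fieldRef:
          fieldPath: metadata.namespace
      # Container fields: in a volume, containerName is required because the
      # volume is not tied to a single container.
      - path: cpu_limit
        resourceFieldRef:
          containerName: app
          resource: limits.cpu
          divisor: 1m
      - path: mem_request
        resourceFieldRef:
          containerName: app
          resource: requests.memory
          divisor: 1Mi
```

    Note that the volume form only exposes metadata fields; values such as status.podIP, status.hostIP or spec.nodeName are only available as environment variables. Since labels and annotations are routinely written by controllers and by anyone with update rights on the Pod, an application reading these files should treat them as untrusted input rather than as configuration it controls.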
  • Kubernetes Pod: Share a temporary Volume across containers

    2 min read

    kubernetes volume pod

    If we need to share data between the containers of a Pod (one generates the data and the other one consumes it) we can use an emptyDir to create a Volume and mount it on both containers.

    30/06/2021

    Read more...
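    The producer/consumer setup described above, as an added example that is not code from the post: two containers share an emptyDir, the producer appends to a file and the consumer tails it through a read-only mount. The Pod name, the busybox image, the file name feed.log, the mount path /shared and the medium/sizeLimit values are assumptions.

```yaml
# Added example (not from the pet2cattle post). Pod name, image, mount path,
# file name and size values are hypothetical.
apiVersion: v1
kind: Pod
metadata:
  name: shared-emptydir-demo
spec:
  # Both containers run as the same non-root UID/GID; fsGroup also makes the
  # emptyDir group-owned by 1000 so neither side needs root to use it.
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    runAsNonRoot: true
  containers:
  - name: producer
    image: busybox:1.36
    command: ["sh", "-c", "i=0; while true; do echo \"$(date) tick $i\" >> /shared/feed.log; i=$((i+1)); sleep 5; done"]
    volumeMounts:
    - name: scratch
      mountPath: /shared
  - name: consumer
    image: busybox:1.36
    # Wait for the producer to create the file, then follow it.
    command: ["sh", "-c", "while [ ! -f /shared/feed.log ]; do sleep 1; done; tail -f /shared/feed.log"]
    volumeMounts:
    - name: scratch
      mountPath: /shared
      readOnly: true          # the consumer can read but never modify the data
  volumes:
  - name: scratch
    emptyDir:
      medium: Memory          # tmpfs: the data never touches the node's disk
      sizeLimit: 64Mi         # the kubelet evicts the pod if this is exceeded
```

    The volume is created when the Pod is scheduled and deleted when the Pod is removed from the node, so it survives container restarts but not a reschedule. With medium: Memory the contents count against the containers' memory limits, which is why sizeLimit is worth setting; with the default medium the data lives on the node's disk under the kubelet directory, where anyone with node access can read it.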
  • How kubernetes hides away the volumeMounts complexity

    4 min read

    volumeMounts overlay kubernetes

    If we try to compare the volumeMounts with the mounts we actually see inside a pod using, for example, df, the result can be quite confusing: the container's root filesystem is an overlay, and df prints only one line per device, so bind mounts that share a block device (the two subPath mounts of the same PersistentVolume, for example) collapse into a single entry. Reading /proc/self/mounts or running findmnt inside the container lists every mount.

    Let's consider the volumeMounts section of a deploy:

    $ kubectl get deploy pet2cattle -o yaml
    (...)
            volumeMounts:
            - mountPath: /opt/pet2cattle/conf
              name: config
            - mountPath: /opt/pet2cattle/data
              name: pet2cattle
              subPath: data
            - mountPath: /opt/pet2cattle/lib
              name: pet2cattle
              subPath: lib
            - mountPath: /tmp
              name: tmp-dir
    (...)

    And compare it with the filesystem we see on the pod:

    $ kubectl exec pet2cattle-8475d6697-jbmsm -- df -hP
    Filesystem      Size  Used Avail Use% Mounted on
    overlay         100G  9.7G   91G  10% /
    tmpfs            64M     0   64M   0% /dev
    tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
    /dev/xvda1      100G  9.7G   91G  10% /tmp
    shm              64M     0   64M   0% /dev/shm
    /dev/xvdcu       20G  2.5G   18G  13% /opt/pet2cattle/lib
    tmpfs           3.9G   12K  3.9G   1% /run/secrets/kubernetes.io/serviceaccount
    tmpfs           3.9G     0  3.9G   0% /proc/acpi
    tmpfs           3.9G     0  3.9G   0% /proc/scsi
    tmpfs           3.9G     0  3.9G   0% /sys/firmware

    13/04/2021

    Read more...

From pet to cattle
Treat your kubernetes clusters like cattle, not pets