IBM Cloud Docs
Why does my File Storage for VPC deployment fail due to a permissions error?

Your app that uses File Storage for VPC fails with a permissions error.

You created your own storage class to use with an existing file share, but did not specify the correct uid and gid. When a process runs on Unix and Linux, the operating system identifies a user with a user ID (UID) and group with a group ID (GID). These IDs determine which system resources a user or group can access. For example, if the file storage user ID is 12345 and its group ID is 6789, then the mount on the host node and in the container must have those same IDs. The container’s main process must match one or both of those IDs to access the file share.

You can resolve the issue in one of the following ways.

  • If you need your app to run as non-root, create your own storage class with the correct uid and gid that your app needs.

  • If you want to run your app as the root user, edit your deployment to use fsGroup: 0.
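The following model, added here as an example and not part of the IBM documentation, shows why the two fixes above work: it reproduces the owner/group/other decision a Unix file system makes for the share and applies fsGroup the way Kubernetes does, as an extra supplementary group. The share mode (0770), the app's IDs (1000:1000) and the omission of NFS root squashing are assumptions of the example.

```python
"""Model of the uid/gid match a File Storage for VPC mount requires.

Added example, not IBM code.  The share root is modelled as a Unix directory
owned by the storage-class uid:gid (mode 0770 is an assumption) and fsGroup is
applied the way Kubernetes does it: as an extra supplementary group of every
container process.  Only the uid/gid match is modelled; NFS root squashing
and capability-based bypasses are left out."""
from dataclasses import dataclass
from typing import Optional
import stat


@dataclass(frozen=True)
class Share:
    uid: int            # storage-class parameter "uid" (owner of the share)
    gid: int            # storage-class parameter "gid" (owning group)
    mode: int = 0o770   # assumed permissions on the share root


@dataclass(frozen=True)
class Process:
    uid: int                            # runAsUser of the container process
    gid: int                            # runAsGroup (primary group)
    groups: frozenset = frozenset()     # supplementary groups


def with_fs_group(proc: Process, fs_group: Optional[int]) -> Process:
    """securityContext.fsGroup adds one supplementary group to the process."""
    if fs_group is None:
        return proc
    return Process(proc.uid, proc.gid, proc.groups | {fs_group})


def write_grant(share: Share, proc: Process, fs_group: Optional[int] = None) -> str:
    """Return which rule lets the process write the share: 'owner', 'group',
    'fsGroup', 'other' or 'denied'.  Owner is checked first, then group, then
    other, which is the order the kernel uses."""
    eff = with_fs_group(proc, fs_group)
    if eff.uid == share.uid:
        return "owner" if share.mode & stat.S_IWUSR else "denied"
    if share.gid == eff.gid or share.gid in eff.groups:
        if not share.mode & stat.S_IWGRP:
            return "denied"
        via_fs_group = (share.gid == fs_group and share.gid != proc.gid
                        and share.gid not in proc.groups)
        return "fsGroup" if via_fs_group else "group"
    return "other" if share.mode & stat.S_IWOTH else "denied"


if __name__ == "__main__":
    share = Share(uid=1234, gid=5678)       # the page's example storage class
    app = Process(uid=1000, gid=1000)       # constructed non-root app
    print(write_grant(share, app))          # denied: neither ID matches
    print(write_grant(share, app, 5678))    # fsGroup: group match via fsGroup
    print(write_grant(share, Process(1234, 1000)))  # owner: uid matches
```

A share whose group bits do not allow writing (mode 0750, for example) cannot be fixed with fsGroup at all; only a matching uid helps there, which is the storage-class route.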

Create your own storage class and specify the uid and gid your app needs

If you want to use File Storage for VPC with static provisioning, you must reference the correct uid and gid.

  1. Create a storage class with the correct uid and gid that your app needs.

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: custom-storageclass
    provisioner: vpc.file.csi.ibm.io
    mountOptions:
      - hard
      - nfsvers=4.0
      - sec=sys
    parameters:
      profile: "custom-iops"    # The VPC storage profile used. /docs/vpc?topic=vpc-block-storage-profiles&interface=ui#tiers-beta
      iops: "400"               # Default IOPS. The user can override it from secrets.
      billingType: "hourly"     # Default billing policy. The user can override this default.
      encrypted: "false"        # By default, PVCs that use this class are provider-managed encrypted. The user can override this default.
      encryptionKey: ""         # If encrypted is "true", the user must specify the encryption key from the associated Key Protect (KP) instance.
      resourceGroup: ""         # Resource group to use. If empty, the one in storage-secret-store is used.
      zone: ""                  # If empty, the VPC storage driver selects a zone. The user can override this default.
      tags: ""                  # A list of tags "a, b, c" applied when the volume is created. The user can override this default.
      classVersion: "1"
      uid: "1234"               # The initial user identifier (owner) for the file share.
      gid: "5678"               # The initial group identifier (owning group) for the file share.
    reclaimPolicy: "Delete"
    allowVolumeExpansion: true
    
  2. Create the customized storage class in your cluster.

    oc apply -f custom-storageclass.yaml
    
  3. Verify that your storage class is available in the cluster.

    oc get sc
    

    Example output

    NAME                                          PROVISIONER
    ibmc-vpc-file-10iops-tier                     vpc.file.csi.ibm.io
    ibmc-vpc-file-3iops-tier                      vpc.file.csi.ibm.io
    ibmc-vpc-file-5iops-tier                      vpc.file.csi.ibm.io
    ibmc-vpc-file-retain-10iops-tier              vpc.file.csi.ibm.io
    ibmc-vpc-file-retain-3iops-tier               vpc.file.csi.ibm.io
    ibmc-vpc-file-retain-5iops-tier               vpc.file.csi.ibm.io
    ibmc-vpc-file-custom                          vpc.file.csi.ibm.io
    
  4. Add the file storage to your app.

Edit your app to run as root with fsGroup: 0

  1. Log in to your cluster.

  2. Identify the deployment in your cluster that you want to edit.

    kubectl get deployments
    
  3. Edit the deployment by adding fsGroup: 0 in the securityContext section of the pod template (spec.template.spec) of your deployment.

    kubectl get deployment -o yaml YOUR-DEPLOYMENT
    
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: <deployment_name>
      labels:
        app: <deployment_label>
    spec:
      selector:
        matchLabels:
          app: <app_name>
      template:
        metadata:
          labels:
            app: <app_name>
        spec:
          securityContext:        # pod-level securityContext; fsGroup is not valid directly under the Deployment spec
            fsGroup: 0
          containers:
          - image: <image_name>
            name: <container_name>
            volumeMounts:
            - name: <volume_name>
              mountPath: /<file_path>
          volumes:
          - name: <volume_name>
            persistentVolumeClaim:
              claimName: <pvc_name>
    
  4. Apply the changes to your deployment.