Why does my File Storage for VPC deployment fail due to a permissions error?
Virtual Private Cloud
Your app that uses File Storage for VPC fails with a permissions error.
You created a custom storage class to use with an existing file share, but did not specify the correct uid and gid. When a process runs on Unix and Linux, the operating system identifies a user with a user ID (UID) and
group with a group ID (GID). These IDs determine which system resources a user or group can access. For example, if the file storage user ID is 12345 and its group ID is 6789, then the mount on the host node and in the container must have those
same IDs. The container’s main process must match one or both of those IDs to access the file share.
You can resolve the issue in one of the following ways.
-
If you need your app to run as non-root, create a custom storage class with the correct
uidandgidthat your app needs. -
If you want to run your app as as root user, edit your deployment to use
fsGroup: 0.
Create custom storage class and specify the uid and gid your app needs
If you want to use File Storage for VPC with static provisioning your custom storage class must reference the correct uid and gid.
-
Create a new custom storage class with the correct
uidandgidthat your app needs.apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: custom-storageclas provisioner: vpc.file.csi.ibm.io mountOptions: - hard - nfsvers=4.0 - sec=sys parameters: profile: "custom-iops" # The VPC Storage profile used. /docs/vpc?topic=vpc-block-storage-profiles&interface=ui#tiers-beta iops: "400" # Default IOPS. User can override from secrets billingType: "hourly" # The default billing policy used. User can override this default encrypted: "false" # By default, all PVC using this class will only be provider managed encrypted. The user can override this default encryptionKey: "" # If encrypted is true, then a user must specify the encryption key used associated KP instance resourceGroup: "" # Use resource group if specified here. Otherwise, use the one mentioned in storage-secrete-store zone: "" # By default, the storage vpc driver will select a zone. The user can override this default tags: "" # A list of tags "a, b, c" that will be created when the volume is created. This can be overidden by user classVersion: "1" uid: "1234" # The initial user identifier for the file share. gid: "5678" # The initial group identifier for the file share. reclaimPolicy: "Delete" allowVolumeExpansion: true -
Create the customized storage class in your cluster.
oc apply -f custom-storageclass.yaml -
Verify that your storage class is available in the cluster.
oc get storageclassesExample output
NAME PROVISIONER ibmc-vpc-file-10iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-3iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-5iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-retain-10iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-retain-3iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-retain-5iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-custom vpc.file.csi.ibm.io
Edit your app to run as root with fsGroup: 0
-
Log in to your cluster.
-
Identify the deployment in your cluster that you want to edit.
kubectl get deployments -
Edit the deployment by adding
fsGroup: 0in thesecurityContextsection of your deployment.kubectl get deployment -o yaml YOUR-DEPLOYMENTapiVersion: apps/v1 kind: Deployment metadata: name: <deployment_name> labels: app: <deployment_label> spec: securityContext: fsGroup: 0 selector: matchLabels: app: <app_name> template: metadata: labels: app: <app_name> spec: containers: - image: <image_name> name: <container_name> volumeMounts: - name: <volume_name> mountPath: /<file_path> volumes: - name: <volume_name> persistentVolumeClaim: claimName: PVC-NAME -
Apply the changes to your deployment.