
If I have two groups that are not root users that will access a container's directory structure, is there a way to fine-tune permissions such that Group 1 has WRITE permissions on /DIR1, but Group 2 only has READ or even NO ACCESS permissions on /DIR1, assuming that /DIR1 is NOT A MOUNTED VOLUME?

Does the answer change if the directory IS a mounted volume?

I am unable to find an absolute answer online, but I think I might be touching on something called a security context, though I can't quite wrap my head around it, so I don't know if I am understanding it correctly, as the examples always show a root and a non-root user, but never two non-root users.

I have considered the following avenues:

  • RoleBindings, but I am unable to find how I can limit or tweak something like the existing Read-Only role to point to specific directories? It seems to read K8 resources.
  • I cannot completely remove all roles from Group 2 as they will have to access the pods at some point to troubleshoot. Maybe.
  • I know you can chmod / chown in the Dockerfile during the image build, but I'm not sure how this would tie into users that log in and a variety of groups that may need to access the same directory. Like, what if Group 1 and Group 3 need access? Can you chown 2 groups? Does it even work like that?
  • I'm not the down-voter, but a few tips (commenting since this isn't a programming question). First, users can belong to multiple groups. But at a higher level, what you are doing gets outside of the typical scope of a container (a tool to package, ship, and securely run a single application in an ephemeral environment). For a multi-user persistent environment, you typically want a VM. Commented Feb 26 at 22:03
  • A container normally only runs a single process, and the container's filesystem is hard to access from outside the container, so you often don't need to think too hard about this class of concern. Users don't "log in" to containers, especially in Kubernetes where you'll frequently have multiple copies of a container (Pod) that can be destroyed outside your immediate control. Commented Feb 27 at 11:43

1 Answer


In your Dockerfile, create groups/users and set strict permissions:

# Fixed UIDs/GIDs so the pod securityContext below can refer to them
# (user1/group1 = 1000, user2/group2 = 1001). /DIR1 is owned by user1:group1
# with mode 770: rwx for owner and group, no access for others. Comments
# cannot trail a "\" continuation line in a Dockerfile, so they sit up here.
RUN groupadd -g 1000 group1 && groupadd -g 1001 group2 && \
    useradd -u 1000 -g group1 user1 && useradd -u 1001 -g group2 user2 && \
    mkdir /DIR1 && \
    chown user1:group1 /DIR1 && \
    chmod 770 /DIR1

In the pod’s YAML, set the runtime identity:

securityContext:
  runAsUser: 1000
  runAsGroup: 1000

Use fsGroup to set the volume's group:

securityContext:
  fsGroup: 1000

Optionally, use an initContainer to fix permissions:

initContainers:
  - name: fix-permissions
    image: busybox
    command: ["sh", "-c", "chmod 770 /DIR1"]
    # Volume directories (emptyDir, most PVs) are root-owned when created and
    # only the owner may chmod them, so this one-off step has to run as root
    # even when the pod-level securityContext sets runAsUser for the app
    # containers; the container-level setting overrides the pod-level one.
    securityContext:
      runAsUser: 0
    volumeMounts:
      - name: my-volume
        mountPath: /DIR1
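The following is an added example (mine, not the answer author's) that puts the pieces above together for the mounted-volume case: one Pod, one emptyDir shared at /DIR1, and three non-root identities with different access to it. The numeric IDs 2001 (Group 1) and 2002 (Group 2) are assumptions, and busybox:1.36 is used for every container so the manifest can be applied as-is with kubectl apply -f and inspected with kubectl logs.

```yaml
# Added example, not the original answer's code. Assumed IDs: Group 1 = gid 2001,
# Group 2 = gid 2002. Numeric IDs are used everywhere so nothing depends on
# /etc/passwd or /etc/group inside the images.
apiVersion: v1
kind: Pod
metadata:
  name: dir1-permissions-demo
spec:
  # Pod-wide defaults. supplementalGroups and fsGroup would also be pod-wide,
  # so they are deliberately not used: they cannot grant a group to one
  # container while keeping another container out.
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  volumes:
    - name: dir1
      emptyDir: {}
  initContainers:
    # One-off ownership fix. emptyDir starts as root:root 0777 and only the
    # owner may chgrp/chmod it, so this step alone runs as root (container
    # settings override the pod-level runAsNonRoot). Mode 2770: rwx for owner
    # and group, nothing for others, setgid so new files inherit gid 2001.
    - name: fix-permissions
      image: busybox:1.36
      command: ["sh", "-c", "chgrp 2001 /DIR1 && chmod 2770 /DIR1"]
      securityContext:
        runAsUser: 0
        runAsNonRoot: false
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
          add: ["CHOWN", "FOWNER"]
      volumeMounts:
        - name: dir1
          mountPath: /DIR1
  containers:
    # Group 1: primary gid 2001 matches the directory group, so read and write.
    - name: writer
      image: busybox:1.36
      command: ["sh", "-c", "echo hello > /DIR1/from-writer && ls -ln /DIR1 && sleep 3600"]
      securityContext:
        runAsUser: 2001
        runAsGroup: 2001
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: dir1
          mountPath: /DIR1
    # Read-only consumer: a different uid placed in gid 2001 so the 2770 mode
    # lets it in, plus a readOnly mount so writes fail with EROFS in this
    # container only. Read-only lives in the mount, not in the directory, so
    # the writer container is unaffected.
    - name: reader
      image: busybox:1.36
      command: ["sh", "-c", "sleep 5; ls -ln /DIR1; touch /DIR1/x || echo 'write denied'; sleep 3600"]
      securityContext:
        runAsUser: 2002
        runAsGroup: 2001
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: dir1
          mountPath: /DIR1
          readOnly: true
    # Group 2 proper: gid 2002 and no membership in 2001. The kernel's
    # owner/group/other check denies it (EACCES) even though the volume is
    # mounted. Not mounting the volume at all is stricter still.
    - name: outsider
      image: busybox:1.36
      command: ["sh", "-c", "sleep 5; ls /DIR1 || echo 'no access'; sleep 3600"]
      securityContext:
        runAsUser: 2003
        runAsGroup: 2002
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: dir1
          mountPath: /DIR1
```

For the non-volume case the same per-container runAsUser/runAsGroup settings apply, but each container gets its own copy of /DIR1 from the image layers, with whatever ownership and mode the Dockerfile baked in, so nothing is shared between containers and no init container is needed. Two Kubernetes limits shape this design: supplementalGroups and fsGroup are pod-wide, so they cannot put one container in Group 1 and keep another out, and the init container needs root (which the "restricted" Pod Security Standard forbids) only because emptyDir is created root-owned. Giving Group 2 read access under its own gid while others get nothing is beyond plain owner/group/other bits and needs POSIX ACLs (setfacl) on a filesystem that supports them; the readOnly mount above is the portable substitute.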