trinodb / charts

Support to securityContext.fsGroup to override the owner of mounted volumes

heitorrbarros opened this issue · comments

Hi there!

I recently attached SSDs for caching purposes and enabled them by mounting the volume at /data/trino/cache. However, upon doing so, I encountered the following exception from Alluxio:

IllegalArgumentException: Cannot write to cache directory /data/trino/cache.

After some investigation, I suspect that I need to set fsGroup to 1000 in pod.spec.securityContext. Currently, the chart supports runAsGroup and runAsUser in securityContext:

...
     {{- with .Values.securityContext }}
     securityContext:
        runAsUser: {{ .runAsUser }}
        runAsGroup: {{ .runAsGroup }}
     {{- end }}
...

The volume declared in the pod spec:

...
    - name: ebs-cache-volume
      ephemeral:
        volumeClaimTemplate:
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 100Gi
            volumeMode: Filesystem
...

Could you please confirm if adding fsGroup: 1000 to the pod.spec.securityContext would resolve this issue? If not, any guidance on how to properly configure the security context for SSD caching would be greatly appreciated.

Thanks in advance for your help!

PR adding the fsGroup

Would it be worth making the entire podSecurityContext a templated value?
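
The setting discussed in this thread, shown as a standalone Pod manifest. This is an added illustration, not the trinodb/charts template or its values schema; the pod name, the image tag, and UID/GID 1000 for runAsUser/runAsGroup are assumptions, while the volume definition and mount path are the ones quoted in the issue.

```yaml
# Constructed example: a plain Pod, not rendered from the chart.
apiVersion: v1
kind: Pod
metadata:
  name: trino-cache-demo            # hypothetical name
spec:
  # fsGroup is a pod-level field; it is not valid in a
  # container-level securityContext.
  securityContext:
    runAsUser: 1000                 # assumed UID of the Trino process
    runAsGroup: 1000                # assumed primary GID
    # A freshly provisioned filesystem volume is typically owned by
    # root:root, so a non-root process cannot write to the mount.
    # With fsGroup set, the kubelet changes the group ownership of the
    # volume to this GID and sets the setgid bit, for volume types
    # that support ownership management.
    fsGroup: 1000
    # Skip the recursive ownership change when the volume root
    # already has the expected owner and permissions.
    fsGroupChangePolicy: OnRootMismatch
  containers:
    - name: trino
      image: trinodb/trino:latest   # placeholder tag
      volumeMounts:
        - name: ebs-cache-volume
          mountPath: /data/trino/cache
  volumes:
    - name: ebs-cache-volume
      ephemeral:
        volumeClaimTemplate:
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 100Gi
            volumeMode: Filesystem
```

Setting fsGroup keeps the container non-root, instead of running as root or loosening permissions on the cache directory to make it writable.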