I have deployed the Kubernetes pod through the deployment file. While checking the logs, all the volumeMounts inside the pod have read-only permission, which throws an error, and the application is not working as expected.
command: kubectl exec -it pod_name -n namespace -- /bin/bash
Trying to do some Linux operations such as chmod, ls, cp, mv is not working and throws a permission denied error.
Ex:
chmod: changing permissions of 'ssl_keycloak_keygen.sh': Read-only file system
writing new private key to '/ssl-certificates/portal-tls.key'
req: Can't open "/ssl-certificates/portal-tls.key" for writing, Permission denied
cp: cannot stat 'xxx.key': No such file or directory
Tried solutions:
- Have tried changing securityContext fsGroup, runAsUser inside the deployment file
- Added group member as root inside the Dockerfile before building an image
- setenuser 0 on the Linux machine
The above solutions don't work; kindly let me know if you have some solutions.
Deployment file sample:
spec:
  volumes:
    - name: s1
      persistentVolumeClaim:
        claimName: s1-pvc-rwx
    - name: configmap-volume
      configMap:
        name: keycloak-config1
        defaultMode: 511
  containers:
    - resources: {}
      name: keycloak
      env:
        - xxxx-- not mentioned
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - name: sslfolder
          mountPath: /sslfolder
        - name: configmap-volume
          mountPath: /opt/jboss/ssl_keycloak_keygen.sh
          subPath: ssl_keycloak_keygen.sh
PV:
kind: PersistentVolume
apiVersion: v1
metadata:
  name: volume1
  labels:
    type: ocs
spec:
  storageClassName: xxx
  capacity:
    storage: 3Gi
  accessModes:
    - ReadWriteMany
  hostPath:
    path: "/mnt/k8s/vol1"
PVC:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sslxxx
spec:
  accessModes:
    - ReadWriteMany
  volumeMode: Filesystem
  resources:
    requests:
      storage: 1Gi
  storageClassName: xxx
CodePudding user response:
I assume your PVC is marked as read-only. Please paste your PV/PVC definition and verify that you can set it to RW.
PersistentVolume
apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-volume
spec:
  capacity:
    storage: 400Gi
  accessModes:
    - ReadWriteOnce  # <----------------
PersistentVolumeClaim
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: postgres-pv-claim
  labels:
    app: postgres
spec:
  # in this demo we use GCP so we are using the 'standard' StorageClass
  # We can of course define our own StorageClass resource
  storageClassName: standard
  # The access modes are:
  # ReadWriteOnce - The volume can be mounted as read-write by a single node
  # ReadWriteMany - The volume can be mounted as read-write by many nodes
  # ReadOnlyMany - The volume can be mounted as read-only by many nodes
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
CodePudding user response:
From your error message:
req: Can't open "/ssl-certificates/portal-tls.key" for writing, Permission denied
the script is failing to write to /ssl-certificates.
But in your pod.spec you're mounting the PVC in a different path:
volumeMounts:
  - name: sslfolder
    mountPath: /sslfolder
So you're trying to write to the wrong location. Try updating either your volumeMount, or the location your script is writing to and this should be fine. PVCs will be mounted read-write by default, unless you add a read-only option in your mount.
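A check for the path mismatch described in this answer, as an added example that is not code from the thread: the pod spec dict is constructed from the question's Deployment sample, and the function names are hypothetical. It also flags volumeMounts that name no declared volume and treats configMap, secret, downwardAPI and projected volumes as read-only, which Kubernetes always enforces and which matches the "Read-only file system" error on the configMap-mounted script.

```python
import posixpath

# Constructed from the question's Deployment sample (pod spec as a dict).
POD_SPEC = {
    "volumes": [
        {"name": "s1", "persistentVolumeClaim": {"claimName": "s1-pvc-rwx"}},
        {"name": "configmap-volume", "configMap": {"name": "keycloak-config1"}},
    ],
    "containers": [{
        "name": "keycloak",
        "volumeMounts": [
            {"name": "sslfolder", "mountPath": "/sslfolder"},
            {"name": "configmap-volume", "subPath": "ssl_keycloak_keygen.sh",
             "mountPath": "/opt/jboss/ssl_keycloak_keygen.sh"},
        ],
    }],
}

# Volume sources that Kubernetes always mounts read-only.
READ_ONLY_SOURCES = {"configMap", "secret", "downwardAPI", "projected"}


def undefined_mounts(spec):
    """Return (container, mount) name pairs that match no declared volume."""
    declared = {v["name"] for v in spec.get("volumes", [])}
    return [(c["name"], m["name"]) for c in spec["containers"]
            for m in c.get("volumeMounts", []) if m["name"] not in declared]


def writable_volume_for(spec, container, path):
    """Return the mountPath of the writable volume holding `path`, else None."""
    sources = {v["name"]: set(v) - {"name"} for v in spec.get("volumes", [])}
    path, best = posixpath.normpath(path), None
    for c in spec["containers"]:
        for m in c.get("volumeMounts", []) if c["name"] == container else []:
            mp = posixpath.normpath(m["mountPath"])
            inside = path == mp or path.startswith(mp.rstrip("/") + "/")
            # The longest matching mountPath wins, as with nested mounts.
            if inside and (best is None or len(mp) > len(best[0])):
                src = sources.get(m["name"])  # None: volume not declared
                ok = bool(src) and not (src & READ_ONLY_SOURCES)
                best = (mp, ok and not m.get("readOnly", False))
    return best[0] if best and best[1] else None


if __name__ == "__main__":
    print(undefined_mounts(POD_SPEC))
    print(writable_volume_for(POD_SPEC, "keycloak",
                              "/ssl-certificates/portal-tls.key"))
```

A result of None means the path is not backed by a writable volume; whether the container's own filesystem accepts the write then depends on the image and the securityContext.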