Azure Kubernetes Service - Persistent Volume / Persistent Volume Claim change permissions

Tags azure kubernetes azure-storage azure-aks persistent-volumes

I am new to Azure infrastructure. I am trying to deploy Jenkins on AKS and be able to keep all of my Jenkins data if the container stops working, and I am running into permission problems on the newly created PVC.

I want to change the permissions of a specific folder and files in the PVC; the "chmod" command looks like it runs but does nothing, and the permissions are still set to 777 instead of the permissions I want.

I noticed that the storage class's default permission value for directories and files is 777, but I need some specific files to have different permissions.

Can I do this? Or is there another option?

Best answer

I want to change the permissions for a specific folder and files in the PVC and the "chmod" command looks like running but doesn't do anything and the permissions are still set to 777 instead of my wanted permissions.

If you want to configure permissions in Kubernetes, you have to use a security context:

A security context defines privilege and access control settings for a Pod or Container. Security context settings include, but are not limited to:

  • Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID).

  • Security Enhanced Linux (SELinux): Objects are assigned security labels.

  • Running as privileged or unprivileged.

  • Linux Capabilities: Give a process some privileges, but not all the privileges of the root user.

  • AppArmor: Use program profiles to restrict the capabilities of individual programs.

  • Seccomp: Filter a process's system calls.

  • AllowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent process. This bool directly controls whether the no_new_privs flag gets set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN.

  • readOnlyRootFilesystem: Mounts the container's root filesystem as read-only.

The above bullets are not a complete set of security context settings -- please see SecurityContext for a comprehensive list.

For more information about security mechanisms in Linux, see Overview of Linux Kernel Security Features

In your case, if you want to grant permissions on a specific object (such as a file), you can use Discretionary Access Control:

Containers that run as root frequently have far more permissions than their workload requires which, in case of compromise, could help an attacker further their attack.

Containers still rely on the traditional Unix security model (called discretionary access control or DAC) - everything is a file, and permissions are granted to users and groups.

You can also configure the volume permission and ownership change policy for Pods.

See also:

Regarding Azure Kubernetes Service - Persistent Volume / Persistent Volume Claim change permissions, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/69391743/
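The answer above points at the Pod security context and the volume ownership change policy; the following manifests put that into practice. They are an added example, not code from the original question or answer. Assumptions: the official jenkins/jenkins:lts image, which runs as uid/gid 1000 and keeps its data under /var/jenkins_home; the PVC name jenkins-home and the StorageClass name azurefile-jenkins are illustrative; managed-csi is taken to be the AKS Azure Disk class. One caveat a practitioner should know before reaching for chmod: a chmod that reports success but changes nothing is the behaviour of an SMB (Azure Files) mount, where the mode of every file and directory is fixed by the dir_mode/file_mode mount options and cannot be changed per file from inside the pod. Running Jenkins as a non-root user on an Azure Disk volume (an ext4 filesystem) with fsGroup set gives you real per-file ownership and modes; if the share must stay on Azure Files, the second manifest tightens the mount options at the StorageClass level instead.

```yaml
# Added example (not from the original page). Jenkins on a ReadWriteOnce Azure Disk
# volume, run as the image's unprivileged user, with the volume chowned by the kubelet.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
spec:
  replicas: 1
  strategy:
    type: Recreate              # a ReadWriteOnce disk attaches to one node at a time
  selector:
    matchLabels:
      app: jenkins
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000         # uid/gid of the "jenkins" user in the official image (assumption)
        runAsGroup: 1000
        fsGroup: 1000           # kubelet chowns the volume to this GID and sets setgid on dirs
        fsGroupChangePolicy: OnRootMismatch   # skip the recursive chown if the root already matches
      containers:
        - name: jenkins
          image: jenkins/jenkins:lts
          securityContext:
            allowPrivilegeEscalation: false   # sets no_new_privs on the container process
            capabilities:
              drop: ["ALL"]
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: jenkins-home
              mountPath: /var/jenkins_home    # JENKINS_HOME in the official image (assumption)
      volumes:
        - name: jenkins-home
          persistentVolumeClaim:
            claimName: jenkins-home
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-home
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: managed-csi   # Azure Disk (assumed AKS class name): ext4, so chmod/chown work
  resources:
    requests:
      storage: 20Gi
---
# Alternative for a share that must stay on Azure Files (SMB), e.g. for ReadWriteMany.
# Per-file chmod does not apply here: every entry gets the mode from the mount options,
# so tighten them in the StorageClass rather than leaving the 0777 default.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-jenkins         # illustrative name
provisioner: file.csi.azure.com
parameters:
  skuName: Standard_LRS
reclaimPolicy: Retain             # keep the share if the PVC is deleted by mistake
allowVolumeExpansion: true
mountOptions:
  - dir_mode=0750                 # owner rwx, group rx, no access for others
  - file_mode=0640
  - uid=1000                      # present the share as owned by the jenkins user
  - gid=1000
  - mfsymlinks                    # Jenkins plugins create symlinks; SMB needs this emulation
  - cache=strict
  - actimeo=30
```

Apply the Deployment and PVC with kubectl apply -f, then verify from inside the pod with `id` (expect uid=1000 gid=1000) and `ls -ld /var/jenkins_home` (expect the directory owned by 1000:1000 with the setgid bit from fsGroup). On the Azure Disk volume a subsequent chmod 600 on a credentials file sticks; on the Azure Files class the listing will show 0750/0640 for everything and chmod will again be a no-op, which is the expected SMB behaviour rather than a bug.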
