[RHOCP 4.x] Getting Permission denied while using HostPath volume on pod
Environment
- Red Hat OpenShift Container Platform 4.x
Issue
- Getting Permission denied while using HostPath on a pod, even when the pod starts successfully with no errors.
- Red Hat CoreOS only allows write access to certain locations such as /mnt, /srv, and /var/mnt. Writing in the root of the / filesystem is not allowed.
Resolution
- Below is an example YAML file that resolves the above issue.
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
  - image: xxx.xx/xxxx-xx/xxx-xx:v1
    name: examplepod
    ports:
    - containerPort: 8080
    securityContext:  # this will allow the pod to make changes on the host directory
      privileged: true
    volumeMounts:
    - mountPath: /mnt
      name: hostpath
  volumes:
  - name: hostpath
    hostPath:
      path: /mnt
[q@upi-0 ]$ oc get pods
NAME      READY   STATUS    RESTARTS   AGE
example   1/1     Running   0          10s
[q@upi-0 ]$ oc exec -it example -- sh
~ $ cd /mnt/
/mnt $ ls
/mnt $ touch file.txt
/mnt $ ls
file.txt
/mnt $
Root Cause
- The pod needs permission to modify the HostPath volume.
- That permission is given by the 'securityContext' parameter.
Diagnostic Steps
- The example below does not specify 'securityContext', and the pod gets a Permission denied error.
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
  - image: xxx.xx/xxx-xxx/xxx-xxx:v1
    name: examplepod
    ports:
    - containerPort: 8080
    volumeMounts:
    - mountPath: /mnt
      name: hostpath
  volumes:
  - name: hostpath
    hostPath:
      path: /mnt
[q@upi-0 ]$ oc get pod -o wide
NAME      READY   STATUS    RESTARTS   AGE     IP            NODE                                NOMINATED NODE   READINESS GATES
example   1/1     Running   0          4m50s   xx.xxx.x.xx   worker-1.xxx.xxx.xxx.xxx.xxx.com    <none>           <none>
[q@upi-0 ]$ oc get pods
NAME      READY   STATUS    RESTARTS   AGE
example   1/1     Running   0          104s
[q@upi-0 sanjay]$ oc exec -it example -- sh
~ $ cd /mnt/
/mnt $ ls
ls: can't open '.': Permission denied
/mnt $ ls
ls: can't open '.': Permission denied
/mnt $ touch file.txt
touch: file.txt: Permission denied
/mnt $
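The same diagnosis can be made from the Pod object before anyone execs into the container. The following is an added example, not part of the original solution or Red Hat tooling: it takes a Pod as parsed JSON (for instance the output of oc get pod example -o json), finds every container mount backed by a hostPath volume, and reports whether the container is privileged and whether the host path falls under the writable locations listed in the Issue section. The function names, the verdict strings and the sample Pod objects are assumptions made for the example.

```python
import json
import posixpath

# Host locations this article lists as writable on Red Hat CoreOS
# (the article says "such as", so the list may not be exhaustive).
WRITABLE_ROOTS = ("/mnt", "/srv", "/var/mnt")


def host_path_writable(path):
    """True if the normalized host path is one of WRITABLE_ROOTS or below it."""
    p = posixpath.normpath(path)
    return any(p == r or p.startswith(r + "/") for r in WRITABLE_ROOTS)


def audit_pod(pod):
    """Return one finding per container mount that is backed by a hostPath volume."""
    spec = pod.get("spec", {})
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if v.get("hostPath")}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        privileged = (c.get("securityContext") or {}).get("privileged") is True
        for m in c.get("volumeMounts", []):
            if m["name"] not in host_paths:
                continue  # not a hostPath-backed mount
            hp = host_paths[m["name"]]
            if not host_path_writable(hp):
                verdict = "host path outside writable locations"
            elif not privileged:
                verdict = "Permission denied expected (no privileged securityContext)"
            else:
                verdict = "privileged container can modify host directory"
            findings.append({"container": c["name"], "hostPath": hp,
                             "mountPath": m["mountPath"],
                             "privileged": privileged, "verdict": verdict})
    return findings


def sample_pod(privileged):
    """Constructed sample: the two manifests from this article as Pod objects."""
    container = {"name": "examplepod", "image": "xxx.xx/xxxx-xx/xxx-xx:v1",
                 "volumeMounts": [{"mountPath": "/mnt", "name": "hostpath"}]}
    if privileged:
        container["securityContext"] = {"privileged": True}
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example"},
            "spec": {"containers": [container],
                     "volumes": [{"name": "hostpath", "hostPath": {"path": "/mnt"}}]}}


if __name__ == "__main__":
    for pod in (sample_pod(False), sample_pod(True)):
        print(json.dumps(audit_pod(pod), indent=2))
```

Run against every pod in a namespace, the "privileged container can modify host directory" verdict also gives an inventory of the workloads that hold this level of access to the node.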
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.