[RHOCP 4.x] Getting Permission denied while using HostPath volume on pod


Environment

  • Red Hat OpenShift Container Platform 4.x

Issue

  • Getting Permission denied while using a HostPath volume on a pod, even though the pod starts successfully with no errors.
  • Red Hat CoreOS only allows write access to certain locations, such as /mnt, /srv, and /var/mnt. Writing to the root of the / filesystem is not allowed.

Resolution

  • Below is an example YAML file that resolves the above issue.
cat pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
  - image: xxx.xx/xxxx-xx/xxx-xx:v1
    name: examplepod
    ports:
    - containerPort: 8080
    securityContext:     # privileged: true is what allows the pod to make changes on the host directory
      privileged: true
    volumeMounts:
    - mountPath: /mnt
      name: hostpath
  volumes:
    - name: hostpath
      hostPath:
        path: /mnt
[q@upi-0 ]$  oc get pods
NAME       READY   STATUS    RESTARTS   AGE
example   1/1     Running   0          10s

[q@upi-0 ]$  oc exec -it   example  -- sh 
~ $ cd /mnt/
/mnt $ ls
/mnt $ touch file.txt
/mnt $ ls
file.txt
/mnt $ 

Root Cause

  • The pod needs permission to modify the HostPath volume.
  • That permission is granted through the 'securityContext' parameter of the container.

Diagnostic Steps

  • The example below does not specify 'securityContext', and the pod gets a Permission denied error on the mounted directory.
cat pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
  - image: xxx.xx/xxx-xxx/xxx-xxx:v1
    name: examplepod
    ports:
    - containerPort: 8080
    volumeMounts:
    - mountPath: /mnt
      name: hostpath
  volumes:
    - name: hostpath
      hostPath:
        path: /mnt
[q@upi-0 ]$  oc get pod -o wide
NAME      READY   STATUS    RESTARTS   AGE     IP            NODE                               NOMINATED NODE   READINESS GATES
example   1/1     Running   0          4m50s   xx.xxx.x.xx   worker-1.xxx.xxx.xxx.xxx.xxx.com   <none>           <none>

[q@upi-0 ]$  oc get pods
NAME      READY   STATUS    RESTARTS   AGE
example   1/1     Running   0          104s

[q@upi-0 sanjay]$ oc exec -it   example  -- sh 
~ $ cd /mnt/
/mnt $ ls
ls: can't open '.': Permission denied
/mnt $ ls
ls: can't open '.': Permission denied
/mnt $ touch file.txt
touch: file.txt: Permission denied
/mnt $ 
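As an added check that is not part of this Red Hat solution: a small Python audit that reads the JSON `oc get pods -o json` returns and reports every hostPath mount, whether the mounting container is privileged, and whether the host location is one RHCOS keeps writable. The two pod objects embedded below are constructed from this article's two manifests (the second renamed "example-noctx"); the `under_writable`, `audit_pod` and `audit` names are my own.

```python
import json
# Host locations Red Hat CoreOS leaves writable (per this article); any other
# hostPath points into a read-only part of the node filesystem.
RHCOS_WRITABLE = ("/mnt", "/srv", "/var/mnt")

# Constructed sample: the article's two manifests in the `oc get pods -o json`
# shape, trimmed to the fields the audit reads; the Diagnostic Steps pod (no
# securityContext) is renamed "example-noctx" so the two can be told apart.
SAMPLE_PODS = {"kind": "PodList", "items": [
    {"metadata": {"name": "example"},
     "spec": {"containers": [{"name": "examplepod",
                              "securityContext": {"privileged": True},
                              "volumeMounts": [{"mountPath": "/mnt", "name": "hostpath"}]}],
              "volumes": [{"name": "hostpath", "hostPath": {"path": "/mnt"}}]}},
    {"metadata": {"name": "example-noctx"},
     "spec": {"containers": [{"name": "examplepod",
                              "volumeMounts": [{"mountPath": "/mnt", "name": "hostpath"}]}],
              "volumes": [{"name": "hostpath", "hostPath": {"path": "/mnt"}}]}}]}

def under_writable(path):
    # True when `path` is one of the RHCOS-writable locations or lies inside one.
    return any(path == p or path.startswith(p + "/") for p in RHCOS_WRITABLE)

def audit_pod(pod):
    """One finding per (container, hostPath mount) pair in a single Pod object."""
    spec = pod.get("spec", {})
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []):
        privileged = bool((c.get("securityContext") or {}).get("privileged", False))
        for m in c.get("volumeMounts", []):
            if m["name"] not in host_vols:
                continue  # not a hostPath volume, nothing to report
            path = host_vols[m["name"]]
            findings.append({
                "pod": pod["metadata"]["name"], "container": c["name"],
                "host_path": path, "mount_path": m["mountPath"],
                "privileged": privileged, "rhcos_writable": under_writable(path),
                # Per the article, writes succeed only when the container is
                # privileged AND the host location is one RHCOS lets you write to.
                "writes_expected_to_work": privileged and under_writable(path)})
    return findings

def audit(doc):
    """Audit one Pod, or a PodList/List as returned by `oc get pods -A -o json`."""
    pods = doc["items"] if "items" in doc else [doc]
    return [f for p in pods for f in audit_pod(p)]

for finding in audit(SAMPLE_PODS):
    print(json.dumps(finding))
```

Against a live cluster, pass `json.load()` of `oc get pods -A -o json` to `audit()`; every finding with `"privileged": true` is a container with full host access and is worth reviewing, not just the ones that fail with Permission denied.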

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
