Environmental Info:
K3s Version:
k3s version v1.26.4+k3s1 (8d0255a)
go version go1.19.8
Node(s) CPU architecture, OS, and Version:
Linux localhost 5.15.119-flatcar #1 SMP Fri Jul 14 17:48:03 -00 2023 x86_64 AMD Ryzen 5 3600 6-Core Processor AuthenticAMD GNU/Linux
Cluster Configuration:
Single node
Describe the bug:
I created an additional StorageClass, named local-path-retain, which is an exact copy of the pre-installed local-path StorageClass, with one (obvious) difference: reclaimPolicy is set to Retain, where the default for local-path is Delete.
Initially this seemed to work fine, and I can choose between StorageClasses in my PVC's just as expected. However, I noticed that the permissions on the local-path-retain PV's aren't set correctly.
PV's created by local-path are set 777, while local-path-retain PV's are set 755. As a result, I can't run any non-root containers on the local-path-retain PV's as they lack permissions. I tried to fix this with a Pod-level fsGroup SecurityContext but I noticed that LocalPath volumes don't seem to support fsGroup settings at all, so this was no workaround either.
I noticed that local-path-provisioner comes with a ConfigMap that embeds setup/teardown scripts, and that setup script does create new volumes with the right permissions: "mkdir -m 0777 -p ${absolutePath}". Perhaps for the additional StorageClass this config file is ignored (?) I am not quite sure how to debug further from this point. Any suggestions are welcome.
Environmental Info:
K3s Version:
k3s version v1.26.4+k3s1 (8d0255a)
go version go1.19.8
Node(s) CPU architecture, OS, and Version:
Linux localhost 5.15.119-flatcar #1 SMP Fri Jul 14 17:48:03 -00 2023 x86_64 AMD Ryzen 5 3600 6-Core Processor AuthenticAMD GNU/Linux
Cluster Configuration:
Single node
Describe the bug:
I created an additional StorageClass, named local-path-retain, which is an exact copy of the pre-installed local-path StorageClass, with one (obvious) difference: reclaimPolicy is set to Retain, where the default for local-path is Delete.
Initially this seemed to work fine, and I can choose between StorageClasses in my PVC's just as expected. However, I noticed that the permissions on the local-path-retain PV's aren't set correctly.
PV's created by local-path are set 777, while local-path-retain PV's are set 755. As a result, I can't run any non-root containers on the local-path-retain PV's as they lack permissions. I tried to fix this with a Pod-level fsGroup SecurityContext but I noticed that LocalPath volumes don't seem to support fsGroup settings at all, so this was no workaround either.
I noticed that local-path-provisioner comes with a ConfigMap that embeds setup/teardown scripts, and that setup script does create new volumes with the right permissions: "mkdir -m 0777 -p ${absolutePath}". Perhaps for the additional StorageClass this config file is ignored (?) I am not quite sure how to debug further from this point. Any suggestions are welcome.