The PV created by rookceph cannot be written to the mounted pod, but the write permission is given

[ywd1988]

The PV created by rookceph cannot be written to the mounted pod, but the write permission is given

[subhamkrai]

@ywd1988 which pv you are pointing to?

[ywd1988]

@ywd1988你指的是哪个PV？

The PV pod created by rookceph has root privileges but no write privileges

[Madhu-1]

@ywd1988 you need to add securityContext to the pod as i mentioned here ceph/ceph-csi#3342 (comment)

[ywd1988]

@ywd1988你需要将 securityContext 添加到 pod 中，正如我在上面提到的ceph/ceph-csi#3342（评论）
Adding a securityContext still doesn't work, it's normal to not mount the PV pod

[Madhu-1]

@ywd1988你需要将 securityContext 添加到 pod 中，正如我在上面提到的ceph/ceph-csi#3342（评论）
Adding a securityContext still doesn't work, it's normal to not mount the PV pod

Please provide the PVC and Pod yaml you are using , what version of Rook/kubernetes you are using?

[ywd1988]

@ywd1988你需要将 securityContext 添加到 pod 中，正如我在上面提到的ceph/ceph-csi#3342（评论）
添加 securityContext 还是不行，不挂载 PV pod 是正常的

请提供您使用的 PVC 和 Pod yaml ，您使用的 Rook/kubernetes 版本是什么？

kind: Pod
apiVersion: v1
metadata:
name: elk-5cb5bf5649-g2tzx
generateName: elk-5cb5bf5649-
namespace: elk
labels:
app: elk
pod-template-hash: 5cb5bf5649
annotations:
cni.projectcalico.org/containerID: 1a566bfec210e71420ed15d9b2922c299a350934a42063ff6f534482a8f6dfb8
cni.projectcalico.org/podIP: 100.84.100.13/32
cni.projectcalico.org/podIPs: 100.84.100.13/32
kubesphere.io/creator: admin
kubesphere.io/imagepullsecrets: '{}'
kubesphere.io/restartedAt: '2024-04-05T08:13:47.483Z'
logging.kubesphere.io/logsidecar-config: '{}'
spec:
volumes:
- name: volume-cjzk3s
persistentVolumeClaim:
claimName: '8'
- name: kube-api-access-h57w2
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:
items:
- path: namespace
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
defaultMode: 420
containers:
- name: container-x4es2a
image: 'docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2'
ports:
- name: tcp-9200
containerPort: 9200
protocol: TCP
- name: tcp-9300
containerPort: 9300
protocol: TCP
resources: {}
volumeMounts:
- name: volume-cjzk3s
mountPath: /usr/share/elasticsearch/data
- name: kube-api-access-h57w2
readOnly: true
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: IfNotPresent
securityContext: {}
restartPolicy: Always
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst
serviceAccountName: default
serviceAccount: default
nodeName: ks-master
securityContext: {}
schedulerName: default-scheduler
tolerations:
- key: node.kubernetes.io/not-ready
operator: Exists
effect: NoExecute
tolerationSeconds: 300
- key: node.kubernetes.io/unreachable
operator: Exists
effect: NoExecute
tolerationSeconds: 300
priority: 0
enableServiceLinks: true
preemptionPolicy: PreemptLowerPriority

pvc：kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: '9'
namespace: elk
annotations:
kubesphere.io/creator: admin
pv.kubernetes.io/bind-completed: 'yes'
pv.kubernetes.io/bound-by-controller: 'yes'
volume.beta.kubernetes.io/storage-provisioner: rook-ceph.rbd.csi.ceph.com
volume.kubernetes.io/storage-provisioner: rook-ceph.rbd.csi.ceph.com
finalizers:
- kubernetes.io/pvc-protection
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
volumeName: pvc-75534e32-a098-407c-a27b-aac224e47699
storageClassName: rook-ceph-block
volumeMode: Filesystem
rook:1.13.7 k8s:1.26.12

[Madhu-1]

i dont see anything like below or similar to it in above pod yaml, the securityContext is empty above

apiVersion: v1
kind: Pod
metadata:
  name: csicephfs-demo-pod
spec:
  securityContext:
    fsGroup: 1000
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
  containers:
    - name: web-server
      image: busybox
      command: ["sleep", "60000"]
      volumeMounts:
        - name: mypvc
          mountPath: /var/lib/www/html
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true

[ywd1988]

fsGroup: 1000
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true

kind: Pod
apiVersion: v1
metadata:
name: elk-869f4748fb-xzkqq
generateName: elk-869f4748fb-
namespace: elk
labels:
app: elk
pod-template-hash: 869f4748fb
annotations:
cni.projectcalico.org/containerID: ca5418d4816b8419794caf4d8efb5c027eb45d552828014b3aa2104c788730c1
cni.projectcalico.org/podIP: 100.84.100.55/32
cni.projectcalico.org/podIPs: 100.84.100.55/32
kubesphere.io/creator: admin
kubesphere.io/imagepullsecrets: '{}'
kubesphere.io/restartedAt: '2024-04-05T08:13:47.483Z'
logging.kubesphere.io/logsidecar-config: '{}'
spec:
volumes:
- name: volume-cjzk3s
persistentVolumeClaim:
claimName: '8'
- name: kube-api-access-jkv29
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:
items:
- path: namespace
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
defaultMode: 420
containers:
- name: container-x4es2a
image: 'docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2'
ports:
- name: tcp-9200
containerPort: 9200
protocol: TCP
- name: tcp-9300
containerPort: 9300
protocol: TCP
resources: {}
volumeMounts:
- name: volume-cjzk3s
mountPath: /usr/share/elasticsearch/data
- name: kube-api-access-jkv29
readOnly: true
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
restartPolicy: Always
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst
serviceAccountName: default
serviceAccount: default
nodeName: ks-master
securityContext: {}
schedulerName: default-scheduler
tolerations:
- key: node.kubernetes.io/not-ready
operator: Exists
effect: NoExecute
tolerationSeconds: 300
- key: node.kubernetes.io/unreachable
operator: Exists
effect: NoExecute
tolerationSeconds: 300
priority: 0
enableServiceLinks: true
preemptionPolicy: PreemptLowerPriority
This still doesn't work

[Madhu-1]

spec:
  securityContext:
    fsGroup: 1000
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true

Can you add fsGroup at the pod level as well?

[ywd1988]

spec:
  securityContext:
    fsGroup: 1000
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true

Can you add fsGroup at the pod level as well?

Not Supported

[Madhu-1]

spec:
  securityContext:
    fsGroup: 1000
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true

Can you add fsGroup at the pod level as well?

Not Supported

what version of kubernetes and Rook you are using?

[ywd1988]

spec:
  securityContext:
    fsGroup: 1000
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true

Can you add fsGroup at the pod level as well?

Not Supported

what version of kubernetes and Rook you are using?

rook：1.13.7 kubernetes：1.26.12

[Madhu-1]

AFAIK it is supported in kubernetes 1.26 https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod , can you please check

[ywd1988]

AFAIK it is supported in kubernetes 1.26 https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod , can you please check

That could be because my kubesphere 3.4.1 does not support it

[ywd1988]

AFAIK it is supported in kubernetes 1.26 https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod , can you please check

AFAIK it is supported in kubernetes 1.26 https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod , can you please check

I manually set write permissions in the pod, which is also possible