On Wed, Jun 22, 2016 at 12:14 PM, Alan Jones <[email protected]> wrote:
> I have a configuration for a PV/PVC with a block device that works in the
> default namespace with the fsGroup tag in the pod spec's securityContext.
> I was able to create the pod in a non-default namespace with a combination
> of 'openshift.io/scc: restricted' and a supplementalGroups tag with the
> same value; but this gave the familiar permission denied error trying to
> write to the new directory.
>
> https://docs.openshift.com/enterprise/3.2/install_config/storage_examples/shared_storage.html
> Note, my image is not being built by OpenShift and has a particular user
> and group that runs out of the box.
> 1) Can you configure persistent block device storage for non-default
> projects?
>

PVs don't care what project they're used with, so yes. Project is not important here, but the service account being a member of the right SCC does if you're trying to specify securityContext.

> 2) Do you need to build the container image for this configuration?
>

The container should generally be none the wiser as to how its storage is supplied.

> 3) Is support required in the volume driver to interpret
> 'supplementalGroups' separate from 'fsGroup'?
> (I don't see any reference to 'supplementalGroups' in k8s volume code
> where I do see 'fsGroup'.)
>

Don't know. I think supplementalGroups is an OpenShift addition. Note under:
https://docs.openshift.com/enterprise/3.2/install_config/persistent_storage/pod_security_context.html#supplemental-groups

"The *supplementalGroups* IDs are typically used for controlling access to shared storage, such as NFS and GlusterFS, whereas fsGroup <https://docs.openshift.com/enterprise/3.2/install_config/persistent_storage/pod_security_context.html#fsgroup> is used for controlling access to block storage, such as Ceph RBD and iSCSI."

I don't know if this means supplemental groups are *ignored* for the purposes of block storage...

> Thank you!
> Alan
>
> _______________________________________________
> dev mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
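A pod manifest setting both fields side by side, as an added example that is not part of this thread: the pod name `app`, the image reference, the claim name `data-pvc` and the GID 2000 are constructed, and it assumes the service account's SCC permits the chosen fsGroup value (the restricted SCC in OpenShift 3.x validates fsGroup against the project's allowed group range at admission).

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app            # constructed name
spec:
  securityContext:
    # fsGroup applies to block storage (Ceph RBD, iSCSI): the kubelet changes
    # the group of the mounted filesystem to this GID and sets the setgid bit,
    # so an image running as its own fixed user/group can still write to it.
    fsGroup: 2000
    # supplementalGroups is added to the container processes' group list;
    # that is what a shared export (NFS, GlusterFS) owned by GID 2000 checks.
    # It does not change the ownership of a block-device mount by itself.
    supplementalGroups: [2000]
  containers:
  - name: app
    image: registry.example.com/app:1.0   # constructed; image ships its own UID/GID
    volumeMounts:
    - name: data
      mountPath: /data
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: data-pvc                  # constructed; bound to the block-device PV
```

Inside the running container, `id` should list 2000 among the groups and `ls -ld /data` should show group 2000 if fsGroup was honored on the block mount. If the SCC does not allow the fsGroup value, the pod is rejected at creation with an SCC validation error rather than failing later with permission denied on write.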
