I have a PD that is shared between two Kubernetes services. Once service runs a server application inside a container currently as root (I will probably change this to, say, user1), the other service runs Docker's Postgres image as postgres. I would like to make sure that both root (eventually user1) and postgres have read-write access to certain directories below the PD's mount point, for instance postgres should "own" the directory /mnt/disk/my-pd/pgdata.
Can this be configured on the level of a Kubernetes spec? If not and if I have to configure it manually "outside", can I make assumptions about how UIDs and GIDs relate to each other throughout the cluster, i.e. does Kubernetes (or do standard Docker images such as postgres) include some kind of directory service that would keep the UID e.g. for postgres in sync throughout the cluster?
Here is the Postgres-related portion of my spec in its current form:
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: postgres-deployment
spec:
template:
metadata:
labels:
app: postgres-app
spec:
containers:
- name: postgres-container
image: postgres
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: my-secret
key: postgres-password.txt
- name: PGDATA
value: /mnt/disk/my-pd/pgdata
- name: POSTGRES_DB
value: mydb
ports:
- protocol: TCP
containerPort: 5432
volumeMounts:
- name: my-volume
mountPath: /mnt/disk/my-pd
volumes:
- name: my-volume
gcePersistentDisk:
pdName: my-pd
fsType: ext4
The solution consisted of specifying a security context that references GID 999 (appended to the original spec):
The Dockerfile for the official
postgresDocker image explicitly sets GID 999.