kubernetes, terraform, oracle-cloud-infrastructure

Why can't I run this init container as root


I am trying to chown a mounted volume using an init container, because the volume is owned by root. But the init container is unable to become root. This is what I gave in the init container:

    init_container {
      name    = "init-eclipse"
      image   = "busybox:latest"
      command = ["chown", "-R", "1000:1000", "/data"]

      security_context {
        run_as_user                = "0"
        privileged                 = "true"
        allow_privilege_escalation = "true"
        read_only_root_filesystem  = "false"
        run_as_non_root            = "false"

        capabilities {
          add  = ["CAP_SYS_ADMIN", "CHOWN", "FOWNER", "DAC_OVERRIDE"]
          drop = ["ALL"]
        }
      }

      volume_mount {
        mount_path = "/data"
        name       = "home-coder-vol-${data.coder_workspace.me.owner}-${lower(data.coder_workspace.me.name)}"
      }
    }

I get an error like: chown /data/.snapshot not permitted. This is inside an OKE cluster on OCI cloud, if that matters.

I tried adding some stuff given on IBM Cloud for a similar thing: https://www.ibm.com/docs/en/cam/3.2.1.0?topic=ts-troubleshooting-issues-in-installation-cloud-automation-manager-cloud-private-openshift-cloud

I see a lot of people doing the same thing with an init container to chown mounted folders, but I can't do it. Why is this happening? Do we need to have any special provision in k8s for this to work?

EDIT: So I changed the command to print whoami to a file which I read from the container. It said root. So the INIT container IS running as root, but it cannot chown.


Solution

  • The init container is not being given the necessary privileges to chown the mounted volume. In order for the init container to have the necessary permissions, you will need to set the securityContext of the initContainer to runAsUser: 0 and set allowPrivilegeEscalation to true. Additionally, you will need to add the CHOWN, FOWNER, and DAC_OVERRIDE capabilities to the capabilities.add list and the ALL capability to the capabilities.drop list. Doing this should give the init container the necessary privileges to chown the volume.

    Refer to this init container blog from the Kubernetes community forum.
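As an added example (not code from the question, the answer, or any linked blog): a small POSIX shell entrypoint for the init container that does the chown one top-level entry at a time, skips names that are treated as server-managed, and verifies the result instead of trusting the exit status of chown -R. The error in the question names /data/.snapshot; on NFS-backed file storage a top-level .snapshot directory is usually a read-only snapshot view owned by the server, which no capability inside the container can change, so the script treats that name as something to skip rather than as a failure (an assumption here, since the page does not say what backs the volume). Everything else under the mount is chowned and then checked with stat, so the container exits non-zero only when a path it was meant to fix still has the wrong owner. The function name fix_ownership, the skip-list argument, and the idea of shipping the script as a ConfigMap-backed file and pointing command at it (for example command = ["sh", "/scripts/fix-ownership.sh", "/data", "1000:1000"]) are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Init-container entrypoint that fixes ownership of a mounted volume one
# top-level entry at a time. Names in the skip list (".snapshot" always,
# plus any extra arguments) are assumed to be server-managed, read-only
# views that no in-container capability can chown, so they are skipped
# rather than counted as failures. Every other entry is chowned
# recursively and then verified with stat.
#
# usage: fix_ownership <mount-point> <uid>:<gid> [extra-name-to-skip ...]
# prints "skipped=N failed=M" on stdout and exits 0 only when failed=0.

fix_ownership() {
    target="$1"
    owner="$2"                  # must be numeric uid:gid, e.g. 1000:1000
    shift 2
    skip_names="$* .snapshot"   # space-separated; names containing spaces are not supported

    want_uid="${owner%%:*}"
    want_gid="${owner##*:}"
    skipped=0
    failed=0

    # Three globs cover plain, dot-prefixed and double-dot-prefixed names.
    for entry in "$target"/* "$target"/.[!.]* "$target"/..?*; do
        [ -e "$entry" ] || continue        # glob matched nothing; dangling symlinks are ignored
        name="${entry##*/}"

        case " $skip_names " in
            *" $name "*)
                skipped=$((skipped + 1))
                continue
                ;;
        esac

        # chown -R keeps going after an error and exits non-zero; ownership is
        # checked explicitly below instead of trusting that exit status.
        chown -R "$owner" "$entry" 2>/dev/null || true

        got="$(stat -c '%u:%g' "$entry")"   # GNU coreutils and busybox both support -c
        if [ "$got" != "$want_uid:$want_gid" ]; then
            echo "fix_ownership: $entry is owned by $got, expected $owner" >&2
            failed=$((failed + 1))
        fi
    done

    # The mount point itself needs the new owner too (non-recursive on purpose:
    # the children were handled above, with the skip list applied).
    chown "$owner" "$target" 2>/dev/null || true
    got="$(stat -c '%u:%g' "$target")"
    if [ "$got" != "$want_uid:$want_gid" ]; then
        echo "fix_ownership: $target is owned by $got, expected $owner" >&2
        failed=$((failed + 1))
    fi

    echo "skipped=$skipped failed=$failed"
    [ "$failed" -eq 0 ]
}
```

With this entrypoint the security_context from the answer can stay at run_as_user = "0" with CHOWN, FOWNER and DAC_OVERRIDE added on top of drop = ["ALL"]: chown itself needs CAP_CHOWN, and FOWNER and DAC_OVERRIDE let root traverse and modify directories whose mode bits would otherwise block it. privileged = "true" and SYS_ADMIN add nothing to an ownership change, so removing them takes away the broad host and device access a privileged container carries without changing what the init container can do to the volume.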