If I have two groups that are not root users that will access a container's directory structure, is there a way to fine-tune permissions such that Group 1 can have WRITE permissions on /DIR1, but Group 2 only has READ or even NO ACCESS permissions on /DIR1? Assuming that this /DIR1 is NOT A MOUNTED VOLUME?
Does the answer change if the directory IS a mounted volume?
I am unable to find an absolute answer online, but I think I might be touching on something called a security context, though I can't quite wrap my head around it, so I don't know if I am understanding it correctly, as the examples always show a root and a non-root user, but never two non-root users.
I have considered the following avenues:
In your Dockerfile, create groups/users and set strict permissions:
# /DIR1 owned by user1:group1; rwx for owner and group, no access for others
RUN groupadd group1 && groupadd group2 && \
    useradd -g group1 user1 && useradd -g group2 user2 && \
    mkdir /DIR1 && \
    chown user1:group1 /DIR1 && \
    chmod 770 /DIR1
In the pod’s YAML, set the runtime identity:
securityContext:
  runAsUser: 1000
  runAsGroup: 1000
Use fsGroup to set volume group:
securityContext:
  fsGroup: 1000
(if you want to) Use an initContainer to fix permissions:
initContainers:
  - name: fix-permissions
    image: busybox
    command: ["sh", "-c", "chmod 770 /DIR1"]
    volumeMounts:
      - name: my-volume
        mountPath: /DIR1
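Added worked model (not part of the original post) of the POSIX permission check the kernel applies to /DIR1 under the chown/chmod settings above, evaluated for the runAsUser/runAsGroup identities. The uid/gid numbers are assumptions (useradd/groupadd defaults: group1=1000, group2=1001, user1=1000, user2=1001), and the extra_gids field stands in for the gids that fsGroup/supplementalGroups add to a process.

```python
# Model of the POSIX owner/group/other check for a directory.
# Assumed ids: group1=1000, group2=1001, user1=1000, user2=1001.
from dataclasses import dataclass

DIR1_MODE = 0o770          # from the Dockerfile's chmod 770 /DIR1
DIR1_OWNER = (1000, 1000)  # chown user1:group1 /DIR1 (assumed ids)


@dataclass
class Process:
    uid: int                             # securityContext.runAsUser
    gid: int                             # securityContext.runAsGroup
    extra_gids: frozenset = frozenset()  # fsGroup / supplementalGroups


def permission_class(owner_uid, owner_gid, proc):
    """Return the bit shift of the ONE class that applies: owner (6), group (3) or other (0).
    The kernel never falls through: an owner whose owner bits deny access is denied
    even if the group bits would allow it."""
    if proc.uid == owner_uid:
        return 6
    if owner_gid == proc.gid or owner_gid in proc.extra_gids:
        return 3
    return 0


def access(mode, owner, proc):
    """Return 'rwx'-style string for a non-root process (root bypasses these bits)."""
    bits = (mode >> permission_class(*owner, proc)) & 0o7
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def access_table(mode, owner=DIR1_OWNER):
    """Evaluate the question's three identities against /DIR1 at the given mode."""
    user1 = Process(uid=1000, gid=1000)
    user2 = Process(uid=1001, gid=1001)
    user2_plus_group1 = Process(uid=1001, gid=1001, extra_gids=frozenset({1000}))
    return {
        "user1": access(mode, owner, user1),
        "user2": access(mode, owner, user2),
        "user2+gid1000": access(mode, owner, user2_plus_group1),
    }


if __name__ == "__main__":
    # With a single owning group, group2 can only be in the "other" class (775 => r-x)
    # or be granted the same group bits as group1 via a supplementary gid.
    for mode in (0o770, 0o775, 0o750):
        print(f"mode {mode:o}: {access_table(mode)}")
```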