Files owner in Kubernetes volume

Question

Do you have any recommendation how to approach: https://github.com/istio/istio/issues/22025 ?

Case description

I have a Deployment with two Volumes. Once pods are started, files owner’s from volumes are changed to 1337, which is a user which runs istio-proxy.

So, here is my pod:

apiVersion: v1
kind: Pod
# ...
spec:
  containers:
  - name: my-container
    securityContext:
      runAsUser: 0
    volumeMounts:
    - mountPath: /root/.ssh/id_rsa
      name: git-ssh-key
      readOnly: true
      subPath: id_rsa
    - mountPath: /opt/webhook/log4j2.xml
      name: log4j2-config
      readOnly: true
      subPath: log4j2.xml
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-v88pp
      readOnly: true
    # ...
  - name: istio-proxy
    image: docker.io/istio/proxyv2:1.5.2
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1337
      runAsNonRoot: true
      runAsUser: 1337
    volumeMounts:
    - mountPath: /var/run/secrets/istio
      name: istiod-ca-cert
    - mountPath: /etc/istio/proxy
      name: istio-envoy
    - mountPath: /var/run/secrets/tokens
      name: istio-token
    - mountPath: /etc/istio/pod
      name: podinfo
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-v88pp
      readOnly: true
    # ...
  initContainers:
  - command:
    - istio-iptables
    - -p
    - "15001"
    - -z
    - "15006"
    - -u
    - "1337"
    - -m
    - REDIRECT
    - -i
    - '*'
    - -x
    - ""
    - -b
    - '*'
    - -d
    - 15090,15020
    image: docker.io/istio/proxyv2:1.5.2
    imagePullPolicy: IfNotPresent
    name: istio-init
    resources:
      limits:
        cpu: 100m
        memory: 50Mi
      requests:
        cpu: 10m
        memory: 10Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
  securityContext:
    fsGroup: 1337

  volumes:
  - configMap:
      defaultMode: 511
      items:
      - key: log4j2.xml
        path: log4j2.xml
      name: my-app
    name: log4j2-config
  - name: git-ssh-key
    secret:
      defaultMode: 448
      items:
      - key: id_rsa
        path: id_rsa
      secretName: my-app
  - name: default-token-v88pp
    secret:
      defaultMode: 420
      secretName: default-token-v88pp
  - emptyDir:
      medium: Memory
    name: istio-envoy
  - downwardAPI:
      defaultMode: 420
      items:
      - fieldRef:
          apiVersion: v1
          fieldPath: metadata.labels
        path: labels
      - fieldRef:
          apiVersion: v1
          fieldPath: metadata.annotations
        path: annotations
    name: podinfo
  - name: istio-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: istio-ca
          expirationSeconds: 43200
          path: istio-token
  - configMap:
      defaultMode: 420
      name: istio-ca-root-cert
    name: istiod-ca-cert
  # ...

And, once it starts file owner in my two volumes are changed from root to 1337:

$ kubectl exec -ti my-pod -c my-container bash
bash-4.3# ls -lha /opt/webhook/log4j2.xml ~/.ssh/id_rsa
-rwxrwxrwx    1 root     1337        9.1K May 13 11:29 /opt/webhook/log4j2.xml
-rwxr-----    1 root     1337        3.3K May 13 11:29 /root/.ssh/id_rsa
1 Like

New to istio. Faced the same issue. because of 1337 group, user app cannot write into it.
Any suggestions?