我正在 aws eks 1.26 内运行一个 Pod。我需要通过kubectl exec操作挂载 aws efs,如果 POD 未使用特权容器启动,则会失败。
在 aws eks 内运行的容器需要什么权限才能执行mount挂载 aws efs 的命令?
这个配置有效
securityContext:
privileged: true
allowPrivilegeEscalation: true
此配置失败
securityContext:
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop:
- all
add:
- NET_ADMIN
- SYS_ADMIN
我得到以下信息错误:
pod-9cff887c9-cnsk9:~$ mount -t nfs \
-o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport \
fs-IIIIID.efs.us-west-2.amazonaws.com:/ \
~/efs-mount-point
mount: drop permissions failed.
下面是容器的图片
FROM debian:latest
RUN apt update -y && apt install git nano ssh tar binutils \
curl jq lsof make netcat nmap openssh-client rsync strace \
sudo tcpdump telnet vim-nox wget fpart -y
# https://docs.aws.amazon.com/efs/latest/ug/installing-amazon-efs-utils.html
# Here we install EFS utils for mounting whole EFS system (backup restore purposes and etc)https://docs.aws.amazon.com/efs/latest/ug/installing-amazon-efs-utils.html
RUN git clone https://github.com/aws/efs-utils && \
cd efs-utils && \
./build-deb.sh && \
apt-get -y install ./build/amazon-efs-utils*deb
RUN apt-get clean && rm -rf /var/lib/apt/lists/*
RUN groupadd -g 1001 deploy && \
useradd -u 1001 -g 1001 --create-home -s /bin/bash deploy && \
adduser deploy sudo && \
echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# Add git config
COPY ./docker/.gitconfig /root/.gitconfig
COPY ./docker/.gitconfig /home/deploy/.gitconfig
WORKDIR /home/deploy
USER deploy
这是我的 AWS EFS 信息
