How do I set permissions on an NFS export so that it can be written to when it is used in an SC and PVC on Kubernetes?


I deployed Minikube on a Debian-based distribution (LMDE) and am using nfs-kernel-server:

/srv/nfs-volume1   *(rw,sync,no_subtree_check)

Then I added a PersistentVolume (PV) and PersistentVolumeClaim (PVC) to Minikube using csi-driver-nfs, following these instructions: https://discuss.kubernetes.io/t/use-nfs-for-persistent-volumes/19035

user@laptop1:/srv$ ls -lrt
total 4
drwxrwxrwx 4 nobody nogroup 4096 Aug 31 20:47 nfs-volume1
user@laptop1:/srv$

The StorageClass (SC) and PVC are configured as follows:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: nfs-vol1
provisioner: nfs.csi.k8s.io
parameters:
  server: 192.168.0.150
  share: /srv/nfs-volume1
reclaimPolicy: Delete
volumeBindingMode: Immediate
mountOptions:
  - hard
  - nfsvers=4.2
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc
spec:
  storageClassName: nfs-vol1
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 5Gi

The PVC is then used in a Kubeflow/JupyterLab-based notebook (taken from the Kubeflow UI):

apiVersion: kubeflow.org/v1beta1
kind: Notebook
metadata:
  annotations:
    notebooks.kubeflow.org/server-type: jupyter
  creationTimestamp: '2023-08-31T18:50:02Z'
  generation: 1
  labels:
    app: volume-book
  managedFields:
    - apiVersion: kubeflow.org/v1beta1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:notebooks.kubeflow.org/server-type: {}
          f:labels:
            .: {}
            f:app: {}
        f:spec:
          .: {}
          f:template:
            .: {}
            f:spec:
              .: {}
              f:containers: {}
              f:serviceAccountName: {}
              f:tolerations: {}
              f:volumes: {}
      manager: OpenAPI-Generator
      operation: Update
      time: '2023-08-31T18:50:02Z'
    - apiVersion: kubeflow.org/v1beta1
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          .: {}
          f:conditions: {}
          f:containerState:
            .: {}
            f:running:
              .: {}
              f:startedAt: {}
          f:readyReplicas: {}
      manager: manager
      operation: Update
      subresource: status
      time: '2023-08-31T18:50:06Z'
  name: volume-book
  namespace: kubeflow-user-example-com
  resourceVersion: '110625'
  uid: c92ba16b-4b0b-4399-b651-77d7a2eb730f
spec:
  template:
    spec:
      containers:
        - env: []
          image: kubeflownotebookswg/jupyter-pytorch-cuda-full:v1.7.0-rc.0
          imagePullPolicy: IfNotPresent
          name: volume-book
          resources:
            limits:
              cpu: '0.6'
              memory: 1.2Gi
              nvidia.com/gpu: '1'
            requests:
              cpu: '0.5'
              memory: 1Gi
          volumeMounts:
            - mountPath: /dev/shm
              name: dshm
            - mountPath: /home/jovyan/kubeflow-volume
              name: kubeflow-volume
            - mountPath: /home/jovyan
              name: volume-book-volume
      serviceAccountName: default-editor
      tolerations: []
      volumes:
        - emptyDir:
            medium: Memory
          name: dshm
        - name: kubeflow-volume
          persistentVolumeClaim:
            claimName: kubeflow-volume
            readOnly: false
        - name: volume-book-volume
          persistentVolumeClaim:
            claimName: volume-book-volume
status:
  conditions:
    - lastProbeTime: '2023-08-31T18:50:06Z'
      lastTransitionTime: '2023-08-31T18:50:05Z'
      status: 'True'
      type: Initialized
    - lastProbeTime: '2023-08-31T18:50:06Z'
      lastTransitionTime: '2023-08-31T18:50:06Z'
      status: 'True'
      type: Ready
    - lastProbeTime: '2023-08-31T18:50:06Z'
      lastTransitionTime: '2023-08-31T18:50:06Z'
      status: 'True'
      type: ContainersReady
    - lastProbeTime: '2023-08-31T18:50:06Z'
      lastTransitionTime: '2023-08-31T18:50:03Z'
      status: 'True'
      type: PodScheduled
  containerState:
    running:
      startedAt: '2023-08-31T18:50:05Z'
  readyReplicas: 1

However, when I want to write to the volume, the following error is raised:

 [I 2023-08-31 20:44:03.073 ServerApp] Creating new file in /kubeflow-volume 
 [W 2023-08-31 20:44:03.074 ServerApp] 403 POST /notebook/kubeflow-user-example-com/volume-book/api/contents/kubeflow-volume?1693514643048 (127.0.0.6): Permission denied: kubeflow-volume/untitled.txt 
 [W 2023-08-31 20:44:03.075 ServerApp] wrote error: 'Permission denied: kubeflow-volume/untitled.txt' 

The volume looks like this on the file system:

user@laptop1:/srv/nfs-volume1$ ll -d pvc-4a07985a-0207-41cc-8d2f-dec8ffbad3d7 
drwxrwsr-x 2 nobody nogroup 4096 Aug 31 20:47 pvc-4a07985a-0207-41cc-8d2f-dec8ffbad3d7

The ownership is taken from the NFS export directory, but the permissions are not.

How do I set the permissions so that the NFS storage class can be used in multiple notebooks/Pods?
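
Added example (not part of the original question): a Python model of the POSIX permission check applied to the two directory listings shown above, to show which permission class produces the "Permission denied". It assumes the export uses the nfs-kernel-server default root_squash (no override appears in the exports line) and that the notebook process runs as UID 1000 / GID 100, which are constructed values the question does not state.

```python
import stat

ANON = 65534  # nobody/nogroup on Debian; root_squash (exports default) maps ID 0 here
# Constructed: the question gives no numeric IDs; 1000/100 is an assumed notebook user.
NOTEBOOK_UID, NOTEBOOK_GIDS = 1000, {100}

def parse_ls_mode(text):
    """Convert an `ls -l` mode string such as 'drwxrwsr-x' to permission bits."""
    bits = 0
    for i, ch in enumerate(text[1:10]):
        if i % 3 == 2:  # execute slot can also encode setuid/setgid/sticky
            if ch in "sStT":
                bits |= (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)[i // 3]
            if ch in "xst":
                bits |= 1 << (8 - i)
        elif ch != "-":
            bits |= 1 << (8 - i)
    return bits

def squash(uid, gids):
    """Server-side root_squash: client ID 0 becomes the anonymous ID."""
    return (ANON if uid == 0 else uid), {ANON if g == 0 else g for g in gids}

def can_create(mode, owner_uid, owner_gid, uid, gids):
    """Creating a file needs write+search on the directory, taken from ONE class:
    owner if the UID matches, else group, else other."""
    uid, gids = squash(uid, gids)
    shift = 6 if uid == owner_uid else 3 if owner_gid in gids else 0
    need = 0o3 << shift
    return (mode & need) == need

EXPORT_DIR = parse_ls_mode("drwxrwxrwx")  # /srv/nfs-volume1 listing
PVC_DIR = parse_ls_mode("drwxrwsr-x")     # pvc-... subdirectory listing

def report():
    check = lambda mode, uid, gids: can_create(mode, ANON, ANON, uid, gids)
    return {
        "root (squashed) on pvc dir": check(PVC_DIR, 0, {0}),
        "notebook user on pvc dir": check(PVC_DIR, NOTEBOOK_UID, NOTEBOOK_GIDS),
        "notebook user on export root": check(EXPORT_DIR, NOTEBOOK_UID, NOTEBOOK_GIDS),
        "notebook user with gid 65534": check(PVC_DIR, NOTEBOOK_UID, NOTEBOOK_GIDS | {ANON}),
    }

if __name__ == "__main__":
    print(oct(PVC_DIR))
    for who, ok in report().items():
        print(f"{who}: {'write allowed' if ok else 'Permission denied'}")
```

With these assumptions the notebook user falls into the "other" class of the pvc-... directory (r-x), while a root client squashed to nobody lands in the owner class; the world-writable bits of the export root do not carry over to the subdirectory.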
