部署在Google容器引擎中的非root用户的Docker容器无法写入已安装的GCE Persistent磁盘

我正在玩kubernetes和谷歌容器引擎(GKE).

我从这个图像jupyter/all-spark-notebook部署了一个容器

这是我的复制控制器:

{
  "apiVersion": "v1",
  "kind": "ReplicationController",
  "metadata": {
    "name": "datalab-notebook"
  },
  "spec": {
    "replicas": 1,
    "selector": {
      "app": "datalab-notebook"
    },
    "template": {
      "metadata": {
        "name": "datalab-notebook",
        "labels": {
          "environment": "TEST",
          "app": "datalab-notebook"
        }
      },
      "spec": {
        "containers": [{
          "name": "datalab-notebook-container",
          "image": "jupyter/all-spark-notebook",
          "env": [],
          "ports": [{
            "containerPort": 8888,
            "name": "datalab-port"
          }],
          "volumeMounts": [{
            "name": "datalab-notebook-persistent-storage",
            "mountPath": "/home/jovyan/work"
          }]
        }],
        "volumes": [{
          "name": "datalab-notebook-persistent-storage",
          "gcePersistentDisk": {
            "pdName": "datalab-notebook-disk",
            "fsType": "ext4"
          }
        }]
      }
    }

  }
}

如您所见,我安装了Google Compute Engine永久磁盘.我的问题是容器使用非root用户,而挂载的磁盘由root拥有.所以我的容器无法写入磁盘.

有没有办法挂载GCE持久磁盘并使它们对没有非root用户的容器进行读/写？

另一个一般性问题:在Google容器引擎中使用root用户运行容器是否安全？

提前感谢您的意见

1> Paul Morie..：

---

您可以使用pod的安全上下文的FSGroup字段来使非root用户可以写入GCE PD.

在此示例中,gce卷将由组1234拥有,容器进程将在其补充组列表中具有1234:

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  securityContext:
    fsGroup: 1234
  containers:
  - image: gcr.io/google_containers/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    # This GCE PD must already exist.
    gcePersistentDisk:
      pdName: my-data-disk
      fsType: ext4

---

@PaulMorie我试图使用`fsGroup`和`supplementalGroups`失败,例如`Error creating:pods""是禁止的:SecurityContext.FSGroup是禁止的.CoreOS,Docker 1.10.3,Kube 1.2.2.显而易见的我错过了什么？