local-path-provisioner
[BUG] Permission denied when deleting pvc
The helper-pods are not able to delete the pv from the disk. We receive the following error message in the logs of the helper-pods:
rm: can't remove '/opt/local-path-provisioner/pvc-47c78805-8957-428d-8996-d10b0517e043': Permission denied
Installation of local-path-provisioner is based on https://github.com/rancher/local-path-provisioner/blob/master/deploy/local-path-storage.yaml. Additionally we use the following PodSecurityPolicy to allow the execution of local-path-provisioner as root:
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: local-path-provisioner
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'secret'
    - 'downwardAPI'
    - 'hostPath'
  allowedHostPaths:
    - pathPrefix: "/opt/local-path-provisioner"
      readOnly: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
Which is also successfully bound to LocalPathProvisioner and the Helper Pods:
---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/psp: local-path-provisioner
  name: local-path-provisioner-569fc54756-x9c22
---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/psp: local-path-provisioner
  name: helper-pod-delete-pvc-6c12fbab-1d15-44ef-a1cd-80b5a512f7eb
Any help very much appreciated. :)
Used Versions:
kubespray: v0.15.0
kubernetes: v1.19.7
containerd: v1.4.3
local-path-provisioner: v.0.0.19
I could reproduce the same issue with the helm chart from here: https://artifacthub.io/packages/helm/containeroo/local-path-provisioner
Any thoughts on this, somebody?