Lab 9.3 Create a Persistent Volume Claim - permissions issue

dsfraser

I've just completed this lab and think I get it but I thought I'd try out writing to the hello.txt file pre-created on the volume from a container running on two different nodes. I found that it was not possible to write to the pre-created hello.txt file due to a permissions error.
kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "echo 'changed by s7lpl' >> /opt/hello.txt" /bin/bash: line 1: /opt/hello.txt: Permission denied
I found however that I could create a file from one of the containers and the write to it from both
kubectl exec nginx-nfs-76d96bcdb-x4thj -c nginx -- /bin/bash -c "echo 'x4thj change' > /opt/s7lplfile.txt" kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "cat /opt/s7lplfile.txt" x4thj change
Change from other container on other node
kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "echo 's71pl change' >> /opt/s7lplfile.txt"
File has now been changed by both containers
kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "cat /opt/s7lplfile.txt" x4thj change s71pl change
NFT exports on CP
lab1cp1:~$ cat /etc/exports /opt/sfw/ *(rw,sync,no_root_squash,subtree_check)

hello file permissions
lab1cp1:~$ ls -l /opt/sfw/hello.txt -rw-rw-rw- 1 samfraser samfraser 32 Sep 18 16:13 /opt/sfw/hello.txt

PV
lab1cp1:~$ kubectl get pv lab1pvvol-1 -o yaml apiVersion: v1 kind: PersistentVolume metadata: annotations: pv.kubernetes.io/bound-by-controller: "yes" creationTimestamp: "2025-09-18T13:18:23Z" finalizers: - kubernetes.io/pv-protection name: lab1pvvol-1 resourceVersion: "781741" uid: 48a9c3e4-2780-4527-99c0-4d667b335b3b spec: accessModes: - ReadWriteMany capacity: storage: 20Mi claimRef: apiVersion: v1 kind: PersistentVolumeClaim name: lab1pvc-one namespace: default resourceVersion: "781739" uid: 88b6ffac-662a-4136-a9b6-bb771a3dd6da nfs: path: /opt/sfw server: lab1cp persistentVolumeReclaimPolicy: Retain volumeMode: Filesystem

PVC
lab1cp1:~$ kubectl get pvc lab1pvc-one -o yaml apiVersion: v1 kind: PersistentVolumeClaim metadata: annotations: pv.kubernetes.io/bind-completed: "yes" pv.kubernetes.io/bound-by-controller: "yes" creationTimestamp: "2025-09-18T13:38:12Z" finalizers: - kubernetes.io/pvc-protection name: lab1pvc-one namespace: default resourceVersion: "781743" uid: 88b6ffac-662a-4136-a9b6-bb771a3dd6da spec: accessModes: - ReadWriteMany resources: requests: storage: 10Mi volumeMode: Filesystem volumeName: lab1pvvol-1

Pod spec (relevant stuff)
spec: volumeMounts: - mountPath: /opt name: nfs-vol securityContext: fsGroup: 1000 volumes: - name: nfs-vol persistentVolumeClaim: claimName: lab1pvc-one

As you can see I've tried to add security Context with the same group as the file on the cp but that didn't make any difference, any ideas?

chrispokorni

Hi @dsfraser,

Did you set the permission on /opt/sfw/ as instructed in step 2 of lab exercise 9.2?

Regards,
-Chris

dsfraser

yes I have
ls -l /opt/
drwxrwxrwt 3 root root 4096 Sep 25 19:54 sfw