Lab 9.3 Create a Persistent Volume Claim - permissions issue

dsfraser

I've just completed this lab and think I get it but I thought I'd try out writing to the hello.txt file pre-created on the volume from a container running on two different nodes. I found that it was not possible to write to the pre-created hello.txt file due to a permissions error.
kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "echo 'changed by s7lpl' >> /opt/hello.txt" /bin/bash: line 1: /opt/hello.txt: Permission denied
I found however that I could create a file from one of the containers and the write to it from both
kubectl exec nginx-nfs-76d96bcdb-x4thj -c nginx -- /bin/bash -c "echo 'x4thj change' > /opt/s7lplfile.txt" kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "cat /opt/s7lplfile.txt" x4thj change
Change from other container on other node
kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "echo 's71pl change' >> /opt/s7lplfile.txt"
File has now been changed by both containers
kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "cat /opt/s7lplfile.txt" x4thj change s71pl change
NFT exports on CP
lab1cp1:~$ cat /etc/exports /opt/sfw/ *(rw,sync,no_root_squash,subtree_check)

hello file permissions
lab1cp1:~$ ls -l /opt/sfw/hello.txt -rw-rw-rw- 1 samfraser samfraser 32 Sep 18 16:13 /opt/sfw/hello.txt

PV
lab1cp1:~$ kubectl get pv lab1pvvol-1 -o yaml apiVersion: v1 kind: PersistentVolume metadata: annotations: pv.kubernetes.io/bound-by-controller: "yes" creationTimestamp: "2025-09-18T13:18:23Z" finalizers: - kubernetes.io/pv-protection name: lab1pvvol-1 resourceVersion: "781741" uid: 48a9c3e4-2780-4527-99c0-4d667b335b3b spec: accessModes: - ReadWriteMany capacity: storage: 20Mi claimRef: apiVersion: v1 kind: PersistentVolumeClaim name: lab1pvc-one namespace: default resourceVersion: "781739" uid: 88b6ffac-662a-4136-a9b6-bb771a3dd6da nfs: path: /opt/sfw server: lab1cp persistentVolumeReclaimPolicy: Retain volumeMode: Filesystem

PVC
lab1cp1:~$ kubectl get pvc lab1pvc-one -o yaml apiVersion: v1 kind: PersistentVolumeClaim metadata: annotations: pv.kubernetes.io/bind-completed: "yes" pv.kubernetes.io/bound-by-controller: "yes" creationTimestamp: "2025-09-18T13:38:12Z" finalizers: - kubernetes.io/pvc-protection name: lab1pvc-one namespace: default resourceVersion: "781743" uid: 88b6ffac-662a-4136-a9b6-bb771a3dd6da spec: accessModes: - ReadWriteMany resources: requests: storage: 10Mi volumeMode: Filesystem volumeName: lab1pvvol-1

Pod spec (relevant stuff)
spec: volumeMounts: - mountPath: /opt name: nfs-vol securityContext: fsGroup: 1000 volumes: - name: nfs-vol persistentVolumeClaim: claimName: lab1pvc-one

As you can see I've tried to add security Context with the same group as the file on the cp but that didn't make any difference, any ideas?

chrispokorni

Hi @dsfraser,

Did you set the permission on /opt/sfw/ as instructed in step 2 of lab exercise 9.2?

Regards,
-Chris

dsfraser

yes I have
ls -l /opt/
drwxrwxrwt 3 root root 4096 Sep 25 19:54 sfw

chrispokorni

Hi @dsfraser,

I just went through the exercise and I was not able to reproduce the issue.

I used the hello.txt file created as instructed in step 2 of lab 9.2 and a new.txt file created by one of the pods. They both have the same permissions and each echo attempt succeeds from either one of the pod replicas of the nginx-nfs deployment.

Permissions of /opt/sfw:

student@cp:~$ ls -la /opt/
drwxrwxrwt  2 root root 4096 Oct 10 17:12 sfw/

Permissions of the 2 files in /opt/sfw verified from the cp node:

student@cp:~$ ls -la /opt/sfw/
-rw-r--r-- 1 root root    9 Oct 10 17:14 hello.txt
-rw-r--r-- 1 root root   34 Oct 10 18:38 new.txt

Permissions of the 2 files verified from one of the nginx-nfs pod replicas:

student@cp:~$ kubectl exec nginx-nfs-59d684b459-cmb6h -- /bin/bash -c "ls -la /opt"
-rw-r--r-- 1 root root   29 Oct 10 18:25 hello.txt
-rw-r--r-- 1 root root   48 Oct 10 18:41 new.txt

Are there any permission restrictions in your manifest?

Regards,
-Chris