Mounting NFS Share in Oracle Kubernetes Engine pods using CSI

Reddeppa S
Mar 31, 2022

I recently ran into an issue while mounting an NFS volume into Kubernetes Pods. The issue affects containers running as a non-root user. Because the volume is mounted with root ownership, containers running as root are not affected, but containers running as a non-root user get a permission denied error.

To fix the issue, you can use the hack below.

Create PersistentVolume:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: fss-static-pv
spec:
  capacity:
    storage: "50Gi"
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: fss.csi.oraclecloud.com
    volumeHandle: <FileSystemOCID:serverIP:path>

Replace the filesystem OCID, server IP, and path in the volume handle with actual values.

Create PersistentVolumeClaim:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: fss-claim
spec:
  storageClassName: ""
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: "50Gi"
  volumeName: fss-static-pv

Deploy a Pod with the PVC created above:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app.kubernetes.io/name: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: app
  template:
    metadata:
      labels:
        app.kubernetes.io/name: app
    spec:
      # Pod-level defaults: the main container runs as non-root UID 1000
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
      initContainers:
        # Runs before the main container and hands /data to UID 1000
        - name: volume-hack-init
          image: busybox
          command: [ 'sh', '-c', 'chown 1000 /data' ]
          volumeMounts:
            - mountPath: /data
              name: persistent-storage
          # Overrides the pod-level securityContext: only this container runs as root
          securityContext:
            privileged: false
            runAsUser: 0
            runAsNonRoot: false
            readOnlyRootFilesystem: false
            allowPrivilegeEscalation: false
      containers:
        # Placeholder image; replace with your application image
        - name: app
          image: busybox
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - mountPath: /data
              name: persistent-storage
      volumes:
        - name: persistent-storage
          persistentVolumeClaim:
            claimName: fss-claim

With this hack, the init container, which runs as root, changes the ownership of the mounted directory before the main container starts. After this change, the main container should be able to create files and directories without any issues.
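
A tighter variant of the init container above, added here as an example and not part of the original post: it still runs as root for the chown, but drops every Linux capability except CHOWN and makes its root filesystem read-only. It assumes that chown on this mount needs nothing beyond CAP_CHOWN in your cluster; the container name, image, and paths are the ones used in the Deployment above.

```yaml
# Added example: drop-in replacement for the initContainers entry
# under spec.template.spec in the Deployment above.
initContainers:
  - name: volume-hack-init
    image: busybox
    # Same command as the original: hand /data to the UID in runAsUser (1000)
    command: [ 'sh', '-c', 'chown 1000 /data' ]
    volumeMounts:
      - mountPath: /data
        name: persistent-storage
    securityContext:
      # Root is still needed to change ownership of the root-owned mount point
      runAsUser: 0
      runAsNonRoot: false
      privileged: false
      allowPrivilegeEscalation: false
      # chown writes only to the mounted volume, so the image filesystem can be read-only
      readOnlyRootFilesystem: true
      capabilities:
        # Assumption: CAP_CHOWN alone is enough for this chown
        drop: [ "ALL" ]
        add: [ "CHOWN" ]
      seccompProfile:
        type: RuntimeDefault
```

If the init container fails with a permission error after this change, check its logs with kubectl logs and the -c volume-hack-init option before widening the capability set.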
