It looks like the Consul data files are created using 600 permissions. Is there a capability to specify an alternative file permission (e.g. 660)?
The context for my question is the desire to use Kubernetes runAsUser to start Consul with the data files on a persistent volume.
We’d like to be able to change the runAsUser without encountering “permission denied” errors due to file permissions on a system whose securityContext is not privileged and does not allow privilege escalation.
```yaml
securityContext:
  allowPrivilegeEscalation: false
  privileged: false
```
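The permission problem the question describes comes down to the kernel's discretionary access check on the volume, and fsGroup does not change that check: it only puts the container processes into one more group, and a file with mode 0600 grants that group nothing. The following is an added example, not code from the original post or from Consul. It models the POSIX access check and replays the thread's scenario with constructed file metadata (owner, group, mode), using the UIDs and fsGroup value from the manifest in the thread (472, 10001, 1234) as assumptions. It deliberately leaves out the kubelet's own ownership pass on volumes that support it, which can relax modes at pod start depending on the volume plugin and fsGroupChangePolicy; that is one reason a reproduction can depend on the storage in use.

```python
"""Why fsGroup alone does not open files a previous runAsUser created 0600.

Added example, not code from the original post or from Consul. It models
the POSIX discretionary access check the kernel applies on the volume and
replays the question's scenario with constructed file metadata, so it runs
offline and needs no root to chown anything. UIDs and the fsGroup value are
taken from the manifest in the thread (472, 10001, 1234).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

R, W = 4, 2  # permission bits we ask for


@dataclass(frozen=True)
class FileMeta:
    uid: int   # owner, normally the runAsUser that wrote the file
    gid: int   # group; with fsGroup set, the volume's setgid dirs pass it on
    mode: int  # permission bits only, e.g. 0o600


@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    supplementary: FrozenSet[int] = frozenset()


def can_access(f: FileMeta, p: Proc, want: int) -> bool:
    """Discretionary access check as the kernel does it.

    Exactly one bit class applies: owner if the uids match, else group if the
    file's gid is the process's primary or a supplementary gid, else other.
    There is no fall-through: a non-owner in the file's group is judged only
    by the group bits, and mode 0600 has none set.
    """
    if p.uid == 0:
        return True  # root bypasses DAC; not available to this unprivileged pod
    if f.uid == p.uid:
        bits = (f.mode >> 6) & 0o7
    elif f.gid == p.gid or f.gid in p.supplementary:
        bits = (f.mode >> 3) & 0o7
    else:
        bits = f.mode & 0o7
    return bits & want == want


def effective_mode(requested: int, umask: int) -> int:
    """open()/mkdir() clear umask bits from the requested mode. A umask can
    only narrow a mode, never widen 0600 to 0660, which is why the question
    needs either an application-side option or a chown/chmod step."""
    return requested & ~umask & 0o777


FSGROUP = 1234                  # pod.spec.securityContext.fsGroup in the manifest
OLD_UID, NEW_UID = 472, 10001   # the initContainer's chown target and the new runAsUser


def pod_process(run_as_user: int) -> Proc:
    # Kubernetes adds fsGroup as a supplementary group to every container
    # process in the pod; runAsGroup equals runAsUser in the manifest.
    return Proc(uid=run_as_user, gid=run_as_user, supplementary=frozenset({FSGROUP}))


def scenario(file_mode: int, chown_to: Optional[int] = None) -> Dict[str, bool]:
    """Access the new runAsUser gets to a data file left behind by the old one.

    Constructed metadata: the old pod wrote the file as OLD_UID with group
    FSGROUP (inherited from the setgid volume directory) and the given mode;
    chown_to models an initContainer that re-owns the data directory first.
    """
    owner = OLD_UID if chown_to is None else chown_to
    f = FileMeta(uid=owner, gid=FSGROUP, mode=file_mode)
    p = pod_process(NEW_UID)
    return {"read": can_access(f, p, R), "write": can_access(f, p, W)}


if __name__ == "__main__":
    for label, result in [
        ("0600 left by uid 472, fsGroup only", scenario(0o600)),
        ("0660 left by uid 472, fsGroup only", scenario(0o660)),
        ("0600 after initContainer chown to 10001", scenario(0o600, chown_to=NEW_UID)),
    ]:
        print(f"{label}: {result}")
```

The three cases correspond to the choices in the thread: leaving the files as the daemon wrote them (denied), getting the daemon to write 0660 so the fsGroup bits carry the access (allowed), or re-owning the data directory to the new runAsUser in an initContainer before the main container starts (allowed, at the cost of that initContainer needing to run as root or with CAP_CHOWN).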
Hey @domelz,
We tried recreating this scenario locally using the consul-helm template and updating the podSpec on the StatefulSet for the Consul Server. We experimented with changing the fsGroup/runAsUser/runAsGroup but were unable to reproduce a scenario where we ran into a “permission denied” situation on the consul data files.
Could you provide us with a config or reproduction steps so that we could recreate this scenario locally and understand it further?
Thanks!
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: consul-deployment
  namespace: backend
  labels:
    app: consul-service
spec:
  selector:
    matchLabels:
      app: consul-service
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 50%
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: consul-service
    spec:
      # initContainers:
      #   - name: take-data-dir-ownership
      #     image: alpine:3
      #     command:
      #       - chown
      #       - -R
      #       - 472:472
      #       - /consul/data
      #     volumeMounts:
      #       - name: consul-volume
      #         mountPath: /consul/data
      #     resources:
      #       requests:
      #         cpu: "100m"
      #         memory: "200M"
      #       limits:
      #         cpu: "500m"
      #         memory: "1024M"
      securityContext:
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 1234
      containers:
        - name: consul-service
          image: consul
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
          ports:
            - containerPort: 8500
              name: port1
          resources:
            requests:
              cpu: "100m"
              memory: "200M"
            limits:
              cpu: "500m"
              memory: "1024M"
          volumeMounts:
            - mountPath: /consul/data/
              name: consul-volume
      volumes:
        - name: consul-volume
          persistentVolumeClaim:
            claimName: consul-pvc
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: hpa-consul
  namespace: backend
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: consul-deployment
  minReplicas: 1
  maxReplicas: 2
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
---
apiVersion: v1
kind: Service
metadata:
  name: consul-service
  namespace: backend
spec:
  type: NodePort
  ports:
    - port: 8500
      name: port1
      nodePort: 31001
  selector:
    app: consul-service
```
I’m from google