Accessing Kerberos NFS filer from kubernetes pod


I'm trying to access an NFS filer protected with Kerberos from my Kubernetes pod using a keytab file. To achieve this, here is what I have done so far.

  1. Created a Dockerfile with the Kerberos tools installed in it.

Dockerfile

FROM centos:7

RUN yum -y install krb5-workstation krb5-libs nfs-utils

docker build -t kerberos-centos:7 .

  2. Created a keytab file on my local machine for the principal account that has access to the NFS filer.

ktutil:  add_entry -password -p PRINCIPAL@KERBEROS_REALM -k 2 -e aes256-cts-hmac-sha1-96
Password for PRINCIPAL@KERBEROS_REALM:
ktutil:  write_kt kerberos.keytab
ktutil:  quit

After generating the keytab, if I run klist I can see the ticket details:

Ticket cache: FILE:/tmp/krb5cc_XXXX
Default principal: PRINCIPAL@KERBEROS_REALM

Valid starting     Expires            Service principal
07/27/23 15:05:28  07/28/23 01:05:28  krbtgt/KERBEROS_REALM@KERBEROS_REALM
        renew until 07/28/23 11:12:52

  3. Created a Kubernetes secret to store the keytab file, which will be mounted as a secret file.

kubectl create secret generic kerberos-keytab --from-file=kerberos.keytab

  4. Created a configmap to store the krb5.conf file, which will be mounted as a configmap.

kubectl create configmap krb5conf --from-file=krb5.conf

  5. Created a PV and PVC.

PV

apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfs-kerberos
spec:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 1Gi
  mountOptions:
  - sec=krb5p
  nfs:
    path: /vol1/somepath/
    server: XXXXXXXXXXXX
  persistentVolumeReclaimPolicy: Retain

PVC

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: kerberos-pvc
  namespace: XXXXX
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: ""

  6. Finally, created the pod template file to access the NFS share, with a kinit command to obtain the TGT from the KDC server. The pod runs as a specific user (set via securityContext) which has access to the NFS filer.

Here is the pod template

apiVersion: v1
kind: Pod
metadata:
  name: kerberos-pod
  namespace: xxxxx
spec:
  containers:
  - image: kerberos-centos:7
    imagePullPolicy: Always
    name: kerberos-pod
    command:
    - sh
    - -c
    - |
      kinit -V PRINCIPAL@KERBEROS_REALM -kt /etc/kerberos.keytab;
      sleep 300000
    volumeMounts:
    - name: kerberoskeytab
      mountPath: /etc/kerberos.keytab
      subPath: kerberos.keytab
    - name: krb5conf
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
    - name: nfs
      mountPath: /mnt
    securityContext:
      runAsGroup: XXXXX
      runAsUser: XXXXX
  imagePullSecrets:
    - name: artifactory-identity-token
  volumes:
  - name: nfs
    persistentVolumeClaim:
      claimName: kerberos-pvc
  - name: kerberoskeytab
    secret:
      secretName: kerberos-keytab
      items:
      - key: kerberos.keytab
        path: kerberos.keytab
  - name: krb5conf
    configMap:
      name: krb5conf
      items:
      - key: krb5.conf
        path: krb5.conf

The pod starts successfully, but when I access the /mnt folder within the pod I get permission denied.

bash-4.2$ cd /mnt/
bash: cd: /mnt/: Permission denied

If I run klist within the pod I can see the TGT details.

Ticket cache: FILE:/tmp/krb5cc_XXXX
Default principal: PRINCIPAL@KERBEROS_REALM

Valid starting     Expires            Service principal
07/27/23 15:05:28  07/28/23 01:05:28  krbtgt/KERBEROS_REALM@KERBEROS_REALM
        renew until 07/28/23 11:12:52

But if I log in to the Kubernetes worker node with the principal account, then I'm able to access the NFS share from within the Kubernetes pod. I'm not sure how to access the NFS share using only the keytab file.

Please assist.

Thanks in advance!
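An added pre-flight check script (not part of the original post) that can be run inside the pod described above before touching /mnt. It assumes the question's layout: keytab at /etc/kerberos.keytab, share at /mnt, and the principal passed as the first argument; the /proc/mounts and klist samples are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for a Kerberos-secured NFS mount inside a pod (added
# example, assumes the pod layout from the question above).

# Extract the value of the sec= mount option from one /proc/mounts line.
# Prints the security flavor (e.g. krb5p) or "none" if the option is absent.
nfs_sec_flavor() {
    printf '%s\n' "$1" | awk '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^sec=/) { sub(/^sec=/, "", opts[i]); print opts[i]; exit }
        print "none"
    }'
}

# Extract the default principal from klist output.
klist_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# Return 0 if the credential cache (klist output in $2) belongs to principal $1.
principal_matches() {
    [ "$(klist_principal "$2")" = "$1" ]
}

# Constructed sample inputs, not output from the poster's cluster.
SAMPLE_MOUNT='10.0.0.5:/vol1/somepath/ /mnt nfs4 rw,relatime,vers=4.1,sec=krb5p,clientaddr=10.0.1.7 0 0'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: PRINCIPAL@KERBEROS_REALM'

# Live checks; only meaningful where kinit/klist and the NFS mount exist.
preflight() {
    principal="$1"
    flavor=$(nfs_sec_flavor "$(grep ' /mnt ' /proc/mounts)")
    echo "mount security flavor: $flavor (the PV requested krb5p)"
    kinit -kt /etc/kerberos.keytab "$principal" || return 1
    principal_matches "$principal" "$(klist)" \
        || { echo "credential cache holds a different principal"; return 1; }
    # The NFS mount is done by the node's kernel NFS client, so the GSS
    # context is obtained by rpc.gssd on the worker node, which looks for
    # a credential cache belonging to this uid on the node, not in the pod.
    echo "running as uid $(id -u); rpc.gssd on the node resolves credentials for this uid"
}
```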
