What is the correct and secure way to run a single instance mongo in kubernetes with Persistent volumes?


I am trying to deploy a single instance mongodb inside of a kubernetes cluster (RKE2 specifically) on an AWS ec2 instance running Redhat 8.5. I am just trying to use the local file system i.e. no EBS. I am having trouble getting my application to work with persistent volumes so I have a few questions. Below is my pv.yaml

kind: Namespace
apiVersion: v1
metadata:
  name: mongo
  labels:
    name: mongo
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mongodb-pv
  namespace: mongo
  labels:
    type: local
spec:
  storageClassName: manual
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/home/ec2-user/database"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mongodb-pvc
  namespace: mongo
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

And here is my mongo deployment (I know having the user/password in plain text is not secure but this is for the sake of the example)

apiVersion: v1
kind: Pod
metadata:
  name: mongodb-pod
  namespace: mongo
  labels:
    app.kubernetes.io/name: mongodb-pod
spec:
  containers:
  - name: mongo
    image: mongo:latest
    imagePullPolicy: Always
    ports:
    - containerPort: 27017
      name: mongodb-cp
    env:
    - name: MONGO_INITDB_ROOT_USERNAME
      value: "user"
    - name: MONGO_INITDB_ROOT_PASSWORD
      value: "password"
    volumeMounts:
    - mountPath: /data/db
      name: mongodb-storage
  volumes:
  - name: mongodb-storage
    persistentVolumeClaim:
      claimName: mongodb-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: mongodb
  namespace: mongo
spec:
  selector:
    app.kubernetes.io/name: mongodb-pod
  ports:
  - name: mongodb-cp
    port: 27017
    targetPort: mongodb-cp

When I run the above configuration files, I get the following errors from the mongo pod:

find: '/data/db': Permission denied
chown: changing ownership of '/data/db': Permission denied

I tried creating a mongodb user on the host with a uid and gid of 1001 since that is the process owner inside the mongo container and chowning the hostPath mentioned above but the error persists.

I have tried adding a securityContext block at both the pod and container level like so:

securityContext:
  runAsUser: 1001
  runAsGroup: 1001
  fsGroup: 1001

which does get me further, but I now get the following error:

{"t":{"$date":"2022-06-02T20:32:13.015+00:00"},"s":"E",  "c":"CONTROL",  "id":20557,   "ctx":"initandlisten","msg":"DBException in initAndListen, terminating","attr":{"error":"IllegalOperation: Attempted to create a lock file on a read-only directory: /data/db"}}

and then the pod dies. If I set the container securityContext to privileged:

securityContext:
  privileged: true

Everything runs fine. So the two questions are: is it secure to run a pod as privileged? If not (which is my assumption), what is the correct and secure way to use persistent volumes with the above configurations/example?
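One hardened layout for this setup, as an added example that is not part of the question (the node name, the data path and the `mongo:6.0` tag are assumptions; UID 1001 is the value the question uses and must match the UID the chosen image actually runs as). It reuses the question's `mongo` Namespace and Service and changes three things: the credentials move into a Secret, the hostPath PersistentVolume becomes a `local` PersistentVolume, and the bare Pod becomes a single-replica StatefulSet with a non-root securityContext. The `fsGroup` attempt in the question keeps failing because the kubelet never changes ownership of hostPath directories, whereas it does apply `fsGroup` to `local` volumes. `privileged: true` "works" only because it removes the container's SELinux confinement, seccomp filter and capability bounding set together with every other isolation boundary, which is far more than a database process needs.

```yaml
# Added example, not the question's manifests. Assumed values: node name
# "worker-1", node directory /var/lib/mongodb-data, image tag mongo:6.0.
# UID/GID 1001 is taken from the question; use the UID your image runs as.
apiVersion: v1
kind: Secret
metadata:
  name: mongodb-root-credentials
  namespace: mongo
type: Opaque
stringData:
  username: user        # placeholder, replace
  password: change-me   # placeholder, replace
---
# A `local` PV instead of hostPath: pinned to one node via nodeAffinity, and
# the kubelet applies the pod's fsGroup to it (it does not for hostPath).
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mongodb-pv
spec:
  storageClassName: manual
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  local:
    path: /var/lib/mongodb-data       # assumed directory on the node
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - worker-1            # assumed node name
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mongodb-pvc
  namespace: mongo
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
# Single replica, non-root, no added capabilities; the label matches the
# selector of the Service from the question so that Service keeps working.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mongodb
  namespace: mongo
spec:
  serviceName: mongodb
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: mongodb-pod
  template:
    metadata:
      labels:
        app.kubernetes.io/name: mongodb-pod
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: mongo
          image: mongo:6.0            # pinned tag instead of :latest
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          ports:
            - containerPort: 27017
              name: mongodb-cp
          env:
            - name: MONGO_INITDB_ROOT_USERNAME
              valueFrom:
                secretKeyRef:
                  name: mongodb-root-credentials
                  key: username
            - name: MONGO_INITDB_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mongodb-root-credentials
                  key: password
          volumeMounts:
            - mountPath: /data/db
              name: mongodb-storage
      volumes:
        - name: mongodb-storage
          persistentVolumeClaim:
            claimName: mongodb-pvc
```

Before applying it, the directory on the node has to exist and be owned by 1001:1001, and on an SELinux-enforcing RHEL host it also needs a label that containers are allowed to write to (for example `chcon -R -t container_file_t /var/lib/mongodb-data`): on such hosts a correctly chowned directory that still produces the "read-only directory" lock-file error is usually an SELinux denial, which privileged mode hides by disabling the confinement rather than by fixing the label. With `runAsNonRoot` and all capabilities dropped, the image's entrypoint skips its root-only `chown` step and starts `mongod` directly as UID 1001, so the ownership handled by `fsGroup` is the only write permission the process gets.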
