Given a pod running an Nginx container, and a PHP-FPM container, what would be the best practice for the applications document permissions?
At the moment I have a volume shared between the containers so that Nginx has access to the PHP files. This works, but the files are owned by the user www-data in the FPM container, which does not exist in the Nginx container, resulting in them being owned by whichever user has the same UID.
This is obviously wrong, but then what's right? Options I've considered so far:
nobody:nogroupnginx user in that containerNone of these seem appealing.
This is a case for Security Context in kubernetes, where you can specify uid,gid or supplementary gid (fsgroup) for your pods.
For example setting:
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
Will make you progress run as user 1000, with primary group 3000 and supplementary group 2000.
You haven't specified if you need both pods to edit files in that volume, if that's not the case - only adding fsGroup should be enough to give read-only rights (by default) to your files, without affecting your existing workloads in any meaningful way.
Otherwise you can force same UID's, but that might require you to reconfigure your applications
See also: Kubernetes: how to correctly set php-fpm and nginx shared volume permission