Pod Security Context

belfhi · August 22, 2019, 8:15am

Hello,
we want to use NFS shares for data of Experiments and access this data from
within a Container in the z2jh kubernetes deployment.
Is there currently any way to change the k8s security context so the pod runs as
a UID that matches the UID from the NFS share?
Using security policies
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
would be a great enhancement to z2jh.

manics · August 22, 2019, 5:21pm

You can set the uid and fsGid: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/2d435d64d4978380f68a1bda185add4376c29272/jupyterhub/values.yaml#L188-L189

belfhi · August 23, 2019, 7:30am

Hello,
yes I am aware of that but could I also set it dynamically? So that every user get a pod which runs under their “real” UID? Then we could very easily allow NFS shares…
cheers,
johannes

manics · August 23, 2019, 1:52pm

If you’re using an image based on the standard Jupyter docker stacks you can start them as root, pass in the UID as an environment variable, and the jupyter user will then have access to their external NFS shares. See this example which uses LDAP, though you can use any authenticator that returns you the UID, the most relevant bit is the pre_spawn_start method:

Topic		Replies	Views
Starting single-user notebook with our custom ldap docker image JupyterHub how-to	9	7430	March 22, 2023
KubeSpawner with external NFS and user as non-root Zero to JupyterHub on Kubernetes	3	784	July 6, 2023
KubeSpawner and LDAPauthentication run under users LDAP UID Zero to JupyterHub on Kubernetes help-wanted	8	3443	May 31, 2023
Z2JH Hot to change NB_UID/NB_GID using authenticator_class? Zero to JupyterHub on Kubernetes	24	1210	March 23, 2024
JupyterHub SwarmSpawner with NFS persisent storage - is this expected to work? JupyterHub how-to , help-wanted	1	1146	June 25, 2021

Pod Security Context

Related topics