
CRE-2025-0069

Kubernetes fsGroup ignored on NFS volumes

Severity: Medium
Impact: 6/10
Mitigation: 4/10


Description

Pods that mount NFS volumes and set `securityContext.fsGroup` still see the mounted directory owned by `root:root`. The kubelet does not chown an NFS share; `fsGroup` only adds the GID to the containers' supplementary groups. Non-root containers therefore fail to write with "Permission denied" even though the manifest looks correctly configured, and the usual workaround (running the workload as root) trades the failure for a loss of least privilege.


Cause

The kubelet's `fsGroup` ownership management (the recursive chown plus setgid it performs on volume types it manages, such as emptyDir, projected volumes and filesystem PersistentVolumes backed by block devices) is skipped for NFS: the in-tree NFS plugin reports its mounts as not managed by the kubelet, and CSI drivers behave the same unless their `fsGroupPolicy` is `File`. Files on an NFS export carry the server-side UID/GID, so ownership stays whatever the server has, `root:root` in the default case, and only the supplementary-group half of `fsGroup` takes effect inside the pod.


Mitigation

InitContainer fix-up: - Add a short initContainer, running as root, that
runs `chown -R 0:<fsGroup> /mount && chmod 0770 /mount` before the
workload starts. Because `fsGroup` still adds `<fsGroup>` to every container's supplementary groups, group ownership plus `g+rwx` is what makes the directory writable for the non-root workload. Setting the setgid bit as well (`chmod 2770`) makes files the workload creates inherit the group, which is what the kubelet does itself on volumes it manages.

Caveats:
- The initContainer needs UID 0 and the `CHOWN` and `FOWNER` capabilities (both are in the default container capability set); `privileged: true` is not required and should not be used.
- The chown is issued from the NFS client, so it only succeeds if the export does not squash root (`root_squash` or `all_squash`). On a squashed export the initContainer fails with the same `Permission denied`, and ownership has to be fixed on the NFS server, or the export configured with `anonuid`/`anongid` matching the pod's UID/GID.
- A root-running initContainer is incompatible with the `restricted` Pod Security Standard, which requires `runAsNonRoot` on initContainers as well; `baseline` permits it.
- `chown -R` over a large export is slow and repeats on every pod start; chowning only the mount root is usually enough when the workload only creates new files.

Note: Changing the directory mode alone (for example via `FOLDER_PERMISSIONS`) is not sufficient: with group ownership still `root`, a mode such as `0770` grants nothing to the `<fsGroup>` GID, and writes still fail.
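A complete manifest for this mitigation, added here as an example and not code from the CRE entry. The server name `nfs.example.internal`, the export path `/exports/app`, the `busybox` image, `fsGroup` 2000 and the workload UID/GID 1000 are assumptions, as is an export that does not squash root; the initContainer fixes ownership once on the mount root, and the app container prints `id` and does a test write so the effect is visible in the pod logs.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nfs-fsgroup-fixup
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 2000            # NOT applied as ownership on NFS; still added to supplementary groups
  volumes:
    - name: data
      nfs:
        server: nfs.example.internal   # assumed server
        path: /exports/app             # assumed export; must not root_squash for the chown below
  initContainers:
    - name: fix-ownership
      image: busybox:1.36
      securityContext:
        runAsUser: 0                   # root is needed to chown; privileged: true is NOT needed
        runAsNonRoot: false
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
          add: ["CHOWN", "FOWNER"]     # exactly what chown/chmod on a root-owned dir require
      command:
        - sh
        - -ec
        - |
          # Hand the mount root to group 2000 (the pod's fsGroup) and set 2770:
          # rwx for owner and group, setgid so new files inherit GID 2000.
          # Add -R to chown (and chmod -R g+rwX) only if pre-existing files must
          # become group-writable; it is slow on large exports.
          chown 0:2000 /data
          chmod 2770 /data
          stat -c '%U:%G %a %n' /data    # expect root:2000 2770 /data (name may resolve)
      volumeMounts:
        - name: data
          mountPath: /data
  containers:
    - name: app
      image: busybox:1.36
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      command:
        - sh
        - -ec
        - |
          id                                   # groups=1000,2000 shows fsGroup did take effect
          touch /data/.write-check && echo "write OK"
          sleep 3600
      volumeMounts:
        - name: data
          mountPath: /data
```

Apply with `kubectl apply -f` and read `kubectl logs nfs-fsgroup-fixup -c fix-ownership` first: if the `chown` line fails with `Operation not permitted`, the export is squashing root and the ownership has to be changed on the server instead. The app container deliberately keeps the non-root, no-capabilities profile; only the initContainer relaxes it, and only as far as `CHOWN`/`FOWNER`.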


References