CRE-2025-0069

Kubernetes fsGroup ignored on NFS volumes
Medium
Impact: 6/10
Mitigation: 4/10

Description

Pods that mount NFS volumes and set `securityContext.fsGroup` still see the mounted directory owned by `root:root`. The kubelet does not chown the share, so non-root containers fail with "Permission denied".

Mitigation

**InitContainer fix-up:** Add a short privileged initContainer that runs `chown -R 0:<fsGroup> /mount && chmod 0770 /mount` before the workload starts.

**Note:** Changing directory mode alone via `FOLDER_PERMISSIONS` is **not** sufficient: the group ownership remains `root`, and writes still fail.
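
A Pod manifest showing the initContainer fix-up described above. This is an added example, not part of the original CRE entry: the pod name, image, UID/GID values, NFS server and export path are constructed placeholders, and it assumes root with the container runtime's default capabilities (rather than `privileged: true`) is enough to chown the export.

```yaml
# Added example (constructed): names, image, IDs and NFS endpoint are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: nfs-writer                    # hypothetical name
spec:
  securityContext:
    runAsUser: 1000                   # workload runs as non-root
    runAsGroup: 2000
    fsGroup: 2000                     # not applied to the NFS mount by the kubelet
  initContainers:
    - name: fix-nfs-perms
      image: busybox:1.36
      # The group in the chown must match fsGroup above.
      command: ["sh", "-c", "chown -R 0:2000 /mount && chmod 0770 /mount"]
      securityContext:
        runAsUser: 0                  # overrides pod-level runAsUser for this container only
        # Assumption: default capabilities (which include CHOWN) suffice,
        # so privileged: true is not set here.
      volumeMounts:
        - name: data
          mountPath: /mount
  containers:
    - name: app
      image: busybox:1.36
      # Write test: succeeds only once the share is group-owned by 2000 with mode 0770.
      command: ["sh", "-c", "touch /mount/write-test && sleep 3600"]
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: data
          mountPath: /mount
  volumes:
    - name: data
      nfs:
        server: nfs.example.internal  # placeholder
        path: /exports/data           # placeholder
```

If the export is configured with `root_squash`, the initContainer's root is mapped to the anonymous user on the server and the `chown` fails, so ownership then has to be set on the NFS server itself.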

References