CRE-2025-0069
Kubernetes fsGroup ignored on NFS volumes
Medium
Impact: 6/10
Mitigation: 4/10
Description
Pods that mount NFS volumes and set `securityContext.fsGroup` still have the directory owned by `root:root`. The kubelet does not chown the share, so non-root containers fail with "Permission denied".
Mitigation
**InitContainer fix-up:**
- Add a short privileged initContainer that runs `chown -R 0:<fsGroup> /mount && chmod 0770 /mount` before the workload starts.

**Note:** Changing directory mode alone via `FOLDER_PERMISSIONS` is **not** sufficient; the group ownership remains `root`, and writes still fail.
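
A Pod manifest applying the initContainer fix-up above, as an added example that is not part of the original CRE rule. The Pod name, images, UID/GID values, NFS server and export path are placeholders, and running the init step as UID 0 with default container capabilities (rather than `privileged: true`) is an assumption.

```yaml
# Added example: names, images, IDs, NFS server and export path are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: nfs-fsgroup-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 2000              # added as a supplemental GID; the NFS share is not chowned
  initContainers:
    - name: fix-nfs-ownership
      image: busybox:1.36
      # Same command as the mitigation, with <fsGroup> = 2000.
      command: ["sh", "-c", "chown -R 0:2000 /mount && chmod 0770 /mount"]
      securityContext:
        runAsUser: 0           # overrides the pod-level UID for this container only
        runAsGroup: 0
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: share
          mountPath: /mount
  containers:
    - name: app
      image: busybox:1.36
      # Writes as UID 1000 through group 2000; without the init step this
      # fails with "Permission denied" because the directory is root:root.
      command: ["sh", "-c", "touch /mount/write-test && sleep 3600"]
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: share
          mountPath: /mount
  volumes:
    - name: share
      nfs:
        server: nfs.example.internal
        path: /exports/app
```

If the export is configured with `root_squash`, the server rejects the `chown` from the init container and ownership has to be set on the NFS server side instead.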