Description
We're configuring Pod security according to Kubernetes best practices, specifically ensuring containers run as non-root using securityContext.
We’ve configured our Helm chart as follows:
```yaml
scriptPods:
  securityContext:
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 999
    runAsGroup: 999
    fsGroup: 999
```

In our scenario, we are using Azure Files storage (CIFS) with mountOptions matching the UID/GID of the container:
```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
provisioner: file.csi.azure.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
metadata:
  name: azurefile-csi-octopus
mountOptions:
  - mfsymlinks
  - actimeo=30
  - nosharesock
  - uid=999
  - gid=999
```

When the task starts, it attempts to unpack Calamari from an archive. Since CIFS does not support changing file ownership or permissions, extraction fails with the following error:
```
Cannot utime: Operation not permitted
```
This appears to originate from PackageExtractionOptions.cs
When we try setting dir_mode and file_mode in the mountOptions, we encounter a different error:
```
chmod: changing permissions of '/octopus/Tools/Calamari.linux-x64/2025.3.338/Calamari': Operation not permitted
```
That seems to trace back to ExecutableHelper.cs
Do you have any reference configurations or guidance for running tasks on Azure Files (CIFS) storage with non-root scriptPods?
Specifically:
- Are there recommended approaches to handle permission or ownership issues with CIFS?
- Can Calamari’s unpacking behavior be adjusted to avoid changing file permissions when unnecessary?
- Is there a known working configuration for running non-root pods using CIFS volumes?
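A preflight check for the two failures described above (utime and chmod refused on the CIFS mount), added here as an example; it is not code from the issue, from the Helm chart, or from Octopus/Calamari. It assumes the first argument is a writable directory (for instance the Azure Files mount point as seen from inside the scriptPod) and that GNU `touch` and `stat` are available, so `touch -d @<epoch>` and `stat -c` work. Running it before deploying shows whether a given mountOptions set lets a non-root process restore mtimes, set the executable bit, and chown, the three operations an archive extractor typically performs.

```bash
#!/usr/bin/env bash
# Probe which metadata operations a mounted volume permits for the current
# (non-root) user. Added example; not part of the issue or of Octopus.
# Assumes: $1 is a writable directory, GNU touch/stat semantics.

probe_volume_caps() {
  local dir="$1"
  local probe="$dir/.caps-probe-$$"
  local out=""

  # Create the probe file; if even this fails the mount is not writable.
  if ! (umask 077; : > "$probe") 2>/dev/null; then
    echo "create=fail"
    return 1
  fi

  # utime: archive extractors restore each entry's recorded mtime.
  # Check via stat rather than trusting the exit status alone.
  if touch -m -d '@1577836800' "$probe" 2>/dev/null \
     && [ "$(stat -c %Y "$probe")" = "1577836800" ]; then
    out="utime=ok"
  else
    out="utime=fail"
  fi

  # chmod: marking an extracted binary executable (the chmod in the issue).
  if chmod 0755 "$probe" 2>/dev/null \
     && [ "$(stat -c %a "$probe")" = "755" ]; then
    out="$out chmod=ok"
  else
    out="$out chmod=fail"
  fi

  # chown to our own uid:gid is a no-op on a local filesystem but is
  # refused on mounts that do not support ownership changes.
  if chown "$(id -u):$(id -g)" "$probe" 2>/dev/null; then
    out="$out chown=ok"
  else
    out="$out chown=fail"
  fi

  rm -f "$probe"
  echo "$out"
}

# Usage inside the pod:  probe_volume_caps /octopus
# A local filesystem reports: utime=ok chmod=ok chown=ok
if [ -n "$1" ]; then
  probe_volume_caps "$1"
fi
```

Run it once against the CIFS mount for each candidate set of mountOptions (with and without `dir_mode`/`file_mode`) and compare the three flags; a mount that reports `utime=fail` or `chmod=fail` will reproduce the extraction errors quoted above regardless of how the securityContext is set.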