Local-path-provisioner doesn't set permissions correctly for additional StorageClass

[eriklogtenberg]

Environmental Info:
K3s Version:
k3s version v1.26.4+k3s1 (8d0255a)
go version go1.19.8

Node(s) CPU architecture, OS, and Version:
Linux localhost 5.15.119-flatcar #1 SMP Fri Jul 14 17:48:03 -00 2023 x86_64 AMD Ryzen 5 3600 6-Core Processor AuthenticAMD GNU/Linux

Cluster Configuration:
Single node

Describe the bug:
I created an additional StorageClass, named local-path-retain, which is an exact copy of the pre-installed local-path StorageClass, with one (obvious) difference: reclaimPolicy is set to Retain, where the default for local-path is Delete.
Initially this seemed to work fine, and I can choose between StorageClasses in my PVC's just as expected. However, I noticed that the permissions on the local-path-retain PV's aren't set correctly.
PV's created by local-path are set 777, while local-path-retain PV's are set 755. As a result, I can't run any non-root containers on the local-path-retain PV's as they lack permissions. I tried to fix this with a Pod-level fsGroup SecurityContext but I noticed that LocalPath volumes don't seem to support fsGroup settings at all, so this was no workaround either.

I noticed that local-path-provisioner comes with a ConfigMap that embeds setup/teardown scripts, and that setup script does create new volumes with the right permissions: "mkdir -m 0777 -p ${absolutePath}". Perhaps for the additional StorageClass this config file is ignored (?) I am not quite sure how to debug further from this point. Any suggestions are welcome.

[brandond]

I created an additional StorageClass, named local-path-retain
I noticed that local-path-provisioner comes with a ConfigMap that embeds setup/teardown scripts

Did you also create a new provisioner deployment for your storageClass, or are you using the same one for both? If you're using the same provisioner, with the same configuration, they should behave identically.

I will also note that local-path-provisioner has its own project at https://github.com/rancher/local-path-provisioner - your question may be better asked there.

[ivanff]

Absolutely the same as the author's 3 years later (

I use the same provisioner as the default local-path.

[ivanff]

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    defaultVolumeType: local
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{"defaultVolumeType":"local"},"name":"local-path-retain"},"provisioner":"rancher.io/local-path","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}
  creationTimestamp: "2026-02-05T14:01:54Z"
  name: local-path-retain
  resourceVersion: "455023"
  uid: 9a0239b4-a514-4bcf-ac71-8e7f6da71f2e
provisioner: rancher.io/local-path
reclaimPolicy: Retain
volumeBindingMode: WaitForFirstConsumer