[New Rule] Bounty: Reproduce Kubernetes fsGroup Ignored for NFS Volumes & Provide a Detection Rule

[Lyndon-prequel]

Description

In Kubernetes, fsGroup in a Pod’s securityContext is designed to ensure that mounted volumes are accessible by setting group ownership. However, this doesn’t apply to NFS-mounted volumes, leading to silent permission failures.

Despite being a long-standing issue, it's still frequently encountered. We'd like a reproducible test case and a rule-based method for detecting when this issue occurs in real-world clusters.

To complete this bounty, you must:

1. Reproduce the Issue
2. Provide a minimal, working example that shows how fsGroup fails to apply to an NFS volume.

The example should clearly demonstrate that:

• fsGroup is set.
• The Pod fails due to file permission issues when writing to the NFS mount.

3. Provide a Detection Rule

A reliable detection rule, following the CRE format, that can be used by preq to flag affected applications.

Deliverables

1. Reproducible test setup (helm charts, README, shell script, or equivalent).
2. Test data in a test.log file
3. A link to a working CRE in the (CRE playground)[https://play.prequel.dev]

/bounty $250

Rule

No response

Related issues or PRs

kubernetes/examples#260

References

No response

Redacted Example Data

No response

[algora-pbc]

💎 $250 bounty • Prequel

Steps to solve:

1. Start working: Comment /attempt #30 with your implementation plan
2. Submit work: Create a pull request including /claim #30 in the PR body to claim the bounty
3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

❗ Important guidelines:

• To claim a bounty, you need to provide a short demo video of your changes in your pull request
• If anything is unclear, ask for clarification before starting as this will help avoid potential rework
• Low quality AI PRs will not receive review and will be closed
• Do not ask to be assigned unless you've contributed before

Thank you for contributing to prequel-dev/cre!

Attempt	Started (UTC)	Solution	Actions
🟢 @yarosz	May 21, 2025, 04:38:48 PM	#37	Reward
🟢 @nelsonmfinda	May 21, 2025, 07:07:13 PM	WIP
🟢 @elskow	May 26, 2025, 02:40:27 AM	WIP

[yarosz]

/attempt #30

🔍 Implementation Plan

1 - Repro Environment

• Spin up a one-node local Kubernetes cluster (Kind‐based) and an in-cluster NFS server with an exported path.
• Autogenerated PV/PVC (ReadWriteMany) so reviewers can reproduce in ≤ 10 minutes with Docker + kubectl + Helm only.

2 - Minimal Failing Workload

• Deployment running non-root UID/GID 10000 with fsGroup: 10000.
• Simple busybox loop writes to /mnt; permission error proves the bug.
• Pod init logs capture id & ls -ld /mnt before and after mount.

3 - Detection Rule (CRE)

• A CRE matching:
  • Pod has securityContext.fsGroup and at least one NFS volume.
  • Subsequent Pod event/log includes permission denied on the mount.
• MITRE-style “Cause / Impact / Mitigation” text + quick fixes (export uid/gid, CSI NFS driver, etc.).
• Hosted link in the CRE Playground for validation.

4 - Automation & Artifacts

• hack/run.sh – create cluster, install NFS, apply manifests, dump logs → test.log.
• GitHub Actions workflow to run the script and assert failure is reproduced, then run preq scan against the cluster & sample manifest.
• All deliverables in charts/, manifests/, docs/, plus concise README.

5 - Feedback Points

• Is Kind acceptable for reviewers, or prefer k3d/minikube?
• Any extra metadata you’d like surfaced in the CRE (e.g., K8s version gating)?
• Preferred format for test evidence (test.log) beyond plain container logs?

[elskow]

/attempt #30

[algora-pbc]

🎉 The pull request of @yarosz has been merged. The bounty can be rewarded here

cc @Lyndon-prequel

[algora-pbc]

@yarosz: You've been awarded a $250 by Prequel! 👉 Complete your Algora onboarding to collect the bounty.

[algora-pbc]

🎉🎈 @yarosz has been awarded $250 by Prequel! 🎈🎊