Merge pull request #18210 from MicrosoftDocs/main

6/16/2025 AM Publish

Author: Taojunshen

AKS-Arc/concepts-storage.md

@@ -3,7 +3,7 @@ title: Concepts - Storage options for applications in AKS enabled by Azure Arc
 description: Storage options for applications in AKS enabled by Azure Arc.
 author: sethmanheim
 ms.topic: conceptual
-ms.date: 06/24/2024
+ms.date: 06/16/2025
 ms.author: sethm 
 ms.lastreviewed: 1/14/2022
 ms.reviewer: abha
@@ -112,6 +112,23 @@ volumeMounts:
           name: k-dir 
 ```
 
+## Secure pod access to mounted volumes
+
+For your applications to run correctly, pods should run as a defined user or group and not as *root*. The `securityContext` for a pod or container lets you define settings such as *fsGroup* to assume the appropriate permissions on the mounted volumes.
+
+**fsGroup** is a field within the `securityContext` of a Kubernetes pod specification. It defines a supplemental group ID that Kubernetes assigns to all processes in the pod, and recursively to the files in mounted volumes. This ensures that the pod has the correct group-level access to shared storage volumes.
+
+When a volume is mounted, Kubernetes changes the ownership of the volume's contents to match the **fsGroup** value. This is particularly useful when containers run as non-root users and need write access to shared volumes.
+
+The following example YAML shows the **fsgroup** value:
+
+```yaml
+securityContext:
+  fsGroup: 2000
+```
+
+In this example, all files in mounted volumes are accessible by GID 2000.
+
 ## Next steps
 
 - [Use the AKS on Azure Local disk Container Storage Interface (CSI) drivers](./container-storage-interface-disks.md).

AKS-Arc/container-storage-interface-files.md

@@ -3,7 +3,7 @@ title: Use Container Storage Interface (CSI) file drivers in AKS enabled by Azur
 description: Learn how to use Container Storage Interface (CSI) drivers to manage files in AKS Arc.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 08/20/2024
+ms.date: 06/16/2025
 ms.author: sethm 
 ms.lastreviewed: 01/14/2022
 ms.reviewer: abha
@@ -31,7 +31,7 @@ If multiple nodes need concurrent access to the same storage volumes in AKS Arc,
 
 ### [AKS on Azure Local](#tab/local)
 
-1. Make sure the SMB driver is deployed. The SMB CSI driver is installed by default when you create a Kubernetes cluster using the `az aksarc create` command. If you create a Kubernetes cluster by using the Azure portal or using the `az aksarc create` command with `--disable-smb-driver`, you must enable the SMB driver on this cluster using the `az aksarc update` command:
+1. Make sure the SMB driver is deployed. The SMB CSI driver is installed by default when you create a Kubernetes cluster using the `az aksarc create` command. If you create a Kubernetes cluster by using the Azure portal, Azure Resource Manager (ARM) template, or Terraform, or by using the `az aksarc create` command with `--disable-smb-driver`, you must enable the SMB driver on this cluster using the `az aksarc update` command:
 
    ```azurecli
    az aksarc update -n $aksclustername -g $resource_group --enable-smb-driver
@@ -78,7 +78,7 @@ If multiple nodes need concurrent access to the same storage volumes in AKS Arc,
 
 ### [AKS on Azure Local](#tab/local)
 
-1. Make sure the NFS driver is deployed. The NFS CSI driver is installed by default when you create a Kubernetes cluster using the `az aksarc create` command. If you create a Kubernetes cluster by using the Azure portal or using the `az aksarc create` command with `--disable-nfs-driver`, you must enable the the NFS driver on this cluster using the `az aksarc update` command:
+1. Make sure the NFS driver is deployed. The NFS CSI driver is installed by default when you create a Kubernetes cluster using the `az aksarc create` command. If you create a Kubernetes cluster by using the Azure portal, Azure Resource Manager (ARM) template, or Terraform, or by using the `az aksarc create` command with `--disable-nfs-driver`, you must enable the the NFS driver on this cluster using the `az aksarc update` command:
 
    ```azurecli
    az aksarc update -n $aksclustername -g $resource_group --enable-nfs-driver