Back to all scenarios
Scenario #308
Storage
Kubernetes v1.21, PSP Enabled Cluster

PVC Mount Timeout Due to PodSecurityPolicy

A pod couldn’t mount a volume because PodSecurityPolicy (PSP) rejected required fsGroup.

Find this helpful?
What Happened

A storage class required fsGroup for volume mount permissions. The pod didn’t set it, and PSP disallowed dynamic group assignment.

Diagnosis Steps
  • 1Pod stuck in CreateContainerConfigError.
  • 2Events showed “pod rejected by PSP”.
  • 3Storage class required fsGroup.
Root Cause

Incompatible PSP with volume mount security requirements.

Fix/Workaround
• Modified PSP to allow required fsGroup range.
• Updated pod security context.
Lessons Learned

Storage plugins often need security context alignment.

How to Avoid
  • 1Review storage class requirements.
  • 2Align security policies with volume specs.
Previous ScenarioNext Scenario