Kubernetes PodSecurityPolicy set to runAsNonRoot, pods are not getting started after that. Getting error: Error: container has runAsNonRoot and image has non-numeric user (appuser)
Here is the implementation of the verification:
    case uid == nil && len(username) > 0:
        return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)
And here is the validation call with the comment:
    // Verify RunAsNonRoot. Non-root verification only supports numeric user.
    if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
        return nil, cleanupAction, err
    }
As you can see, the only reason for that message in your case is uid == nil. Based on the comment in the source code, we need to set a numeric user value.
So, for the user with UID=999 you can do it in your pod definition like that:
    securityContext:
      runAsUser: 999
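The kubelet check quoted above, reconstructed as a stand-alone Go program so the decision order can be traced for each combination of securityContext and image user. This is an added example, not the kubelet's or the answer's own code: it replaces the kubelet's pod/container types and its image-inspection call with plain structs and a hypothetical parseImageUser helper that reads the image's USER value, and it follows the kubelet in treating an image with no USER at all as root. An explicit runAsUser settles the question (and must not be 0); otherwise the image user is consulted, and only a numeric uid can be verified, which is exactly why USER appuser fails while runAsUser: 999 passes.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// SecurityContext holds the two securityContext fields the runAsNonRoot
// check looks at. Pod- and container-level contexts share this shape;
// a field set on the container overrides the pod-level value.
type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

// Sentinel errors, worded after the kubelet messages quoted in the answer.
var (
	ErrRunAsRoot      = errors.New("container's runAsUser breaks non-root policy")
	ErrImageRoot      = errors.New("container has runAsNonRoot and image will run as root")
	ErrNonNumericUser = errors.New("container has runAsNonRoot and image has non-numeric user, cannot verify user is non-root")
)

// parseImageUser (hypothetical helper) splits an image config USER value
// such as "appuser", "999", "999:999" or "appuser:appgroup" into the pieces
// the check needs: a numeric uid when the user part is a number, otherwise
// the bare username. An empty USER is treated as root, as the kubelet does.
func parseImageUser(user string) (uid *int64, username string) {
	userPart := strings.SplitN(user, ":", 2)[0]
	if userPart == "" {
		zero := int64(0)
		return &zero, ""
	}
	if n, err := strconv.ParseInt(userPart, 10, 64); err == nil {
		return &n, ""
	}
	return nil, userPart
}

// effectiveSecurityContext merges pod- and container-level settings:
// any field set on the container wins over the pod-level value.
func effectiveSecurityContext(podSc, containerSc *SecurityContext) SecurityContext {
	var eff SecurityContext
	if podSc != nil {
		eff = *podSc
	}
	if containerSc != nil {
		if containerSc.RunAsNonRoot != nil {
			eff.RunAsNonRoot = containerSc.RunAsNonRoot
		}
		if containerSc.RunAsUser != nil {
			eff.RunAsUser = containerSc.RunAsUser
		}
	}
	return eff
}

// verifyRunAsNonRoot reproduces the decision order of the kubelet check:
// no policy requested -> pass; explicit runAsUser -> must be non-zero;
// otherwise fall back to the image user, which must be a numeric non-zero uid.
func verifyRunAsNonRoot(podSc, containerSc *SecurityContext, imageUser string) error {
	eff := effectiveSecurityContext(podSc, containerSc)
	if eff.RunAsNonRoot == nil || !*eff.RunAsNonRoot {
		return nil
	}
	if eff.RunAsUser != nil {
		if *eff.RunAsUser == 0 {
			return ErrRunAsRoot
		}
		return nil // a numeric, non-zero runAsUser is verifiable without looking at the image
	}
	uid, username := parseImageUser(imageUser)
	switch {
	case uid != nil && *uid == 0:
		return ErrImageRoot
	case uid == nil && len(username) > 0:
		return fmt.Errorf("%w (%s)", ErrNonNumericUser, username)
	default:
		return nil
	}
}

func main() {
	nonRoot := true
	uid999 := int64(999)
	pod := &SecurityContext{RunAsNonRoot: &nonRoot}
	cases := []struct {
		name      string
		ctr       *SecurityContext
		imageUser string
	}{
		{"image USER appuser, no runAsUser", nil, "appuser"},   // the question's failure
		{"image USER appuser, runAsUser 999", &SecurityContext{RunAsUser: &uid999}, "appuser"}, // the fix
		{"image USER 999", nil, "999"},
		{"image has no USER", nil, ""},
	}
	for _, c := range cases {
		fmt.Printf("%-36s -> %v\n", c.name, verifyRunAsNonRoot(pod, c.ctr, c.imageUser))
	}
}
```

The same check is also why setting runAsUser in the Dockerfile as USER 999 (numeric) passes without any change to the pod spec: the kubelet never resolves names through the image's /etc/passwd, so a name cannot prove anything to it.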
This issue can be fixed using serviceAccounts & role-bindings. This approach is lengthier but cleaner, especially in massive production clusters.
According to the documentation at the following link, https://kubernetes.io/docs/concepts/policy/pod-security-policy/, the following steps will help you with the solution.
Create a service account
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: test-sa
Attach the service account to the pod
    ---
    ...
    spec:
      serviceAccount: test-sa
    ...
Create ClusterRole
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: privilated-role
    rules:
    - apiGroups:
      - policy
      resourceNames:
      - privileged
      resources:
      - podsecuritypolicies
      verbs:
      - use
Create the RoleBinding
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: privilated-role-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: privilated-role
    subjects:
    - kind: ServiceAccount
      name: test-sa
      # required for ServiceAccount subjects: the namespace where test-sa was created
      namespace: default
**Important:** please check the YAML spacing, because it may differ after copy and paste.