I am trying to deploy a Pod in a v1.13.6-gke.6 k8s cluster.
The image I am using is very simple:

FROM scratch
LABEL maintainer "Bitnami <[email protected]>"
COPY rootfs /
USER 1001
CMD [ "/chart-repo" ]

As you can see, the user is set to 1001. The cluster I want to deploy the Pod into has a PSP set up:
spec:
  allowPrivilegeEscalation: false
  allowedCapabilities:
  - IPC_LOCK
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  runAsUser:
    rule: MustRunAsNonRoot
So, basically, according to the rule: MustRunAsNonRoot rule, the above image should run. But when I run the image, I randomly get:

Error: container has runAsNonRoot and image will run as root
So, digging further, I found this pattern:

Every time I run the image with imagePullPolicy: IfNotPresent, I always hit the problem. This means that every time I pick up the cached image, it produces the container has runAsNonRoot error.

Normal Pulled 12s (x3 over 14s) kubelet, test-1905-default-pool-1b8e4761-fz8s Container image "my-repo/bitnami/kubeapps-chart-repo:1.4.0-r1" already present on machine
Warning Failed 12s (x3 over 14s) kubelet, test-1905-default-pool-1b8e4761-fz8s Error: container has runAsNonRoot and image will run as root
But every time I run the image with imagePullPolicy: Always, the image runs SUCCESSFULLY:

Normal Pulled 6s kubelet, test-1905-default-pool-1b8e4761-sh5g Successfully pulled image "my-repo/bitnami/kubeapps-chart-repo:1.4.0-r1"
Normal Created 5s kubelet, test-1905-default-pool-1b8e4761-sh5g Created container
Normal Started 5s kubelet, test-1905-default-pool-1b8e4761-sh5g Started container
So I am not really sure what is going on here. I mean, just because the ImagePullPolicy is different, why would it evaluate the PSP rule wrongly?

Best answer
Found out what the problem is. It is a known issue in k8s for two specific versions, v1.13.6 and v1.14.2.

https://github.com/kubernetes/kubernetes/issues/78308
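The error in the events comes from the kubelet checking the image's USER at container start, a check it only needs when the manifest gives no runAsUser. As an added example (not from the question or from the Bitnami chart), the Python audit below flags containers whose MustRunAsNonRoot guarantee rests on the image USER alone and pins runAsUser to the image's numeric USER; SAMPLE_POD and IMAGE_USERS are constructed from the question.

```python
import copy

# Constructed Pod spec mirroring the question: no runAsUser, cached image.
SAMPLE_POD = {"spec": {"containers": [{
    "name": "chart-repo",
    "image": "my-repo/bitnami/kubeapps-chart-repo:1.4.0-r1",
    "imagePullPolicy": "IfNotPresent",
}]}}
# Numeric USER taken from each image's Dockerfile (USER 1001 in the question).
IMAGE_USERS = {"my-repo/bitnami/kubeapps-chart-repo:1.4.0-r1": 1001}


def effective_run_as_user(pod, container):
    """Container-level securityContext overrides the pod-level one."""
    csc = container.get("securityContext") or {}
    psc = pod["spec"].get("securityContext") or {}
    return csc.get("runAsUser", psc.get("runAsUser"))


def audit_pod(pod):
    """Map container name -> finding for containers the manifest cannot prove
    non-root. Assumes the PSP enforces runAsUser rule MustRunAsNonRoot."""
    findings = {}
    for c in pod["spec"]["containers"]:
        uid = effective_run_as_user(pod, c)
        if uid == 0:
            findings[c["name"]] = "runAsUser 0 violates MustRunAsNonRoot"
        elif uid is None:
            # The kubelet must then read the image USER at container start;
            # that is the path the question shows misfiring on cached images.
            findings[c["name"]] = (
                "non-root guarantee depends on image USER (imagePullPolicy=%s)"
                % c.get("imagePullPolicy", "<default>"))
    return findings


def pin_run_as_user(pod, image_users):
    """Return a copy with runAsUser pinned to the image's numeric USER, so the
    kubelet never consults image metadata to satisfy runAsNonRoot. An explicit
    runAsUser (even 0) is left alone so the audit still reports it."""
    fixed = copy.deepcopy(pod)
    for c in fixed["spec"]["containers"]:
        uid = image_users.get(c["image"])
        if effective_run_as_user(fixed, c) is None and uid not in (None, 0):
            sc = c.setdefault("securityContext", {})
            sc["runAsUser"] = uid
            sc["runAsNonRoot"] = True
    return fixed


if __name__ == "__main__":
    print(audit_pod(SAMPLE_POD))
    print(audit_pod(pin_run_as_user(SAMPLE_POD, IMAGE_USERS)))
```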
Regarding kubernetes - PodSecurityPolicy failing with a specific ImagePullPolicy, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56635078/