and image has non-numeric user

This article covers the Kubernetes problem "PodSecurityPolicy set to runAsNonRoot, container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root" and how to resolve it; it should be of some reference value to anyone hitting the same error. Let's work through it below.

Problem description

The kubernetes PodSecurityPolicy is set to runAsNonRoot; post that, pods are not getting started. Getting error: Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

We are creating the user (appuser) uid -> 999 and group (appgroup) gid -> 999 in the docker container, and we are starting the container with that user.

But the pod creation is throwing an error.

    Events:
      Type     Reason                 Age                From                           Message
      ----     ------                 ----               ----                           -------
      Normal   Scheduled              53s                default-scheduler              Successfully assigned app-578576fdc6-nfvcz to appmagent01
      Normal   SuccessfulMountVolume  52s                kubelet, appagent01  MountVolume.SetUp succeeded for volume "default-token-ksn46"
      Warning  DNSConfigForming       11s (x6 over 52s)  kubelet, appagent01  Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local
      Normal   Pulling                11s (x5 over 51s)  kubelet, appagent01  pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Normal   Pulled                 11s (x5 over 51s)  kubelet, appagent01  Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Warning  Failed                 11s (x5 over 51s)  kubelet, appagent01  Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

Recommended answer

Here is the implementation of the check:

    case uid == nil && len(username) > 0:
        return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)

Here is the call to the check, with its comment:

    // Verify RunAsNonRoot. Non-root verification only supports numeric user.
    if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
        return nil, cleanupAction, err
    }

As you can see, the only reason for that message in your case is uid == nil. Based on the comment in the source code, we need to set a numeric user value.

So, for the user with UID=999, you can do it in your pod definition like that:

    securityContext:
        runAsUser: 999
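To make the decision order behind that error concrete, here is a stand-alone Go model of the kubelet's runAsNonRoot check. This is an added example, not the page's code and not Kubernetes source: verifyRunAsNonRoot is modelled on the logic the answer quotes (an explicit runAsUser settles the question; otherwise the image user is consulted), while parseImageUser is a constructed simplification of how the runtime splits an image USER value into either a numeric uid or a bare account name, treating a missing USER as root. The SecurityContext and ImageUser types are stand-ins for the Kubernetes types.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SecurityContext holds the two effective security-context fields the
// kubelet consults for the runAsNonRoot check (pod-level values already
// merged into the container-level ones). Stand-in for the Kubernetes type.
type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

// ImageUser is what the kubelet learns about the image's USER setting:
// a numeric uid, or a bare account name it cannot resolve to a uid.
type ImageUser struct {
	UID      *int64
	Username string
}

// parseImageUser turns an image config User value ("appuser", "999",
// "999:999", "") into the uid/username pair the check operates on.
// Constructed helper: it reproduces the uid-or-name split and treats a
// missing USER as root, which is how the kubelet defaults it.
func parseImageUser(user string) ImageUser {
	// A ":group" suffix is irrelevant to the user check; drop it.
	if i := strings.IndexByte(user, ':'); i >= 0 {
		user = user[:i]
	}
	if user == "" {
		root := int64(0)
		return ImageUser{UID: &root}
	}
	if uid, err := strconv.ParseInt(user, 10, 64); err == nil {
		return ImageUser{UID: &uid}
	}
	// Not numeric: the kubelet has no view of the image's /etc/passwd,
	// so all it knows is the name.
	return ImageUser{Username: user}
}

// verifyRunAsNonRoot mirrors the kubelet's decision order: an explicit
// runAsUser settles the question on its own; otherwise the image user is
// consulted, and a name-only user cannot be proven non-root.
func verifyRunAsNonRoot(sc SecurityContext, img ImageUser) error {
	// Policy not requested (or explicitly false): nothing to verify.
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		return nil
	}
	// runAsUser takes precedence over the image user, which is why a
	// numeric value in the pod securityContext fixes the reported error.
	if sc.RunAsUser != nil {
		if *sc.RunAsUser == 0 {
			return fmt.Errorf("container's runAsUser breaks non-root policy")
		}
		return nil
	}
	switch {
	case img.UID != nil && *img.UID == 0:
		return fmt.Errorf("container has runAsNonRoot and image will run as root")
	case img.UID == nil && len(img.Username) > 0:
		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", img.Username)
	default:
		return nil
	}
}

func main() {
	nonRoot := true
	uid999 := int64(999)

	// Case from the question: image USER appuser, pod asks for runAsNonRoot.
	fmt.Println("USER appuser, no runAsUser:",
		verifyRunAsNonRoot(SecurityContext{RunAsNonRoot: &nonRoot}, parseImageUser("appuser")))

	// The answer's fix: pin runAsUser: 999 in the pod securityContext.
	fmt.Println("USER appuser, runAsUser 999:",
		verifyRunAsNonRoot(SecurityContext{RunAsNonRoot: &nonRoot, RunAsUser: &uid999}, parseImageUser("appuser")))

	// Alternative fix: have the Dockerfile say USER 999 so the image carries a uid.
	fmt.Println("USER 999:999, no runAsUser:",
		verifyRunAsNonRoot(SecurityContext{RunAsNonRoot: &nonRoot}, parseImageUser("999:999")))

	// No USER at all defaults to root and is rejected as well.
	fmt.Println("no USER, no runAsUser:",
		verifyRunAsNonRoot(SecurityContext{RunAsNonRoot: &nonRoot}, parseImageUser("")))
}
```

The model shows why the two common fixes both work: either the pod spec supplies a numeric runAsUser, which is checked before the image is even looked at, or the image itself is built with a numeric USER so the runtime can report a uid instead of a name. Renaming the account or adding it to the image's /etc/passwd changes nothing, because the kubelet never resolves names.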

09-01 15:31