kubernetes PodSecurityPolicy set to runAsNonRoot: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

Time: 2018-04-08 16:51:00

Tags: kubernetes kubernetes-security

kubernetes PodSecurityPolicy is set to runAsNonRoot; the pods do not start and I get the error: Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

We are creating a user (appuser) with uid -> 999 and a group (appgroup) with gid -> 999 in the docker container, and we are starting the container with that user.

But pod creation fails with an error.

    Events:
      Type     Reason                 Age                From                           Message
      ----     ------                 ----               ----                           -------
      Normal   Scheduled              53s                default-scheduler              Successfully assigned app-578576fdc6-nfvcz to appmagent01
      Normal   SuccessfulMountVolume  52s                kubelet, appagent01  MountVolume.SetUp succeeded for volume "default-token-ksn46"
      Warning  DNSConfigForming       11s (x6 over 52s)  kubelet, appagent01  Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local 
      Normal   Pulling                11s (x5 over 51s)  kubelet, appagent01  pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Normal   Pulled                 11s (x5 over 51s)  kubelet, appagent01  Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Warning  Failed                 11s (x5 over 51s)  kubelet, appagent01  Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root


2 answers:

Answer 0 (score: 5)

Here is the implementation of the validation:

    case uid == nil && len(username) > 0:
        return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)

Here is the validation call, with its comment:

    // Verify RunAsNonRoot. Non-root verification only supports numeric user.
    if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
        return nil, cleanupAction, err
    }

As you can see, the only reason for the message in your case is uid == nil. According to the comment in the source code, we need to set a numeric user value.

So for a user with UID = 999, you can do it in your pod definition like this:

    securityContext:
        runAsUser: 999

Answer 1 (score: -1)

This can be solved using serviceAccounts and role bindings. This approach, though verbose, is cleaner, especially in large-scale production clusters.

As per the documentation mentioned in the link below, https://kubernetes.io/docs/concepts/policy/pod-security-policy/

The following steps will help you resolve the issue.

  1. Create a service account

     ---
     apiVersion: v1
     kind: ServiceAccount
     metadata:
       name: test-sa
    
  2. Attach the service account to the pod

     ---
     ...
     spec:
       serviceAccount: test-sa
     ...
    
  3. Create the ClusterRole

     ---
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
     metadata:
       name: privilated-role
     rules:
       - apiGroups:
         - policy
         resourceNames:
         - privileged
         resources:
         - podsecuritypolicies
         verbs:
         - use
    
  4. Create the RoleBinding

      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: privilated-role-binding
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: privilated-role
      subjects:
        - kind: ServiceAccount
          name: test-sa
    

**Important note:** please check the YAML spacing while copying and pasting; it may differ.