kubernetes PodSecurityPolicy设置为runAsNonRoot,容器有runAsNonRoot,镜像有非数字用户(appuser),无法验证用户是否为非root

juzqafwq  于 2023-06-28  发布在  Kubernetes
关注(0)|答案(2)|浏览(189)

kubernetes PodSecurityPolicy设置为runAsNonRoot,pod无法启动发布获取错误错误:容器具有runAsNonRoot且映像具有非数字用户(appuser),无法验证用户是否为非root用户
我们在docker容器中创建用户(appuser)uid -> 999和组(appgroup)gid -> 999,并使用该用户启动容器。
但pod创建抛出错误。

Events:
      Type     Reason                 Age                From                           Message
      ----     ------                 ----               ----                           -------
      Normal   Scheduled              53s                default-scheduler              Successfully assigned app-578576fdc6-nfvcz to appmagent01
      Normal   SuccessfulMountVolume  52s                kubelet, appagent01  MountVolume.SetUp succeeded for volume "default-token-ksn46"
      Warning  DNSConfigForming       11s (x6 over 52s)  kubelet, appagent01  Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local 
      Normal   Pulling                11s (x5 over 51s)  kubelet, appagent01  pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Normal   Pulled                 11s (x5 over 51s)  kubelet, appagent01  Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Warning  Failed                 11s (x5 over 51s)  kubelet, appagent01  Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

.
slmsl1lt

slmsl1lt1#

下面是验证的实现:

case uid == nil && len(username) > 0:
    return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)

下面是带有注解的验证调用:

// Verify RunAsNonRoot. Non-root verification only supports numeric user.
if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
    return nil, cleanupAction, err
}

正如您所看到的,在您的案例中,该消息的唯一原因是uid == nil。根据源代码中的注解,我们需要设置一个数字用户值。
因此,对于UID=999的用户,您可以在pod定义中这样做:

securityContext:
    runAsUser: 999
r55awzrz

r55awzrz2#

这就是我的工作。在route.yml文件中,将 * spec.host * 值更改为集群允许您拥有权限的正确级别。在我的案例中,它是:
来自:

maximo-lab.domain.com

致:

maximo-lab.subdomain.domain.com

我还在Redhat上查看了这篇文章,它没有为我工作的答案。它可能为其他人提供了答案。https://developers.redhat.com/blog/2020/10/26/adapting-docker-and-kubernetes-containers-to-run-on-red-hat-openshift-container-platform#how_to_debug_issues

相关问题