kubernetes PodSecurityPolicy设置为runAsNonRoot,pod无法启动发布获取错误错误:容器具有runAsNonRoot且映像具有非数字用户(appuser),无法验证用户是否为非root用户
我们在docker容器中创建用户(appuser)uid -> 999和组(appgroup)gid -> 999,并使用该用户启动容器。
但pod创建抛出错误。
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 53s default-scheduler Successfully assigned app-578576fdc6-nfvcz to appmagent01
Normal SuccessfulMountVolume 52s kubelet, appagent01 MountVolume.SetUp succeeded for volume "default-token-ksn46"
Warning DNSConfigForming 11s (x6 over 52s) kubelet, appagent01 Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local
Normal Pulling 11s (x5 over 51s) kubelet, appagent01 pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
Normal Pulled 11s (x5 over 51s) kubelet, appagent01 Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
Warning Failed 11s (x5 over 51s) kubelet, appagent01 Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
.
2条答案
按热度按时间slmsl1lt1#
下面是验证的实现:
下面是带有注解的验证调用:
正如您所看到的,在您的案例中,该消息的唯一原因是
uid == nil
。根据源代码中的注解,我们需要设置一个数字用户值。因此,对于UID=999的用户,您可以在pod定义中这样做:
r55awzrz2#
这就是我的工作。在
route.yml
文件中,将 * spec.host * 值更改为集群允许您拥有权限的正确级别。在我的案例中,它是:来自:
致:
我还在Redhat上查看了这篇文章,它没有为我工作的答案。它可能为其他人提供了答案。https://developers.redhat.com/blog/2020/10/26/adapting-docker-and-kubernetes-containers-to-run-on-red-hat-openshift-container-platform#how_to_debug_issues