18

kubernetes PodSecurityPolicy 设置为 runAsNonRoot,Pod 未启动后出现错误错误:容器已 runAsNonRoot 并且图像具有非数字用户(appuser),无法验证用户是非 root

我们正在 docker 容器中创建用户 (appuser) uid -> 999 和组 (appgroup) gid -> 999,并且我们正在使用该用户启动容器。

但是创建的 pod 会抛出错误。

    Events:
      Type     Reason                 Age                From                           Message
      ----     ------                 ----               ----                           -------
      Normal   Scheduled              53s                default-scheduler              Successfully assigned app-578576fdc6-nfvcz to appmagent01
      Normal   SuccessfulMountVolume  52s                kubelet, appagent01  MountVolume.SetUp succeeded for volume "default-token-ksn46"
      Warning  DNSConfigForming       11s (x6 over 52s)  kubelet, appagent01  Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local 
      Normal   Pulling                11s (x5 over 51s)  kubelet, appagent01  pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Normal   Pulled                 11s (x5 over 51s)  kubelet, appagent01  Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Warning  Failed                 11s (x5 over 51s)  kubelet, appagent01  Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

.
4

1 回答 1

27

下面是验证的实现

case uid == nil && len(username) > 0:
    return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)

这是带有注释的验证调用:

// Verify RunAsNonRoot. Non-root verification only supports numeric user.
if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
    return nil, cleanupAction, err
}

如您所见,在您的案例中,该消息的唯一原因是uid == nil. 根据源代码中的注释,我们需要设置一个数字用户值。

因此,对于 UID=999 的用户,您可以在 pod 定义中这样做

securityContext:
    runAsUser: 999
于 2018-04-09T09:34:19.433 回答