I tried running the pod as you asked. It fails because Nginx needs to modify some configuration under /etc/, which is owned by root; when you run it with runAsNonRoot it fails because it cannot edit the Nginx default configuration.
This is the error you actually get when you run it:
10-listen-on-ipv6-by-default.sh: error: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2020/08/13 17:28:55 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2020/08/13 17:28:55 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
The spec I ran:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: buggypod
  name: buggypod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
  - image: nginx
    name: buggypod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
My suggestion is that you create a custom Nginx image with a Dockerfile that also creates a user and gives the newly created user permissions on the folders /var/cache/nginx, /etc/nginx/conf.d and /var/log/nginx. That way you can run the container as non-root.
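The following Dockerfile is an added example illustrating the suggestion above; it is not code from the answer or from the nginx project. It assumes the Debian-based official nginx image (groupadd/useradd available) and picks UID 1000 to match runAsUser in the pod spec. Besides chowning the three directories named in the answer, it goes slightly further: the pid file is moved out of the root-owned /var/run, the pointless "user" directive is dropped, and the listen port is changed to 8080, because an unprivileged process cannot bind port 80 without CAP_NET_BIND_SERVICE.

```dockerfile
# Added example (not the answer's own code): an nginx image that can start under
# securityContext.runAsNonRoot: true / runAsUser: 1000.
FROM nginx:1.19

# Hypothetical user and group name; the UID/GID 1000 match runAsUser in the pod spec.
RUN groupadd --gid 1000 nginxapp \
 && useradd --uid 1000 --gid 1000 --no-create-home --shell /usr/sbin/nologin nginxapp \
 # Directories written by the entrypoint scripts (conf.d) and by the nginx master
 # process (cache subdirectories, access/error logs).
 && chown -R 1000:1000 /var/cache/nginx /var/log/nginx /etc/nginx/conf.d \
 # nginx.conf points the pid file at /var/run/nginx.pid, which is root-owned.
 && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
 # The "user" directive only matters (and only warns) when the master runs as root.
 && sed -i '/^user /d' /etc/nginx/nginx.conf \
 # Port 80 is privileged; listen on 8080 instead (both IPv4 and IPv6 listen lines).
 && sed -i -e 's/listen\( *\)80;/listen\18080;/' -e 's/\[::\]:80;/[::]:8080;/' \
        /etc/nginx/conf.d/default.conf

# Numeric USER so runAsNonRoot can be validated without a passwd lookup.
USER 1000
EXPOSE 8080
```

Build and push this image, then reference it in the pod spec above in place of `image: nginx`; the securityContext can stay exactly as it is. A quick check after the pod starts is `kubectl exec buggypod -- id`, which should report uid=1000, and `kubectl logs buggypod`, which should no longer show the mkdir() permission-denied emerg line. Because the image now listens on 8080, any Service or readiness probe that targets the container must use that port.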