kubernetes PodSecurityPolicy set to runAsNonRoot, container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

4/8/2018

Kubernetes PodSecurityPolicy is set to runAsNonRoot, and after that pods are not getting started. Getting the error: Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

We are creating the user (appuser) with uid -> 999 and the group (appgroup) with gid -> 999 in the Docker container, and we are starting the container with that user.

But the pod creation is throwing an error.

    Events:
      Type     Reason                 Age                From                           Message
      ----     ------                 ----               ----                           -------
      Normal   Scheduled              53s                default-scheduler              Successfully assigned app-578576fdc6-nfvcz to appmagent01
      Normal   SuccessfulMountVolume  52s                kubelet, appagent01  MountVolume.SetUp succeeded for volume "default-token-ksn46"
      Warning  DNSConfigForming       11s (x6 over 52s)  kubelet, appagent01  Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local 
      Normal   Pulling                11s (x5 over 51s)  kubelet, appagent01  pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Normal   Pulled                 11s (x5 over 51s)  kubelet, appagent01  Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Warning  Failed                 11s (x5 over 51s)  kubelet, appagent01  Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

-- user1819071
kubernetes
kubernetes-security

2 Answers

5/26/2020

I hope this issue can be fixed using serviceAccounts & role-bindings.

According to the documentation mentioned in the following link: https://kubernetes.io/docs/concepts/policy/pod-security-policy/

The following steps will help you with the solution.

  1. Create a service account

    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: test-sa
  2. Attach the service account to the pod

    ---
    ...
    spec:
      serviceAccount: test-sa
    ...
  3. Create ClusterRole

    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: privilated-role
    rules:
      - apiGroups:
        - policy
        resourceNames:
        - privileged
        resources:
        - podsecuritypolicies
        verbs:
        - use
  4. Create the RoleBinding

    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: privilated-role-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: privilated-role
    subjects:
      - kind: ServiceAccount
        name: test-sa

**Important: please check the YAML spacing, because it may differ after copy and paste.**

-- JMadushan
Source: StackOverflow

4/9/2018

Here is the implementation of the verification:

    case uid == nil && len(username) > 0:
        return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)

And here is the validation call with the comment:

    // Verify RunAsNonRoot. Non-root verification only supports numeric user.
    if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
        return nil, cleanupAction, err
    }

As you can see, the only reason for that message in your case is uid == nil. Based on the comment in the source code, we need to set a numeric user value.

So, for the user with UID=999 you can do it in your pod definition like this:

    securityContext:
        runAsUser: 999
-- Anton Kostenko
Source: StackOverflow
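To make the second answer's point concrete, here is an added Python model of the kubelet's runAsNonRoot verification (example code written for this page, not the kubelet's own source). It reproduces the decision order the quoted Go fragment belongs to: an explicit `runAsUser` is checked directly; otherwise the image's USER is consulted, and a name the kubelet cannot map to a UID is rejected. The `asker_scenario` and `fixed_scenario` inputs are constructed from the question (image USER `appuser`, UID 999) and the answer's fix.

```python
"""Model of the kubelet's runAsNonRoot check quoted in the answer above."""
from typing import Optional, Tuple


def parse_image_user(image_user: str) -> Tuple[Optional[int], str]:
    """Split an image's USER value into (uid, username) the way the kubelet does.

    A numeric USER (optionally "uid:gid") yields a uid. Anything else is only a
    name: the kubelet never reads the image's /etc/passwd, so it cannot tell
    whether "appuser" is 999 or 0, and reports it as unverifiable.
    """
    if not image_user:
        return None, ""
    candidate = image_user.split(":", 1)[0]  # "999:999" -> "999"
    if candidate.isdigit():
        return int(candidate), ""
    return None, image_user


def verify_run_as_non_root(pod_sc: dict, container_sc: dict, image_user: str) -> Optional[str]:
    """Return None if the container may start, else the kubelet-style error text."""
    # Container-level securityContext fields override pod-level ones.
    effective = {**pod_sc, **container_sc}
    if not effective.get("runAsNonRoot"):
        return None  # policy not requested, nothing to verify
    run_as_user = effective.get("runAsUser")
    if run_as_user is not None:
        if run_as_user == 0:
            return "container's runAsUser breaks non-root policy"
        return None  # explicit non-zero UID: verifiable, so allowed
    uid, username = parse_image_user(image_user)
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    if uid is None and username:
        return (f"container has runAsNonRoot and image has non-numeric user "
                f"({username}), cannot verify user is non-root")
    return None


def asker_scenario() -> Optional[str]:
    # Constructed from the question: Dockerfile USER appuser, PSP forces runAsNonRoot.
    return verify_run_as_non_root({"runAsNonRoot": True}, {}, "appuser")


def fixed_scenario() -> Optional[str]:
    # Same image plus the answer's fix: securityContext.runAsUser: 999.
    return verify_run_as_non_root({"runAsNonRoot": True}, {"runAsUser": 999}, "appuser")


if __name__ == "__main__":
    print("before fix:", asker_scenario())
    print("after fix: ", fixed_scenario())
```

Setting `USER 999` (numeric) in the Dockerfile instead of `USER appuser` passes the same check without any pod-level `runAsUser`, as the `"999:999"` case shows.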