Kubernetes RunAsUser is forbidden

5/16/2018

When I try to create a pod with a non-root fsGroup (here 2000):

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: gcr.io/google-samples/node-hello:1.0
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: true

Hitting this error:

Error from server (Forbidden): error when creating "test.yml": pods "security-context-demo" is forbidden: pod.Spec.SecurityContext.RunAsUser is forbidden

Version

root@ubuntuguest:~# kubectl  version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.2", GitCommit:"81753b10df112992bf51bbc2c2f85208aad78335", GitTreeState:"clean", BuildDate:"2018-04-27T09:22:21Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.2", GitCommit:"81753b10df112992bf51bbc2c2f85208aad78335", GitTreeState:"clean", BuildDate:"2018-04-27T09:10:24Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

Can anyone help me with how to set a ClusterRoleBinding in the cluster?

-- Ravichandra
kubectl
kubernetes
kubernetes-security

3 Answers

9/4/2018

Need to disable the SecurityContextDeny admission plugin while setting up Kube-API.

On the master node:

ps -ef | grep kube-apiserver

And check the enabled plugins:

--enable-admission-plugins=LimitRanger,NamespaceExists,NamespaceLifecycle,ResourceQuota,ServiceAccount,DefaultStorageClass,MutatingAdmissionWebhook,DenyEscalatingExec

Ref: SecurityContextDeny

-- Ravichandra
Source: StackOverflow

6/6/2018

If the issue is indeed because of RBAC permissions, then you can try creating a ClusterRoleBinding with a cluster role, as explained here.

Instead of the last step in that post (using the authentication token to log in to dashboard), you'll have to use that token and the config in your kubectl client when creating the pod.

For more info on the use of contexts, clusters, and users, visit here.

-- code
Source: StackOverflow

7/15/2019
cd /etc/kubernetes

cp apiserver.conf apiserver.conf.bak

vim apiserver.conf

Find the SecurityContextDeny keyword and delete it.

:wq

systemctl restart kube-apiserver

That fixed it.

-- Nick.Jane
Source: StackOverflow
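The two answers above that point at SecurityContextDeny (the `ps -ef | grep kube-apiserver` check and the apiserver.conf edit) both come down to one question: is that plugin in the API server's admission plugin list, and what does the list look like without it? The script below is an added example, not code from any of the answers. It takes a kube-apiserver flag string (paste the command line from the `ps` output, or the flag value from the line you would edit in the config file), reports whether SecurityContextDeny is active, and prints the same flag string with the plugin removed so you can compare it against what you are about to write. The sample command line, IP address and plugin list are constructed for the demonstration; the plugin names themselves are real Kubernetes 1.10 admission plugins, and `--admission-control` is the older spelling of `--enable-admission-plugins`.

```shell
#!/bin/sh
# Added example (not from the original answers): check a kube-apiserver flag
# string for the SecurityContextDeny admission plugin, which is what produces
# "pod.Spec.SecurityContext.RunAsUser is forbidden", and compute the same flag
# string with that plugin removed. POSIX sh + awk only, so it runs anywhere.
#
# Constructed sample input standing in for the output of
#   ps -ef | grep kube-apiserver
# on the master. Address and plugin list are made up for the demonstration.
SAMPLE_CMDLINE='kube-apiserver --advertise-address=10.0.0.10 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota --secure-port=6443'

# Print the value of --enable-admission-plugins (or the older --admission-control)
# from a space-separated command line; prints nothing if neither flag is present.
admission_plugins() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= '$1 == "--enable-admission-plugins" || $1 == "--admission-control" { print $2; exit }'
}

# Succeed (exit 0) if the comma-separated list $1 contains the plugin $2 exactly.
has_plugin() {
    printf ',%s,\n' "$1" | grep -q ",$2,"
}

# Rewrite the command line so the admission plugin list no longer contains $2.
# Every other token is passed through unchanged. (Arguments containing spaces
# are not handled; kube-apiserver flags normally have none.)
without_plugin() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v p="$2" '
            $1 == "--enable-admission-plugins" || $1 == "--admission-control" {
                n = split($2, a, ",")
                v = ""
                for (i = 1; i <= n; i++) if (a[i] != p) v = v (v == "" ? "" : ",") a[i]
                $0 = $1 "=" v
            }
            { out = out (NR == 1 ? "" : " ") $0 }
            END { print out }'
}

# Report "deny" if SecurityContextDeny is active on the given command line,
# otherwise "allow"; a quick check to run before editing anything.
securitycontext_status() {
    if has_plugin "$(admission_plugins "$1")" SecurityContextDeny; then
        echo deny
    else
        echo allow
    fi
}

echo "status:    $(securitycontext_status "$SAMPLE_CMDLINE")"
echo "corrected: $(without_plugin "$SAMPLE_CMDLINE" SecurityContextDeny)"
```

Removing the plugin means the API server stops rejecting pods that set runAsUser, fsGroup, supplementalGroups or seLinuxOptions at all; the Kubernetes documentation describes SecurityContextDeny as a stop-gap for clusters that do not restrict those fields through pod security policies, so check what else in the cluster relied on it before restarting kube-apiserver with the corrected flag.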