I was trying to deploy a service to a Kubernetes cluster and first got the following error:
Error: container has runAsNonRoot and image will run as root
After some googling, I found out that there is a Pod Security Policy which doesn't allow me to run images as root, as suggested in the error.
I found out that adding the following securityContext configuration in my deployment definition would maybe solve my problem:
spec:
securityContext:
runAsUser: [uID]
fsGroup: [fsID]I couldn't find a way though to get the user id for a given username. Is it possible using kubectl? Or do I have to somehow assign my own userId/groupId?
As an example, let's say I am using the minikube context:
- context:
cluster: minikube
user: minikube
name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
user:
client-certificate: C:\...\client.crt
client-key: C:\...\client.keyThanks!
The uid and gid is shared between the Linux kernel and the Docker container. You can get the uid and gid to be used to run your containers by looking them up in /etc/passwd file of the host. You can create a user in your Linux host and use the corresponding ids or create the user in your Docker image with known ids and use them.
if the user has cluster admin role, the PSP will not applied for the user.
You can keep value zero for uID and fsID on securityContext if the minikube user is cluster admin.
You can verify this from the client-certificate file. The CN value on Subject column will provide the username and group details.
openssl x509 -in C:\...\client.crt -text -nooutor you have to do the changes on your Dockerfil. That will run the commands as non root user.
I couldn't find a way though to get the user id for a given username. Is it possible using kubectl? Or do I have to somehow assign my own userId/groupId?
You can run id command on your deployment something like kubectl exec -it <<pod name>> -- sh to see the user, group id for the said username, in this case, the current user context.