PodSecurityPolicy malfunctions with specific ImagePullPolicy

6/17/2019

I am trying to deploy a Pod in my v1.13.6-gke.6 k8s cluster.

The image that I'm using is pretty simple:

FROM scratch
LABEL maintainer "Bitnami <containers@bitnami.com>"

COPY rootfs /

USER 1001
CMD [ "/chart-repo" ]

As you can see, the user is set to 1001.

The cluster that I am deploying the Pod in has a PSP setup.

spec:
  allowPrivilegeEscalation: false
  allowedCapabilities:
  - IPC_LOCK
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  runAsUser:
    rule: MustRunAsNonRoot

So basically, as per the MustRunAsNonRoot rule, the above image should run.

But when I ran the image, I randomly ran into:

Error: container has runAsNonRoot and image will run as root

So digging further, I got this pattern:

Every time I run the image with imagePullPolicy: IfNotPresent, I always run into the issue. Meaning every time I picked up a cached image, it gives the container has runAsNonRoot error.

  Normal   Pulled     12s (x3 over 14s)  kubelet, test-1905-default-pool-1b8e4761-fz8s  Container image "my-repo/bitnami/kubeapps-chart-repo:1.4.0-r1" already present on machine
  Warning  Failed     12s (x3 over 14s)  kubelet, test-1905-default-pool-1b8e4761-fz8s  Error: container has runAsNonRoot and image will run as root

BUT

Every time I run the image as imagePullPolicy: Always, the image SUCCESSFULLY runs:

  Normal  Pulled     6s    kubelet, test-1905-default-pool-1b8e4761-sh5g  Successfully pulled image "my-repo/bitnami/kubeapps-chart-repo:1.4.0-r1"
  Normal  Created    5s    kubelet, test-1905-default-pool-1b8e4761-sh5g  Created container
  Normal  Started    5s    kubelet, test-1905-default-pool-1b8e4761-sh5g  Started container

So I'm not really sure what all this is about. I mean, just because the ImagePullPolicy is different, why does it wrongly set up a PSP rule?

-- Jason Stanley
google-kubernetes-engine
kubernetes
kubernetes-pod
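The error text in the events above comes from the check the kubelet runs just before starting a container whose effective securityContext has runAsNonRoot: true (which is what the PSP's MustRunAsNonRoot rule sets on the admitted pod). The following is an added example, not code from the question and not the kubelet's own source: a simplified Go model of that decision, written from my reading of the kubelet's verifyRunAsNonRoot logic. The type and function names, and the reduction of the runtime's image status to a single User string, are my own assumptions. It shows the two paths that matter here: when the pod spec leaves runAsUser unset, the verdict depends entirely on the user recorded in the image config, and an empty or unreadable value resolves to uid 0 and produces exactly "container has runAsNonRoot and image will run as root"; when the pod spec pins runAsUser to a non-zero uid, the image metadata is never consulted.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// EffectiveSecurityContext is the merged pod/container securityContext.
// A PSP with runAsUser.rule: MustRunAsNonRoot leaves RunAsUser unset and
// sets RunAsNonRoot to true on the admitted pod.
type EffectiveSecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

// ImageConfig is the part of the runtime's image status that matters here:
// the User from the image config, i.e. the Dockerfile USER value ("" if none).
// (Assumed shape for this example; the real CRI ImageStatus carries more.)
type ImageConfig struct {
	User string
}

func boolPtr(b bool) *bool    { return &b }
func int64Ptr(i int64) *int64 { return &i }

// imageUser reduces the image's USER string to either a numeric uid or a
// username. The group half of "user:group" is ignored, and an empty value
// means the image would start as uid 0.
func imageUser(img ImageConfig) (uid *int64, username string) {
	user := strings.SplitN(img.User, ":", 2)[0]
	if user == "" {
		return int64Ptr(0), ""
	}
	if n, err := strconv.ParseInt(user, 10, 64); err == nil {
		return int64Ptr(n), ""
	}
	return nil, user
}

// VerifyRunAsNonRoot returns nil if the container may start, otherwise an
// error of the same kind the question's kubelet events show.
func VerifyRunAsNonRoot(sc EffectiveSecurityContext, img ImageConfig) error {
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		return nil // policy not requested, nothing to verify
	}
	if sc.RunAsUser != nil {
		// An explicit runAsUser is authoritative; the image metadata is
		// not consulted on this path.
		if *sc.RunAsUser == 0 {
			return errors.New("container's runAsUser breaks non-root policy")
		}
		return nil
	}
	// No runAsUser in the pod spec: fall back to what the runtime reports
	// the image will run as.
	uid, username := imageUser(img)
	switch {
	case uid != nil && *uid == 0:
		return errors.New("container has runAsNonRoot and image will run as root")
	case uid == nil && username != "":
		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)
	}
	return nil
}

func main() {
	nonRoot := EffectiveSecurityContext{RunAsNonRoot: boolPtr(true)}
	pinned := EffectiveSecurityContext{RunAsNonRoot: boolPtr(true), RunAsUser: int64Ptr(1001)}
	// Constructed cases, including the question's image (USER 1001) and the
	// situation where the kubelet sees no usable user in the image config.
	cases := []struct {
		name string
		sc   EffectiveSecurityContext
		img  ImageConfig
	}{
		{"USER 1001, runAsUser unset", nonRoot, ImageConfig{User: "1001"}},
		{"image user missing, runAsUser unset", nonRoot, ImageConfig{User: ""}},
		{"image user missing, runAsUser 1001 pinned", pinned, ImageConfig{User: ""}},
		{"USER nobody, runAsUser unset", nonRoot, ImageConfig{User: "nobody"}},
	}
	for _, c := range cases {
		fmt.Printf("%-45s -> %v\n", c.name, VerifyRunAsNonRoot(c.sc, c.img))
	}
}
```

The practical consequence for a cluster on an affected kubelet: setting securityContext.runAsUser: 1001 explicitly in the pod spec (the same uid the image's USER instruction already declares) satisfies MustRunAsNonRoot without depending on the image-config lookup at all, so it works regardless of whether the image was freshly pulled or taken from the node's cache. Upgrading the nodes remains the real fix; the pinned runAsUser is a mitigation, and a useful habit anyway because it no longer trusts image metadata for a policy decision.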

2 Answers

6/17/2019

Hard to tell based on the description. Do you have multiple nodes in your cluster?

At first, if you are seeing the error with imagePullPolicy: IfNotPresent and not seeing it with imagePullPolicy: Always, it's most likely due to having different container images on the local node than in the container registry.

It could be that you have an older version of my-repo/bitnami/kubeapps-chart-repo locally with the same tag?

-- Rico
Source: StackOverflow

6/17/2019

Found out the issue. It's a known issue with k8s for 2 specific versions: v1.13.6 & v1.14.2.

https://github.com/kubernetes/kubernetes/issues/78308

-- Jason Stanley
Source: StackOverflow