How to submit a kubectl job and pass the user as runas

12/3/2019

I have a container that I want to run on Kubernetes Let's say image1

when I run kubectl apply -f somePod.yml (which runs the image1) how can I start the image with the user that runned the command kubectl?

-- Jorge Machado
kubectl
kubernetes

2 Answers

12/11/2019

I am still not sure if I good understood your question.

However, kubectl doesn't have an option to pass user or service account when creating jobs:

kubectl create job --help

Create a job with the specified name.

Examples:
  # Create a job
  kubectl create job my-job --image=busybox

  # Create a job with command
  kubectl create job my-job --image=busybox -- date

  # Create a job from a CronJob named "a-cronjob"
  kubectl create job test-job --from=cronjob/a-cronjob

Options:
      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or
map key is missing in the template. Only applies to golang and jsonpath output formats.
      --dry-run=false: If true, only print the object that would be sent, without sending it.
      --from='': The name of the resource to create a Job from (only cronjob is supported).
      --image='': Image name to run.
  -o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-file.
      --save-config=false: If true, the configuration of current object will be saved in its
annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to
perform kubectl apply on this object in the future.
      --template='': Template string or path to template file to use when -o=go-template,
-o=go-template-file. The template format is golang templates
[http://golang.org/pkg/text/template/#pkg-overview].
      --validate=true: If true, use a schema to validate the input before sending it

Usage:
  kubectl create job NAME --image=image [--from=cronjob/name] -- [COMMAND] [args...] [flags]
[options]

Use "kubectl options" for a list of global command-line options (applies to all commands).

You can specify many factors inside your YAML definition. For example you could create ServiceAccount or specify runAsUser in a pod configuration. However, this requires to have a definition file instead of run-level with kubectl.

Here you can find how to do it with runAsUser parameter.

You could also consider using ServiceAccount. Here you have article which might help you. However you would need to create specific ServiceAccount It would look similar like:

apiVersion: v1
kind: Pod
metadata:
   name: pod-demo-sa
spec:
   serviceAccountName: demo-sa
   containers:
name: alpine
     image: alpine:3.9
     command:
"sleep"
"10000"

If this would be for some labs or practice you could also think about creating customized docker image using Dockerfile.

Unfortunately previous options are hardcoded. Other solution would need a specific scritp and many pipelines.

In addition, as you mentioned in title, to pass some values to configuration you can use ConfigMap.

-- PjoterS
Source: StackOverflow

12/26/2019

It's not possible by design. Please find explanation below:

In the most cases Jobs create Pods, so I use Pods in my explanation.
In case of Jobs it means just a bit different YAML file.

$ kubectl explain job.spec.
$ kubectl explain job.spec.template.spec

Users run kubectl using user accounts.

Pods are runing using service accounts. There is no way to run pod "from user account".
Note: in recent versions spec.ServiceAccount was replaced by spec.serviceAccountName

However, you can use user account credentials by running kubectl inside a Pod's container or making curl requests to Kubernetes api-server from inside a pod container.
Using Secrets is the most convenient way to do that.

What else you can do differentiate users in the cluster:

This way if the user creates a Pod without specifying spec.ServiceAccountName, by default it will use default service-account from Pod's namespace.

You can even set for the default service account the same permissions as for the user account. The only difference would be that service accounts exist in the specific namespace.

If you need to use the same namespace for all users, you can use helm charts to set the correct serviceAccountName for each user ( imagine you have service-accounts with the same name as users ) by using --set command line arguments as follows:

$ cat testchart/templates/job.yaml 
...
   serviceAccountName: {{ .Values.saname }}
...

$ export SANAME=$(kubectl config view --minify -o jsonpath='{.users[0].name}')
$ helm template ./testchart --set saname=$SANAME
---
# Source: testchart/templates/job.yaml
...
   serviceAccountName: kubernetes-admin
...

You can also specify namespace for each user in the same way.

-- VAS
Source: StackOverflow