Kubernetes creating containers logs as root

3/26/2021

I created a test cluster and deployed a test app, the yaml for such app looks like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: app-tests
  name: app-tests
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-tests
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: app-tests
    spec:
      containers:
      - image: 192.168.0.7:5443/app-tests:0.0.4-SNAPSHOT
        name: app-tests
        resources: {}
        volumeMounts:
        - mountPath: "/var/data/app/"
          name: var-log-volume
      imagePullSecrets:
      - name: regcred
      volumes:
      - name: var-log-volume
        persistentVolumeClaim:
          claimName: pvlog01-claim
      securityContext:
        runAsNonRoot: true
        runAsUser: 99
status: {}
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: app-tests
  name: app-tests
spec:
  ports:
  - name: "8000"
    port: 8000
    protocol: TCP
    targetPort: 8000
  selector:
    app: app-tests
  type: NodePort
status:
  loadBalancer: {}

Dockerfile looks like this:

FROM java:8
RUN addgroup --gid 99 somebody && adduser --gid 99 --uid 99 somebody
USER somebody
EXPOSE 8001
ADD target/app-tests-0.0.4-SNAPSHOT.jar app-tests-0.0.4-SNAPSHOT.jar
ENTRYPOINT ["java", "-jar", "app-tests-0.0.4-SNAPSHOT.jar"]

The application works just fine; I can go and use the application. If I ssh into the container, I'm met by this:

somebody@apt-tests-8679898f9d-j2ssl:/$ whoami
somebody

However, I'm trying to read the standard output from a different process to send it to an ELK stack.

When I go to /var/log/pods and follow the links they lead me to a file like this:

/var/lib/docker/containers/09342171b20f42728d9535e30414b87e081cc1c80edb27fa3abad4fcaee46427/09342171b20f42728d9535e30414b87e081cc1c80edb27fa3abad4fcaee46427-json.log

which has its permissions set like this:

-rw-r-----. 1 root root 939 Mar 25 21:01 09342171b20f42728d9535e30414b87e081cc1c80edb27fa3abad4fcaee46427-json.log

which leads to problems when other processes try to read the output, given that they don't have root access.

I imagine this root/root in the process means I'm doing something terribly wrong (container running as root and creating files as root by default). I would expect the container to run under a different, less privileged user, but I don't really know what it is. I have been trying to read about security context to see if there's something else I need to change, but I have no idea what I am looking for.

Can someone please point me in the right direction?

-- im8bit
docker
kubernetes
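Added example (not part of the question or of any answer): a small check that parses the `ls -l` line quoted above, applies the ordinary Unix read-permission rules for a given user and group set, and parses records in the Docker json-file logging driver format (one JSON object per line with `log`, `stream` and `time` keys). The `*-json.log` file under `/var/lib/docker/containers/` is written by the Docker daemon on the host, not by the container process, so the pod's `runAsUser: 99` has no bearing on its ownership; the check makes visible why a collector running as uid 99 (the `somebody` user from the Dockerfile) cannot read a `0640 root:root` file while a collector running as root, or with `root` as a supplementary group, can. The `ls -l` line is the one from the question; the JSON log records are constructed samples, not the content of that file.

```python
"""Read-permission check for a container runtime log file plus a parser for
Docker json-file driver records. Added example; inputs are constructed."""
import json
from dataclasses import dataclass

# The `ls -l` line quoted in the question (the trailing "." after the mode is
# the SELinux context marker).
LS_LINE = ("-rw-r-----. 1 root root 939 Mar 25 21:01 "
           "09342171b20f42728d9535e30414b87e081cc1c80edb27fa3abad4fcaee46427-json.log")

# Constructed records in the json-file driver's line format; the messages are
# made up and are not the content of the file on the page.
SAMPLE_JSON_LOG = (
    '{"log":"Started app-tests in 4.2 seconds\\n","stream":"stdout",'
    '"time":"2021-03-25T21:01:00.000000000Z"}\n'
    '{"log":"WARN disk almost full\\n","stream":"stderr",'
    '"time":"2021-03-25T21:01:05.000000000Z"}\n'
)


@dataclass(frozen=True)
class FileEntry:
    mode: int    # permission bits, e.g. 0o640
    owner: str
    group: str
    name: str


def parse_ls_line(line: str) -> FileEntry:
    """Turn one `ls -l` line into a FileEntry (owner and group by name)."""
    fields = line.split()
    perm = fields[0].rstrip(".+@")  # drop SELinux / ACL / xattr marker
    bits = 0
    for i, ch in enumerate(perm[1:10]):  # skip the file-type character
        if ch in "rwxst":                # lowercase s/t imply the x bit is set
            bits |= 1 << (8 - i)
    return FileEntry(bits, fields[2], fields[3], fields[-1])


def can_read(entry: FileEntry, user: str, groups) -> bool:
    """Classic Unix DAC read check: root bypasses; otherwise the owner class
    applies if the user matches, else the group class if any of the user's
    groups (primary or supplementary) matches, else the 'other' class."""
    if user == "root":
        return True
    if user == entry.owner:
        return bool(entry.mode & 0o400)
    if entry.group in groups:
        return bool(entry.mode & 0o040)
    return bool(entry.mode & 0o004)


def parse_docker_json_log(text: str):
    """Parse json-file driver records into dicts with time, stream, message."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        records.append({"time": rec["time"], "stream": rec["stream"],
                        "message": rec["log"].rstrip("\n")})
    return records


def explain(entry: FileEntry, user: str, groups) -> str:
    """One-line verdict suitable for a troubleshooting report."""
    verdict = "can" if can_read(entry, user, groups) else "cannot"
    return (f"{user} (groups {sorted(groups)}) {verdict} read {entry.name}: "
            f"mode {entry.mode:04o}, owner {entry.owner}:{entry.group}")


if __name__ == "__main__":
    entry = parse_ls_line(LS_LINE)
    print(explain(entry, "somebody", {"somebody"}))  # uid 99 from the Dockerfile
    print(explain(entry, "root", {"root"}))
    for rec in parse_docker_json_log(SAMPLE_JSON_LOG):
        print(rec)
```

The point the check illustrates: changing the pod's `securityContext` only changes who the application process is inside the container; the runtime's log file on the node keeps the daemon's ownership and mode, which is why node-level log collectors are normally run with the privileges needed to read under `/var/log/pods` rather than as the application's user.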

0 Answers