kubernetes PodSecurityPolicy 设置为
runAsNonRoot
,出现错误后 pod 未启动 Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
我们正在 docker 容器中创建用户 (appuser) uid -> 999 和组 (appgroup) gid -> 999,并使用该用户启动容器。
但是创建 pod 时抛出错误。
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 53s default-scheduler Successfully assigned app-578576fdc6-nfvcz to appmagent01
Normal SuccessfulMountVolume 52s kubelet, appagent01 MountVolume.SetUp succeeded for volume "default-token-ksn46"
Warning DNSConfigForming 11s (x6 over 52s) kubelet, appagent01 Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local
Normal Pulling 11s (x5 over 51s) kubelet, appagent01 pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
Normal Pulled 11s (x5 over 51s) kubelet, appagent01 Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
Warning Failed 11s (x5 over 51s) kubelet, appagent01 Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
以下是验证的实现:
case uid == nil && len(username) > 0:
return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)
这是验证调用,并附有评论:
// Verify RunAsNonRoot. Non-root verification only supports numeric user.
if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
return nil, cleanupAction, err
}
如您所见,您的案例中出现该消息的唯一原因是
uid == nil
。根据源代码中的注释,我们需要设置一个数字用户值。
因此,对于 UID=999 的用户,您可以在 pod 定义中执行此操作像这样:
securityContext:
runAsUser: 999
将此
USER
添加到 Dockerfile 解决了我的问题。这里9000是任意数字
USER 9000:9000
这对我有用。在
route.yml
文件上,将 spec.host 值更改为集群允许您拥有权限的正确级别。就我而言,它是:
来自:
maximo-lab.domain.com
至:
maximo-lab.subdomain.domain.com
我还在 Redhat 上查看了这篇文章,但没有找到适合我的答案。它可能会给其他人带来答案。 https://developers.redhat.com/blog/2020/10/26/adapting-docker-and-kubernetes-containers-to-run-on-red-hat-openshift-container-platform#how_to_debug_issues