Hi Team, any idea why the configuration being accepted and the pod is being crea . . .

Karim:
Hi Team, any idea why the configuration is being accepted and the pod is being created, but it is not changing the user to 1010? The only reason I could think of is that the user ID doesn't exist in /etc/passwd.

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2022-09-29T21:23:27Z"
  name: ubuntu-sleeper
  namespace: default
  resourceVersion: "764"
  uid: b66d8606-1752-4554-90f4-851000d30b56
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    imagePullPolicy: Always
    name: ubuntu
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-8q2ts
      readOnly: true

unnivkn:
Hi @Karim, may I know how you are testing… I have used your code and it's working for me. FYR:

unnivkn:
controlplane $ cat 1.yaml
apiVersion: v1
kind: Pod
metadata:
  #creationTimestamp: "2022-09-29T21:23:27Z"
  name: ubuntu-sleeper
  namespace: default
  #resourceVersion: "764"
  #uid: b66d8606-1752-4554-90f4-851000d30b56
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    imagePullPolicy: Always
    name: ubuntu
    #resources: {}
    #terminationMessagePath: /dev/termination-log
    #terminationMessagePolicy: File
    #volumeMounts:
    #- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    #  name: kube-api-access-8q2ts
    #  readOnly: true
controlplane $

Aneek Bera:
Hmm, it works for me also.

Aneek Bera:
Container images may have a specific user and/or group configured for the process to run as. This can be overridden with the runAsUser and runAsGroup configuration settings.

Often these are set up in conjunction with volume mounts containing files that have the same ownership IDs.

If we configure a different user, it will fail to start up because that user doesn’t exist in the image /etc/passwd file.

Aneek Bera:
From the below image:

  1. Username: It is used when the user logs in. It should be between 1 and 32 characters in length.
  2. Password: An x character indicates that the encrypted password is stored in the /etc/shadow file (https://www.cyberciti.biz/faq/understanding-etcshadow-file/). Please note that you need to use the passwd command to compute the hash of a password typed at the CLI or to store/update the hash of the password in the /etc/shadow file.
  3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further, UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
  4. Group ID (GID): The primary group ID (stored in the /etc/group file).
  5. User ID Info (GECOS): The comment field. It allows you to add extra information about the user such as the user's full name, phone number, etc. This field is used by the finger command.
  6. Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exist, then the user's directory becomes /.
  7. Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell. For example, a sysadmin can use the nologin shell, which acts as a replacement shell for user accounts. If the shell is set to /sbin/nologin and the user tries to log in to the Linux system directly, the /sbin/nologin shell closes the connection.

Aneek Bera:
Please also check the file permissions.

Aneek Bera:
We can also get inside the directory and add the user. This will be a good troubleshooting session.

Karim:
Thanks @unnivkn. I guess what I was doing wrong was running ps aux at the level of the host, not the container, and there I see the process run by root… Is this expected?

Karim:
@unnivkn Funny enough, it doesn't work for me. I just tested it. This is a sample of the code:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2022-09-30T13:36:41Z"
  name: ubuntu-sleeper
  namespace: default
  resourceVersion: "702"
  uid: 29a1b058-c822-4459-9aa0-b5aee3da6fcd
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    imagePullPolicy: Always
    name: ubuntu
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-zbtck
      readOnly: true

Karim:

kubectl exec ubuntu-sleeper -it -- sh
# id
uid=0(root) gid=0(root) groups=0(root)