SecurityContext should support runAsUser
I have an issue with my PodSecurityPolicy specifying runAsNonRoot as true.
The JuiceBalancer already uses the non-root user app, but Kubernetes needs a numeric id in order to verify that it is not the root user:

```
Error: container has runAsNonRoot and image has non-numeric user (app), cannot verify user is non-root
```

For this to work, the pod securityContext needs to specify runAsUser with the corresponding user id of app.
I would love a change to either:

- include the numeric id of the app user in the template:

  -- helm/multi-juicer/templates/juice-balancer-deployment.yaml
  ```yaml
  securityContext:
    runAsUser: 100
    runAsGroup: 101
  ```

- or include a template variable for the pod securityContext, so that users can modify it themselves:

  -- helm/multi-juicer/templates/juice-balancer-deployment.yaml
  ```yaml
  {{- if .Values.balancer.securityContext }}
  securityContext:
  {{ toYaml .Values.balancer.securityContext | indent 8 }}
  {{- end }}
  ```

  -- helm/multi-juicer/values.yaml
  ```yaml
  balancer:
    securityContext: {}
  ```
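The error in the issue comes from the kubelet's admission check for runAsNonRoot: it resolves the user the container will run as (container securityContext, then pod securityContext, then the image's USER) and can only prove "not root" when that value is numeric. The following script is an added example, not MultiJuicer project code, that replays this resolution over two constructed manifests: one matching the issue (image USER "app", no runAsUser) and one with the fix proposed above (pod securityContext runAsUser: 100). The container name, image-user mapping and manifests are constructed for the demonstration; the two error strings are the ones the kubelet emits.

```python
"""Replay the kubelet's runAsNonRoot verification for a pod manifest.

Added example (not part of MultiJuicer). Useful as a pre-deploy lint when a
PodSecurityPolicy or Pod Security admission forces runAsNonRoot: it tells you
whether the kubelet will be able to verify the user before the pod is rejected.
"""
from typing import Dict, Optional

# Messages the kubelet produces for the two failure cases.
ERR_ROOT = "container has runAsNonRoot and image will run as root"
ERR_NON_NUMERIC = ("container has runAsNonRoot and image has non-numeric user "
                   "({user}), cannot verify user is non-root")


def effective_user(pod: dict, container: dict, image_user: Optional[str]) -> Optional[str]:
    """Resolve the runtime user with Kubernetes precedence:
    container.securityContext.runAsUser > pod.securityContext.runAsUser > image USER.
    Returns None when nothing is set (the runtime then defaults to root)."""
    c_ctx = container.get("securityContext") or {}
    p_ctx = pod.get("spec", {}).get("securityContext") or {}
    if "runAsUser" in c_ctx:
        return str(c_ctx["runAsUser"])
    if "runAsUser" in p_ctx:
        return str(p_ctx["runAsUser"])
    return image_user  # e.g. "app", "100" or "100:101" from the Dockerfile USER line


def verify_non_root(pod: dict, container: dict, image_user: Optional[str]) -> Optional[str]:
    """Return None if the container passes, else the kubelet-style error message."""
    c_ctx = container.get("securityContext") or {}
    p_ctx = pod.get("spec", {}).get("securityContext") or {}
    # Container-level runAsNonRoot overrides the pod-level one.
    if not c_ctx.get("runAsNonRoot", p_ctx.get("runAsNonRoot", False)):
        return None
    user = effective_user(pod, container, image_user)
    if user is None:
        return ERR_ROOT
    uid = user.split(":", 1)[0]  # image USER may carry a group: "uid:gid"
    if not uid.isdigit():
        # A symbolic name cannot be resolved without the image's /etc/passwd,
        # so the kubelet refuses rather than guessing.
        return ERR_NON_NUMERIC.format(user=uid)
    if int(uid) == 0:
        return ERR_ROOT
    return None


def lint_pod(pod: dict, image_users: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each container name to its verification error (None when it passes).
    image_users maps container name -> USER declared by that container's image."""
    return {
        c["name"]: verify_non_root(pod, c, image_users.get(c["name"]))
        for c in pod["spec"]["containers"]
    }


# Constructed manifests: the situation from the issue and the proposed fix.
BEFORE = {
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "juice-balancer", "image": "example/juice-balancer"}],
    }
}
AFTER = {
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 100, "runAsGroup": 101},
        "containers": [{"name": "juice-balancer", "image": "example/juice-balancer"}],
    }
}
IMAGE_USERS = {"juice-balancer": "app"}  # constructed: image's USER is the symbolic "app"

if __name__ == "__main__":
    for label, pod in (("before", BEFORE), ("after", AFTER)):
        for name, err in lint_pod(pod, IMAGE_USERS).items():
            print(f"{label}/{name}: {err or 'ok'}")
```

The same precedence explains why setting runAsUser at the pod level (option one above) or via a values-driven securityContext (option two) both satisfy the policy: either way the kubelet sees a numeric, non-zero UID before it ever consults the image's USER.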
Issue Analytics
- State:
- Created 3 years ago
- Reactions:1
- Comments:5 (5 by maintainers)
Top GitHub Comments
@J12934 Thanks!
It was all working as expected for us. Thanks for the very quick release 🙏
I completely agree with you, the second option seems more appropriate either way. I can submit a PR for that 👍
There should be a way to specify a numeric user without using the securityContext 🤔 . Looking at cert-manager, they did exactly that. However, they used bazel for specifying the docker image instead of using a Dockerfile. I’ll try to understand how this works and report back!