Docker OpenShift is running all containers as UID 101 instead of taking the UID from the project range

Tags: docker, kubernetes, openshift

The OpenShift cluster was installed using the following documentation: when running a pod in any project, it always starts with the same UID 101:

$ oc run -it -n knative-serving --image busybox test1 sh
If you don't see a command prompt, try pressing enter.
~ $ id
uid=101(101) gid=0(root) groups=1000600000
This is a problem when a user 101 already exists in the image; in this case it also has GID 101, which prevents access to the filesystem (the filesystem permissions are set for GID 0).

The expected behaviour is that the container is created with a UID from the project range and GID 0.

OpenShift has been updated to the latest version: 4.5.14

EDIT: found the offending SCC, created by the nginx ingress operator

$ oc get scc nginx-ingress-scc -o yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities:
- NET_BIND_SERVICE
fsGroup:
  type: MustRunAs
groups:
- system:authenticated
kind: SecurityContextConstraints
metadata:
  creationTimestamp: "2020-09-29T04:19:43Z"
  generation: 5
  managedFields:
  - apiVersion: security.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:allowHostDirVolumePlugin: {}
      f:allowHostIPC: {}
      f:allowHostNetwork: {}
      f:allowHostPID: {}
      f:allowHostPorts: {}
      f:allowPrivilegeEscalation: {}
      f:allowPrivilegedContainer: {}
      f:allowedCapabilities: {}
      f:defaultAddCapabilities: {}
      f:fsGroup:
        .: {}
        f:type: {}
      f:priority: {}
      f:readOnlyRootFilesystem: {}
      f:requiredDropCapabilities: {}
      f:runAsUser:
        .: {}
        f:type: {}
      f:seLinuxContext:
        .: {}
        f:type: {}
      f:supplementalGroups:
        .: {}
        f:type: {}
      f:users: {}
      f:volumes: {}
    manager: nginx-ingress-operator
    operation: Update
    time: "2020-09-29T04:26:51Z"
  - apiVersion: security.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:groups: {}
      f:runAsUser:
        f:uid: {}
    manager: oc
    operation: Update
    time: "2020-10-21T23:10:00Z"
  name: nginx-ingress-scc
  resourceVersion: "17079015"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/nginx-ingress-scc
  uid: ffe0c34c-9fe4-4cf6-9d57-eb919c90d42a
priority: 20
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAs
  uid: 101
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: MustRunAs
users:
- ingress-nginx:my-nginx-ingress-controller
volumes:
- secret

When I edit this SCC and change the UID to 102, all new pods are now created with UID 102. I noticed that this SCC has priority 20, but the anyuid SCC has priority 10. I set the nginx SCC priority to 5 and the UID behaviour now seems to be anyuid (probably because I am running everything as the default temporary admin); no more uid 101.

Usually anything UID related is configured by SCCs in OpenShift; you can always use
oc describe scc
to see whether any SCC affects your user.


Edit by OP: see the question itself for more details on the solution to the problem.
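The question's edit (an SCC with priority 20 granted to system:authenticated beats anyuid at priority 10, and lowering it to 5 changes the outcome) and the answer's advice to check which SCC affects your user both come down to OpenShift's SCC selection rule: candidate SCCs are sorted by priority (highest first), then most restrictive first, then by name, and the first one that admits the pod is used. The simulation below is an added example, not code from the question, the answer or the nginx ingress operator. The nginx-ingress-scc values are copied from the YAML in the question; the built-in anyuid and restricted SCCs, the project uid range 1000600000/10000, and the identities' group memberships are constructed for the demo, and the restrictiveness score is a simplified stand-in for OpenShift's point system.

```python
"""Simulate how OpenShift picks a SecurityContextConstraints (SCC) object for a pod.

Added example, not part of the question or answer. The ordering rule (priority
descending, then most restrictive, then name) is OpenShift's documented behaviour;
the restrictiveness score is a simplified stand-in for the admission controller's
point system, and the project range and identity groups are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SCC:
    name: str
    run_as_user: str                  # "MustRunAs" | "MustRunAsRange" | "RunAsAny"
    priority: Optional[int] = None    # nil in the YAML is treated as 0
    uid: Optional[int] = None         # fixed uid used with MustRunAs
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    allow_privileged: bool = False

    def applies_to(self, user: str, user_groups: set) -> bool:
        """An SCC is a candidate when the identity is listed in users or groups."""
        return user in self.users or bool(set(self.groups) & user_groups)

    def restrictiveness(self) -> int:
        """Lower is more restrictive (simplified stand-in for OpenShift's points)."""
        return (1 if self.run_as_user == "RunAsAny" else 0) + (2 if self.allow_privileged else 0)


def order_sccs(sccs):
    """Evaluation order: highest priority first, then most restrictive, then name."""
    return sorted(sccs, key=lambda s: (-(s.priority or 0), s.restrictiveness(), s.name))


def resolve_uid(scc, project_uid_range, requested_uid=None, image_uid=0):
    """Return the uid the pod runs with under `scc`, or None if the SCC rejects it.

    project_uid_range mirrors the openshift.io/sa.scc.uid-range annotation
    ("start/size"); image_uid is the user baked into the image (busybox: root)."""
    if scc.run_as_user == "MustRunAs":
        # The fixed uid is forced on the pod; a conflicting explicit request fails.
        return scc.uid if requested_uid in (None, scc.uid) else None
    if scc.run_as_user == "MustRunAsRange":
        start, size = project_uid_range
        uid = start if requested_uid is None else requested_uid
        return uid if start <= uid < start + size else None
    if scc.run_as_user == "RunAsAny":
        return image_uid if requested_uid is None else requested_uid
    raise ValueError(f"unknown runAsUser strategy {scc.run_as_user!r}")


def admit(sccs, user, user_groups, project_uid_range, requested_uid=None, image_uid=0):
    """First SCC, in OpenShift order, that applies to the identity and validates the
    pod; returns (scc name, uid). Real admission considers both the requesting user
    and the pod's service account; here one identity is evaluated at a time."""
    for scc in order_sccs(sccs):
        if not scc.applies_to(user, user_groups):
            continue
        uid = resolve_uid(scc, project_uid_range, requested_uid, image_uid)
        if uid is not None:
            return scc.name, uid
    return None, None


def harden(scc):
    """Corrected form of the SCC: granted only to the users listed on it, not to
    system:authenticated, so pods in unrelated projects never match it."""
    return SCC(scc.name, scc.run_as_user, priority=scc.priority, uid=scc.uid,
               users=list(scc.users), groups=[], allow_privileged=scc.allow_privileged)


# nginx-ingress-scc as shown in the question, plus the two built-in SCCs it
# competes with (anyuid's priority of 10 is stated in the question).
NGINX_SCC_AS_FOUND = SCC("nginx-ingress-scc", "MustRunAs", priority=20, uid=101,
                         users=["ingress-nginx:my-nginx-ingress-controller"],
                         groups=["system:authenticated"])
ANYUID = SCC("anyuid", "RunAsAny", priority=10, groups=["system:cluster-admins"])
RESTRICTED = SCC("restricted", "MustRunAsRange", groups=["system:authenticated"])
CLUSTER_SCCS = [NGINX_SCC_AS_FOUND, ANYUID, RESTRICTED]

# Constructed project range ("1000600000/10000" in the uid-range annotation);
# the question only shows the project's supplemental group 1000600000.
PROJECT_UID_RANGE = (1000600000, 10000)

# Constructed identities: every authenticated identity, service accounts
# included, belongs to system:authenticated.
DEFAULT_SA = "system:serviceaccount:knative-serving:default"
DEFAULT_SA_GROUPS = {"system:authenticated", "system:serviceaccounts",
                     "system:serviceaccounts:knative-serving"}
ADMIN_GROUPS = {"system:authenticated", "system:cluster-admins"}

if __name__ == "__main__":
    fixed = [harden(NGINX_SCC_AS_FOUND), ANYUID, RESTRICTED]
    print("as found, default SA :", admit(CLUSTER_SCCS, DEFAULT_SA, DEFAULT_SA_GROUPS, PROJECT_UID_RANGE))
    print("hardened, default SA :", admit(fixed, DEFAULT_SA, DEFAULT_SA_GROUPS, PROJECT_UID_RANGE))
    print("hardened, operator   :", admit(fixed, NGINX_SCC_AS_FOUND.users[0], set(), PROJECT_UID_RANGE))
    print("as found, admin user :", admit(CLUSTER_SCCS, "kube:admin", ADMIN_GROUPS, PROJECT_UID_RANGE))
```

Running it reproduces the symptom (the default service account in knative-serving lands on nginx-ingress-scc and is forced to uid 101) and the fix: once the SCC is granted only to the operator's service account, unrelated pods fall through to restricted and get the first uid of the project range, while the operator's own pods keep uid 101. The last line shows why the OP saw anyuid behaviour as cluster admin after lowering the priority: an admin identity is also in system:cluster-admins, so anyuid at priority 10 is evaluated before the nginx SCC at 5. On a live cluster, the SCC that actually admitted a pod is recorded in the pod's openshift.io/scc annotation.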

Did you configure an SCC that allows setting the UID? Did you configure securityContext: runAsUser:? In your output I don't see "gid 101"; as expected you have gid 0, plus the additional group 1000600000. Also, please provide ls -l and ls -ld on the directory you are trying to write to.

I ran the following command for several projects: "oc adm policy add-scc-to-user anyuid -z default -n kaiburr-demo", but nothing else. UID 101 is used even in other projects that don't have this scc. As you can see from my cmd, I haven't configured any securityContext. I mentioned gid 101 is only present when the docker image has such a user. Will edit the question to show this.

Added more details to the question.

Could you provide the output of oc describe project kaiburr-app to see the uid range and supplemental groups?

Although something is very off, I bet the scc is definitely wrong. Did you see anything suspicious in describe scc? Maybe there are some non-default service accounts in your project, anything?

Thanks Andrew, you were right about the SCC, that was very helpful! I checked the SCCs and found UID 101 there. Edited the question. If you want to add an answer, I will accept it. Still not sure why everything is now using the anyuid SCC, but I suspect it may be because I haven't configured cluster OAuth yet and am using the temporary admin.