kubernetes PodSecurityPolicy设置为runAsNonRoot,容器具有runAsNonRoot,图像具有非数字用户(appuser),无法验证用户是否为非根用户
kubernetes PodSecurityPolicy设置为runAsNonRoot,Pod未在获取错误后启动错误:容器具有runAsNonRoot且映像具有非数字用户(appuser),无法验证用户是否为非根用户 我们正在docker容器中创建用户(appuser)uid->999和组(appgroup)gid->999,并使用该用户启动容器 但是豆荚的制造是错误的kubernetes PodSecurityPolicy设置为runAsNonRoot,容器具有runAsNonRoot,图像具有非数字用户(appuser),无法验证用户是否为非根用户,kubernetes,kubernetes-security,Kubernetes,Kubernetes Security,kubernetes PodSecurityPolicy设置为runAsNonRoot,Pod未在获取错误后启动错误:容器具有runAsNonRoot且映像具有非数字用户(appuser),无法验证用户是否为非根用户 我们正在docker容器中创建用户(appuser)uid->999和组(appgroup)gid->999,并使用该用户启动容器 但是豆荚的制造是错误的 Events: Type Reason Age
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 53s default-scheduler Successfully assigned app-578576fdc6-nfvcz to appmagent01
Normal SuccessfulMountVolume 52s kubelet, appagent01 MountVolume.SetUp succeeded for volume "default-token-ksn46"
Warning DNSConfigForming 11s (x6 over 52s) kubelet, appagent01 Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local
Normal Pulling 11s (x5 over 51s) kubelet, appagent01 pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
Normal Pulled 11s (x5 over 51s) kubelet, appagent01 Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
Warning Failed 11s (x5 over 51s) kubelet, appagent01 Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
.
以下是验证结果:
case uid == nil && len(username) > 0:
return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)
以下是评论的全文:
// Verify RunAsNonRoot. Non-root verification only supports numeric user.
if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
return nil, cleanupAction, err
}
如您所见,在您的案例中,出现该消息的唯一原因是uid==nil
。根据源代码中的注释,我们需要设置一个数字用户值
因此,对于UID=999的用户,您可以在pod定义中执行此操作:
谢谢。安东:信息太多了。。我们将uid设置为999,用户名设置为appuser:)。。当用户成为999后,它工作了:)。。
securityContext:
runAsUser: 999