pod crashes when securityContext used.


R Melton

Feb 2, 2018, 12:52:07 PM
to Kubernetes user discussion and Q&A
using kubectl v1.9 on client and server.
ubuntu 16.04 server on GCP.

I was trying to follow the demo listed on https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ which assigns a security context to a pod when it is created.
Pod yaml file is:
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: gcr.io/google-samples/node-hello:1.0
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
problem: pod always crashes and gets restarted many times:
kubectl get pods
NAME                       READY     STATUS             RESTARTS   AGE
busybox-855686df5d-2667x   1/1       Running            1          1h
security-context-demo      0/1       CrashLoopBackOff   1          12s   << this is the problem.
I tried removing each securityContext section. Crash remains when either securityContext section is present in the yaml file.
pod describe shows:
Events:
  Type     Reason                 Age                From               Message
  ----     ------                 ----               ----               -------
  Normal   Scheduled              58s                default-scheduler  Successfully assigned security-context-demo to worker-0
  Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "sec-ctx-vol"
  Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "default-token-ptfl5"
  Normal   Pulled                 10s (x4 over 56s)  kubelet, worker-0  Container image "gcr.io/google-samples/node-hello:1.0" already present on machine
  Normal   Created                10s (x4 over 56s)  kubelet, worker-0  Created container
  Normal   Started                10s (x4 over 56s)  kubelet, worker-0  Started container
  Warning  BackOff                9s (x6 over 54s)   kubelet, worker-0  Back-off restarting failed container

Logs in pod say:
return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
                 ^

Error: EACCES: permission denied, open '/server.js'
    at Error (native)
    at Object.fs.openSync (fs.js:549:18)
    at Object.fs.readFileSync (fs.js:397:15)
    at Object.Module._extensions..js (module.js:415:20)
    at Module.load (module.js:343:32)
    at Function.Module._load (module.js:300:12)
    at Function.Module.runMain (module.js:441:10)
    at startup (node.js:139:18)
    at node.js:968:3

If I remove both securityContext sections, pod runs normally.
So does the runAsUser function work or not?  
How to specify the securityContext and avoid the crash?






Tim Hockin

Feb 2, 2018, 2:05:08 PM
to Kubernetes user discussion and Q&A
It looks like that file is not readable by a non-root user. You're
volunteering to lower your privileges, but you need to account for
that in the image. If this is a custom image, chmod ugo+r that file?
If it is a pre-built image, yell at whoever built it.
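The reply above points at the real cause: the image ships /server.js with permissions that only root can read, and runAsUser: 1000 gives up root's ability to ignore file modes. The following is an added example, not code from the thread or from the node-hello image. It is a preflight check a practitioner can run against an extracted image root filesystem (the rootfs path is an assumption; the example builds its own constructed sample tree instead) to list every regular file the configured runAsUser, with fsGroup as a supplementary group, could not open. It emulates the kernel's owner/group/other check, including the search bit on each directory along the path, and treats uid 0 as always allowed because root normally carries CAP_DAC_READ_SEARCH. It does not model POSIX ACLs or capabilities granted to non-root users.

```python
import os
import stat
import tempfile
from typing import Iterable, List


def dac_allows(mode: int, owner_uid: int, owner_gid: int,
               uid: int, gids: Iterable[int], want_read: bool) -> bool:
    """Emulate the kernel's discretionary access check for one inode.

    want_read=True tests the read bit (needed to open a file for reading);
    want_read=False tests the execute/search bit (needed to traverse a
    directory on the way to the file). uid 0 passes unconditionally, which
    models the root privilege a runAsUser pod gives up.
    """
    if uid == 0:
        return True
    # Classic Unix rule: exactly one class applies, owner first, then group,
    # then other. There is no fall-through if the selected class denies.
    if uid == owner_uid:
        sel_r, sel_x = stat.S_IRUSR, stat.S_IXUSR
    elif owner_gid in set(gids):
        sel_r, sel_x = stat.S_IRGRP, stat.S_IXGRP
    else:
        sel_r, sel_x = stat.S_IROTH, stat.S_IXOTH
    return bool(mode & (sel_r if want_read else sel_x))


def unreadable_paths(rootfs: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Walk an extracted image rootfs (assumed path) and return every regular
    file that uid/gids could not read, plus any directory they could not
    search (reported with a trailing separator; its subtree is skipped)."""
    gids = set(gids)
    bad: List[str] = []
    for dirpath, dirnames, filenames in os.walk(rootfs):
        st = os.lstat(dirpath)
        if not dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, want_read=False):
            bad.append(dirpath + os.sep)
            dirnames[:] = []          # nothing beneath is reachable; prune
            continue
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and not dac_allows(
                    st.st_mode, st.st_uid, st.st_gid, uid, gids, want_read=True):
                bad.append(p)
    return sorted(bad)


def build_fixture() -> str:
    """Constructed stand-in for an extracted image rootfs (sample data, not
    the contents of gcr.io/google-samples/node-hello:1.0). server.js gets
    mode 0600, the shape of the problem reported in the thread."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.chmod(root, 0o755)
    srv = os.path.join(root, "server.js")
    with open(srv, "w") as f:
        f.write("require('http').createServer().listen(8080);\n")
    os.chmod(srv, 0o600)
    lib = os.path.join(root, "usr", "lib")
    os.makedirs(lib)
    os.chmod(os.path.join(root, "usr"), 0o755)
    os.chmod(lib, 0o755)
    ok = os.path.join(lib, "ok.js")
    with open(ok, "w") as f:
        f.write("module.exports = {};\n")
    os.chmod(ok, 0o644)
    return root


if __name__ == "__main__":
    # Check the sample tree as the pod spec from the thread would run it:
    # runAsUser 1000 with fsGroup 2000 as a supplementary group.
    root = build_fixture()
    for path in unreadable_paths(root, uid=1000, gids={2000}):
        print("not readable by uid 1000:", path)
```

Running the check before applying a restrictive securityContext turns the CrashLoopBackOff into a build-time finding: each path it prints needs a chmod (for example ugo+r on the file and ugo+x on its parent directories) in the image's Dockerfile, or the image needs to be rebuilt with the intended non-root owner.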

R Melton

Feb 2, 2018, 2:48:10 PM
to Kubernetes user discussion and Q&A
Thanks for the help. The image comes from gcr.io, so I posted a request on this image over there.

R Melton

Feb 2, 2018, 6:56:15 PM
to Kubernetes user discussion and Q&A

I later went back and created a new image file (on docker) and reran the runAsUser (and fsGroup) yaml file and it worked correctly.



Tim Hockin

Feb 2, 2018, 7:21:54 PM
to Kubernetes user discussion and Q&A
Thanks for the followup!