I understand that to run a container as rootless you need to specify SecurityContext: runAsUser 1000 or a USER instruction in the Dockerfile.
The question about this is that the Kubernetes/Docker host system itself does not have a UID 1000.
Prior to this I learned that Linux user namespaces allow a user to have a different UID outside of the original NS.
So how does UID 1000 exist under the hood? Does the original root (UID 0) create a new user namespace in the container that is represented by UID 1000?
What happens if we specify UID 2000?
Posted on 2022-08-15 10:40:20
Hope this answer helps you.
I understand that to run a container as rootless you need to specify SecurityContext: runAsUser 1000 or a USER instruction in the Dockerfile
Except for runAsUser: 1000, you are correct. You can specify any UID, not just 1000. Keep in mind that whatever UID you want to use (runAsUser: UID), the UID should already exist!
Usually a base image will already have created a user and made it available, but it is left to the dev or deployment team to make use of it. For example, the official Node.js image ships with a user named node, UID 1000, that you can run as, but they do not explicitly set the current user to node in their Dockerfile. We either need to configure it at runtime with the runAsUser setting, or change the current user in the image with a derivative Dockerfile.
runAsUser: 1001 # hardcode user to non-root if not set in Dockerfile
runAsGroup: 1001 # hardcode group to non-root if not set in Dockerfile
runAsNonRoot: true # hardcode to non-root. Redundant to above if Dockerfile is set USER 1000

Keep in mind that runAsUser and runAsGroup make the container process run as non-root, but do not rely on the runAsUser or runAsGroup settings alone to guarantee this. Make sure runAsNonRoot: true is also set.
Here is a full example of a securityContext:
# generic pod spec that's usable inside a deployment or other higher level k8s spec
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    # basic container details
    - name: my-container-name
      # never use reusable tags like latest or stable
      image: my-image:tag
      # hardcode the listening port if Dockerfile isn't set with EXPOSE
      ports:
        - containerPort: 8080
          protocol: TCP
      readinessProbe: # I always recommend using these, even if your app has no listening ports (this affects any rolling update)
        httpGet: # Lots of timeout values with defaults, be sure they are ideal for your workload
          path: /ready
          port: 8080
      livenessProbe: # only needed if your app tends to go unresponsive or you don't have a readinessProbe, but this is up for debate
        httpGet: # Lots of timeout values with defaults, be sure they are ideal for your workload
          path: /alive
          port: 8080
      resources: # Because if limits = requests then QoS is set to "Guaranteed"
        limits:
          memory: "500Mi" # If container uses over 500MB it is killed (OOM)
          #cpu: "2" # Not normally needed, unless you need to protect other workloads or QoS must be "Guaranteed"
        requests:
          memory: "500Mi" # Scheduler finds a node where 500MB is available
          cpu: "1" # Scheduler finds a node where 1 vCPU is available
      # per-container security context
      # lock down privileges inside the container
      securityContext:
        allowPrivilegeEscalation: false # prevent sudo, etc.
        privileged: false # prevent acting like host root
  terminationGracePeriodSeconds: 600 # default is 30, but you may need more time to gracefully shutdown (HTTP long polling, user uploads, etc)
  # per-pod security context
  # enable seccomp and force non-root user
  securityContext:
    seccompProfile:
      type: RuntimeDefault # enable seccomp and the runtimes default profile
    runAsUser: 1001 # hardcode user to non-root if not set in Dockerfile
    runAsGroup: 1001 # hardcode group to non-root if not set in Dockerfile
    runAsNonRoot: true # hardcode to non-root. Redundant to above if Dockerfile is set USER 1000

Source:
Posted on 2022-08-15 11:07:59
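A point the answer above makes only in passing is that runAsUser, runAsGroup, runAsNonRoot and seccompProfile exist at both pod and container level, and a container-level value silently overrides the pod-level one; a review that only reads spec.securityContext can miss a sidecar that sets runAsUser: 0. The script below is an added example (not code from the answer or from Kubernetes): it resolves the effective securityContext per container and lints it for the settings the answer recommends. The three Pod specs are constructed dicts, equal to what yaml.safe_load() would return for the corresponding manifests.

```python
"""Resolve a container's effective securityContext and lint it.

Added example (not code from the original answer or from Kubernetes).
The Pod specs below are constructed dicts equal to what yaml.safe_load()
would produce from a manifest; the precedence rule applied is the one
Kubernetes uses: a field set in container.securityContext overrides the
same field in pod.securityContext.
"""
from typing import Any, Dict, List

# Fields that exist at both pod and container level (container wins).
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile")


def effective_security_context(pod: Dict[str, Any], container: Dict[str, Any]) -> Dict[str, Any]:
    """Merge pod-level and container-level securityContext the way the kubelet does."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    effective = {k: pod_sc[k] for k in SHARED_FIELDS if k in pod_sc}
    effective.update(ctr_sc)  # container-only fields plus any overrides of shared ones
    return effective


def lint_container(pod: Dict[str, Any], container: Dict[str, Any]) -> List[str]:
    """Return findings a reviewer would raise against this container's effective context."""
    sc = effective_security_context(pod, container)
    findings: List[str] = []
    if sc.get("privileged"):
        findings.append("privileged: true gives the process host-root equivalent access")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
        findings.append("allowPrivilegeEscalation not false: setuid binaries and file capabilities can regain privilege")
    uid = sc.get("runAsUser")
    if uid == 0:
        findings.append("runAsUser: 0 runs the process as root (container-level value overrides the pod-level one)")
    if not sc.get("runAsNonRoot"):
        # Without runAsNonRoot the kubelet never verifies the UID: the image's USER decides.
        findings.append("runAsNonRoot not true: UID is not verified at start, image USER (often root) decides")
    elif uid is None:
        findings.append("runAsNonRoot: true without runAsUser: start succeeds only if the image USER is a numeric non-zero UID")
    if (sc.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("seccompProfile not set: syscalls are unfiltered")
    return findings


def lint_pod(pod: Dict[str, Any]) -> Dict[str, List[str]]:
    return {c["name"]: lint_container(pod, c) for c in pod["spec"]["containers"]}


# Constructed sample 1: a typical unhardened Pod (no securityContext anywhere).
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
            "spec": {"containers": [{"name": "app", "image": "my-image:tag"}]}}

# Constructed sample 2: the shape of the answer's example (pod-level user/seccomp,
# container-level privilege lock-down).
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mypod"},
                "spec": {
                    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"},
                                        "runAsUser": 1001, "runAsGroup": 1001, "runAsNonRoot": True},
                    "containers": [{"name": "my-container-name", "image": "my-image:tag",
                                    "securityContext": {"allowPrivilegeEscalation": False,
                                                        "privileged": False}}]}}

# Constructed sample 3: same pod-level hardening, but a sidecar overrides runAsUser to 0.
# The kubelet would refuse to start that sidecar (runAsNonRoot check), and a lint
# that only looked at the pod-level context would miss it.
OVERRIDE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "override"},
                "spec": {
                    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"},
                                        "runAsUser": 1001, "runAsGroup": 1001, "runAsNonRoot": True},
                    "containers": [
                        {"name": "app", "image": "my-image:tag",
                         "securityContext": {"allowPrivilegeEscalation": False}},
                        {"name": "debug-sidecar", "image": "debug:tag",
                         "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": False}}]}}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD, OVERRIDE_POD):
        print(pod["metadata"]["name"], lint_pod(pod))
```

The hardened sample produces no findings, the bare one produces three, and the override sample is clean for the app container but flags the sidecar, which is exactly the case a pod-level-only review misses.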
Container-level tooling calls the setuid(2) system call with a numeric user ID. There is no particular requirement to "create" a user; if you are able to call setuid() at all, you can call it with any numeric uid.
You can demonstrate this easily with "plain Docker". The docker run -u option accepts any numeric uid; you can docker run -u 2000 and your container will (most likely) still run. It is also quite common to run a container with the same numeric user ID as the host user, docker run -u $(id -u), even if that uid does not exist in the container's /etc/passwd file.
At the Kubernetes layer this is less common. The container cannot effectively access host files in a cluster environment (...on which host?). If the image already sets a non-root user ID, you should be able to use it without setting it at the Kubernetes layer.
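To make the "numeric uid needs no passwd entry" point concrete, here is an added example (not code from either answer, nor from Docker, runc or the kubelet). It resolves a USER / docker run -u value the way a runtime does against a constructed image /etc/passwd, then applies the check the kubelet performs when runAsNonRoot is true, which is where a named USER such as node bites: the kubelet only trusts a numeric UID. The passwd content, the helper names and the paraphrased error messages are this example's own.

```python
"""Turn a USER / docker run -u value into a UID the way a runtime does, and
apply the kubelet's runAsNonRoot verification on top.

Added example (not code from the original answers, Docker, runc or the
kubelet). CONTAINER_PASSWD is a constructed /etc/passwd of an image; the
rules implemented are the runtime's: a numeric user needs no passwd entry
and is handed straight to setuid(2), a name must resolve inside the image's
passwd file (never the host's), and an unknown numeric UID gets gid 0.
Named groups (which would need /etc/group) are left out for brevity.
"""
import os
import pwd
from typing import Dict, Optional, Tuple

# Constructed image /etc/passwd, like the official Node.js image: a "node" user, UID 1000.
CONTAINER_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/sh
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """name -> (uid, gid) for each well-formed passwd line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def resolve_user(spec: str, passwd_text: str) -> Tuple[int, int]:
    """Resolve 'user', 'uid', 'user:gid' or 'uid:gid' to (uid, gid)."""
    users = parse_passwd(passwd_text)
    by_uid = {uid: gid for uid, gid in users.values()}
    user_part, _, group_part = spec.partition(":")
    if user_part.isdigit():
        uid = int(user_part)                 # numeric: no lookup needed at all
        gid = by_uid.get(uid, 0)             # unknown uid -> primary group 0, as runc does
    elif user_part in users:
        uid, gid = users[user_part]          # name: must exist in the *image's* passwd
    else:
        raise LookupError(f"unable to find user {user_part}: no matching entries in passwd file")
    if group_part:
        if not group_part.isdigit():
            raise LookupError(f"named group {group_part!r} needs /etc/group, not modelled here")
        gid = int(group_part)
    return uid, gid


def run_as_non_root_error(run_as_user: Optional[int], image_user: str) -> Optional[str]:
    """What the kubelet checks when runAsNonRoot is true (messages paraphrase the kubelet's).

    run_as_user is the effective securityContext.runAsUser (None if unset);
    image_user is the user part of the image config's USER ("" if never set).
    """
    image_user = image_user.partition(":")[0]
    if run_as_user is not None:
        return "container's runAsUser breaks non-root policy" if run_as_user == 0 else None
    if image_user == "" or (image_user.isdigit() and int(image_user) == 0):
        return "image will run as root"
    if not image_user.isdigit():
        return f"image has non-numeric user ({image_user}), cannot verify user is non-root"
    return None


def host_view(uid: int) -> Tuple[int, Optional[str]]:
    """The kernel only knows the number; a name exists only if some passwd file says so."""
    try:
        return uid, pwd.getpwuid(uid).pw_name
    except KeyError:
        return uid, None


if __name__ == "__main__":
    print(resolve_user("2000", CONTAINER_PASSWD))      # (2000, 0): no entry, still valid
    print(resolve_user("node", CONTAINER_PASSWD))      # (1000, 1000)
    print(run_as_non_root_error(None, "node"))         # cannot verify -> kubelet refuses to start
    print(host_view(os.getuid()))
    if os.geteuid() == 0:                              # what the runtime does after fork, before exec
        os.setresuid(2000, 2000, 2000)
        print("now running as", host_view(os.getuid()))
```

Run as root, the last branch really does drop to UID 2000 even though no such account exists on the host, which is the whole point of the answer. The runAsNonRoot check explains a common surprise with the Node.js image: USER node plus runAsNonRoot: true and no runAsUser fails at container start, while USER 1000 or runAsUser: 1000 passes.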
https://stackoverflow.com/questions/73358804