Menu
kubernetes PodSecurityPolicy set to runAsNonRoot, pods are not getting started post that Getting error Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
We are creating the user (appuser) uid -> 999 and group (appgroup) gid -> 999 in the docker container, and we are starting the container with that user.
But the pod creating is throwing error.
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 53s default-scheduler Successfully assigned app-578576fdc6-nfvcz to appmagent01
Normal SuccessfulMountVolume 52s kubelet, appagent01 MountVolume.SetUp succeeded for volume "default-token-ksn46"
Warning DNSConfigForming 11s (x6 over 52s) kubelet, appagent01 Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local
Normal Pulling 11s (x5 over 51s) kubelet, appagent01 pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
Normal Pulled 11s (x5 over 51s) kubelet, appagent01 Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
Warning Failed 11s (x5 over 51s) kubelet, appagent01 Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
.
564
The Kubernetes Pod SecurityContext provides two options runAsNonRoot and runAsUser to enforce non root users. You can use both options separate from each other because they test for different configurations. When you set runAsNonRoot: true you require that the container will run with a user with any UID other than 0.
If you want a pod to send requests directly to service resource you have to change pod's dnsPolicy to ClusterFirstWithHostNet . It should be used explicitly for pods running with hostNetwork: true . This way it will use cluster DNS and will be in host network.
runAsUser: 1000 means all containers in the pod will run as user UID 1000. fsGroup: 2000 means the owner for mounted volumes and any files created in that volume will be GID 2000.
Here is the implementation of the verification:
case uid == nil && len(username) > 0:
return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)
And here is the validation call with the comment:
// Verify RunAsNonRoot. Non-root verification only supports numeric user.
if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
return nil, cleanupAction, err
}
As you can see, the only reason of that messages in your case is uid == nil. Based on the comment in the source code, we need to set a numeric user value.
So, for the user with UID=999 you can do it in your pod definition like that:
securityContext:
runAsUser: 999
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
