33

Kubernetes PodSecurityPolicy set to runAsNonRoot: pods are not getting started after that. Getting error: Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

We are creating the user (appuser) with uid -> 999 and the group (appgroup) with gid -> 999 in the Docker container, and we are starting the container with that user.

But the pod creation is throwing an error.

    Events:
      Type     Reason                 Age                From                           Message
      ----     ------                 ----               ----                           -------
      Normal   Scheduled              53s                default-scheduler              Successfully assigned app-578576fdc6-nfvcz to appmagent01
      Normal   SuccessfulMountVolume  52s                kubelet, appagent01  MountVolume.SetUp succeeded for volume "default-token-ksn46"
      Warning  DNSConfigForming       11s (x6 over 52s)  kubelet, appagent01  Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local 
      Normal   Pulling                11s (x5 over 51s)  kubelet, appagent01  pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Normal   Pulled                 11s (x5 over 51s)  kubelet, appagent01  Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Warning  Failed                 11s (x5 over 51s)  kubelet, appagent01  Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

user1819071

2 Answers

46

Here is the implementation of the verification:

    case uid == nil && len(username) > 0:
        return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)

And here is the validation call with the comment:

    // Verify RunAsNonRoot. Non-root verification only supports numeric user.
    if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
        return nil, cleanupAction, err
    }

As you can see, the only reason for that message in your case is uid == nil. Based on the comment in the source code, we need to set a numeric user value.

So, for the user with UID=999 you can do it in your pod definition like this:

    securityContext:
        runAsUser: 999

Anton Kostenko
  • Thanks a lot, Anton, so much for the information. We were setting uid as 999 and username as our appuser :) After taking the user as 999, it worked :) – user1819071 Apr 09 '18 at 18:38
  • I assume that the user in the Dockerfile should also be set to non-numeric, i.e. USER 999? – Banoona Oct 05 '21 at 17:24
  • 1
    I don't think you need the Dockerfile to be set to a non-numeric. I ran a 3rd party image which had "USER nonroot:nonroot" with "runAsUser: 65533" (the uid I chose is arbitrary) on kube and it works. – kiran01bm Oct 13 '21 at 06:48
  • 3
    I think it's also worth noting that using `securityContext.runAsUser` overrides the Dockerfile's default `USER` directive. The fix could also be as simple as using `USER 999` instead of `USER appuser`. With that you don't need to override the value from the outside at all. The reason for the error is that using a named user depends on the values in `/etc/passwd`, which could contain a 0 (root) user id for any named user, and k8s can't be sure about that. – tlwhitec Dec 09 '22 at 13:04
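As an added illustration (not code from the answer above or from Kubernetes itself), the following Go program models the two steps that the answer and tlwhitec's comment describe: first resolving the effective user (an explicit `runAsUser` overrides the image's `USER`; a numeric `USER` yields a uid, while a named `USER` leaves `uid == nil` because the kubelet cannot read the image's `/etc/passwd`), then the `runAsNonRoot` check that produces the error in the question. `ContainerSpec`, `effectiveUser` and `CheckContainer` are names chosen for this example; the real kubelet keeps its `runAsUser` check separate from the image-user check and carries pod and container names in its errors, so this is a simplified model of that logic, not the kubelet's code.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ContainerSpec is a simplified model (for this example only) of what the
// kubelet knows when it starts a container: the securityContext fields
// from the pod and the USER configured in the image.
type ContainerSpec struct {
	RunAsNonRoot bool   // securityContext.runAsNonRoot
	RunAsUser    *int64 // securityContext.runAsUser (nil when unset)
	ImageUser    string // USER from the image config: "appuser", "999", "999:999" or ""
}

// effectiveUser applies the precedence discussed in the thread: an explicit
// runAsUser wins over the image USER. A numeric USER becomes a uid; a named
// USER is returned as username with uid == nil, since the name can only be
// resolved inside the container's /etc/passwd.
func effectiveUser(c ContainerSpec) (uid *int64, username string) {
	if c.RunAsUser != nil {
		u := *c.RunAsUser
		return &u, ""
	}
	user := c.ImageUser
	// USER may be written as "user:group"; only the user part matters here.
	if i := strings.Index(user, ":"); i >= 0 {
		user = user[:i]
	}
	if user == "" {
		// No USER directive: the image defaults to root (uid 0).
		zero := int64(0)
		return &zero, ""
	}
	if n, err := strconv.ParseInt(user, 10, 64); err == nil {
		return &n, ""
	}
	return nil, user
}

// verifyRunAsNonRoot reproduces the decision table quoted in the answer:
// a known uid of 0 is rejected, and a named user cannot be verified at all.
func verifyRunAsNonRoot(c ContainerSpec, uid *int64, username string) error {
	if !c.RunAsNonRoot {
		return nil
	}
	switch {
	case uid != nil && *uid == 0:
		return errors.New("container has runAsNonRoot and image will run as root")
	case uid == nil && len(username) > 0:
		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)
	}
	return nil
}

// CheckContainer ties both steps together and returns the error that would
// surface as a "Failed" event, or nil when the container may start.
func CheckContainer(c ContainerSpec) error {
	uid, username := effectiveUser(c)
	return verifyRunAsNonRoot(c, uid, username)
}

func main() {
	uid999 := int64(999)
	// Constructed cases covering the question, the accepted fix, the
	// Dockerfile-side fix and the root default.
	cases := []struct {
		name string
		spec ContainerSpec
	}{
		{"USER appuser, no runAsUser", ContainerSpec{RunAsNonRoot: true, ImageUser: "appuser"}},
		{"USER appuser, runAsUser 999", ContainerSpec{RunAsNonRoot: true, RunAsUser: &uid999, ImageUser: "appuser"}},
		{"USER 999:999, no runAsUser", ContainerSpec{RunAsNonRoot: true, ImageUser: "999:999"}},
		{"no USER at all", ContainerSpec{RunAsNonRoot: true, ImageUser: ""}},
	}
	for _, c := range cases {
		fmt.Printf("%-30s -> %v\n", c.name, CheckContainer(c.spec))
	}
}
```

Only the first and last cases fail: the named user cannot be verified, and a missing `USER` means root. Either `runAsUser: 999` in the pod spec or `USER 999` in the Dockerfile makes the check pass, which is exactly what the answer and the comments report.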
-1

Here is what worked for me. In the route.yml file, change the spec.host value to the right level where the cluster allows you to have the permissions. In my case it was:

from:

maximo-lab.domain.com 

to:

maximo-lab.subdomain.domain.com

I also checked this article on Red Hat, which didn't have the answer that worked for me. It may have the answer for others. https://developers.redhat.com/blog/2020/10/26/adapting-docker-and-kubernetes-containers-to-run-on-red-hat-openshift-container-platform#how_to_debug_issues

Carlos Ferreira
  • how is that related to the Q? – Tilo Jul 21 '23 at 18:24
  • The point is you may have improperly set your host name. So double check your host name; if it is wrong, it will fail. In my case I was getting the exact same error message. I corrected the hostname and it worked. – Carlos Ferreira Jul 26 '23 at 11:43