7

I have added a security context in my pod which looks as follows:

spec:
  securityContext:
    runAsNonRoot: true

While running the pod I am getting the following error message (kubectl get pod pod-name -o=yaml):

container has runAsNonRoot and image has non-numeric user (default), cannot verify user is non-root

The message is intuitive, but after reading this Kubernetes blog it seems to me it should be very straightforward; what am I missing here?

Vishrant

3 Answers

17

This error comes only when your uid == nil. Based on the error text, we need to set a numeric user value.

So, for the user with UID=1000 you can do it in your pod definition like:

securityContext:
  runAsUser: 1000

So your securityContext should be like:

securityContext:
  fsGroup: 2000
  runAsNonRoot: true
  runAsUser: 1000

Check it out in the official docs here

Prafull Ladha
  • but the pod should have the user with `UID` 999? – Vishrant Dec 27 '18 at 18:49
  • also I did see this property `spec: runAsUser: rule: MustRunAsNonRoot`; will this help to run the container as non-root? – Vishrant Dec 27 '18 at 18:51
  • This is the Linux user uid. If you want to run the pod as a centos user in your Linux system, you need to provide the uid of the centos user. You can find the uid using `id -u` – Prafull Ladha Dec 27 '18 at 19:05
  • yes, I am using centos; if you mean to log in to the `pod` and get the user id, then it won't be feasible. I am using HELM to provide the securityContext, and at the moment of deployment I don't know whether the `pod` will have that user id or not. – Vishrant Dec 27 '18 at 19:10
  • but seems like `MustRunAsNonRoot` works. as per the code of `kubernetes` https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/policy/types.go#L368 – Vishrant Dec 27 '18 at 19:11
  • But you still need to provide the uid. Could you please replace the security context in my answer to your pod spec. It should work. UID=1000 shows that you want to run as non root with uid 1000. – Prafull Ladha Dec 27 '18 at 19:14
  • yup, I did that, and it worked. Though I am thinking what's the difference between running as `MustRunAsNonRoot` (as in my answer) and `runAsNonRoot: true` – Vishrant Dec 27 '18 at 19:24
  • This is what official doc says `MustRunAsNonRoot - Requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined (using a numeric UID) in the image. No default provided. Setting allowPrivilegeEscalation=false is strongly recommended with this strategy.` – Prafull Ladha Dec 27 '18 at 19:31
  • An interesting link to go over https://docs.bitnami.com/kubernetes/how-to/secure-kubernetes-cluster-psp/ Hope this clarifies some fog over it :) – Prafull Ladha Dec 27 '18 at 19:35
  • Thanks Prafull, that link was helpful, I understand from the link that image should have a user that is non-root, and that is restricted by providing `MustRunAsNonRoot` – Vishrant Dec 27 '18 at 19:46
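To make the decision behind the error concrete, here is an added example (not part of the answer above, and not the kubelet's own code) that models the verification in simplified form: an explicit runAsUser is authoritative, otherwise the image's USER directive is consulted, and only a numeric UID can be verified. The struct, the function name and the treatment of an empty USER as root are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SecurityContext models the two fields the runAsNonRoot check reads.
// RunAsUser is a pointer so that "unset" (nil) differs from UID 0.
type SecurityContext struct {
	RunAsNonRoot bool
	RunAsUser    *int64
}

// VerifyRunAsNonRoot is a simplified model of the kubelet's check (assumption,
// not the kubelet's code): an explicit runAsUser is authoritative; otherwise the
// image's USER directive is consulted, and only a numeric UID can be verified.
// imageUser is the raw USER value ("", "1000", "9000:9000", "centos", ...).
func VerifyRunAsNonRoot(sc SecurityContext, imageUser string) (bool, string) {
	if !sc.RunAsNonRoot {
		return true, "allowed" // nothing requested, nothing to verify
	}
	if sc.RunAsUser != nil {
		if *sc.RunAsUser == 0 {
			return false, "container's runAsUser breaks non-root policy"
		}
		return true, "allowed" // numeric non-zero UID: verifiable
	}
	// Strip an optional ":group" suffix, as in "USER 9000:9000".
	user := strings.SplitN(imageUser, ":", 2)[0]
	if user == "" {
		user = "0" // assumption: no USER directive means the image runs as root
	}
	uid, err := strconv.ParseInt(user, 10, 64)
	if err != nil {
		// A user name cannot be resolved without the image's /etc/passwd,
		// so the check refuses rather than guesses: this is the question's error.
		return false, fmt.Sprintf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", user)
	}
	if uid == 0 {
		return false, "container has runAsNonRoot and image will run as root"
	}
	return true, "allowed"
}
```

Calling it with `SecurityContext{RunAsNonRoot: true}` and image user "default" reproduces the question's error, while adding `RunAsUser: 1000` (the accepted answer) or building the image with `USER 9000:9000` passes.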
1

Adding this to the Dockerfile solved my issue

USER 9000:9000
so-random-dude
0

You can add the securityContext as follows:

spec:
  runAsUser:
    rule: MustRunAsNonRoot
  containers:
    - name: <container-name>

This can be confirmed with Kubernetes code

Vishrant
  • This is not the `securityContext` but a `PodSecurityPolicy` that you are referring to. Did this solve your problem? – Rico Dec 27 '18 at 21:54
  • not really, it disabled privilege escalation but not sure if the container was running as non-root user. – Vishrant Dec 27 '18 at 23:05