
I have a yaml file for creating a k8s pod with just one container. Is it possible to pre-add a username and its password from the yaml file during k8s pod creation?

I searched many sites and found the env variable. However, I could not make the pod work as I wished. The pod's status always shows Crashoff after pod creation.

Is it possible to pre-add a username and its password from the yaml file during k8s pod creation?

Following is my yaml file:

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: centos610-sp-v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: centos610-sp-v1
    spec:
      containers:
      - name: centos610-pod-v1
        image: centos-done:6.10
        env:
        - name: SSH_USER
          value: "user1"
        - name: SSH_SUDO
          value: "ALL=(ALL) NOPASSWD:ALL"
        - name: PASSWORD
          value: "password"
        command: ["/usr/sbin/useradd"]
        args: ["$(SSH_USER)"]
        ports:
        - containerPort: 22
        resources:
          limits:
            cpu: "500m"
            memory: "1G"
---
apiVersion: v1
kind: Service
metadata:
  name: centos610-sp-v1
  labels:
    app: centos610-sp-v1
spec:
  selector:
    app: centos610-sp-v1
  ports:
  - port: 22
    protocol: TCP
    nodePort: 31022
  type: NodePort
---

Should I use a specific command such as

env:
- name: MESSAGE
  value: "hello world"
command: ["/bin/echo"]
args: ["$(MESSAGE)"]

or

command: ["/bin/sh"]
args: ["-c", "while true; do echo hello; sleep 10;done"]

Pod's status after kubectl get:

root@zero:~/k8s-temp# kubectl get pod
NAME                               READY     STATUS             RESTARTS   AGE
centos610-sp-v1-6689c494b8-nb9kv   0/1       CrashLoopBackOff   5          3m

Pod's status after kubectl describe:

root@zero:~/k8s-temp# kubectl describe pod centos610-sp-v1-6689c494b8-nb9kv 
Name:           centos610-sp-v1-6689c494b8-nb9kv
Namespace:      default
Node:           zero/10.111.33.15
Start Time:     Sat, 16 Mar 2019 01:16:59 +0800
Labels:         app=centos610-sp-v1
                pod-template-hash=2245705064
Annotations:    <none>
Status:         Running
IP:             10.233.127.104
Controlled By:  ReplicaSet/centos610-sp-v1-6689c494b8
Containers:
  centos610-pod-v1:
    Container ID:  docker://5fa076c5d245dd532ef7ce724b94033d93642dc31965ab3fbde61dd59bf7d314
    Image:         centos-done:6.10
    Image ID:      docker://sha256:26362e9cefe4e140933bf947e3beab29da905ea5d65f27fc54513849a06d5dd5
    Port:          22/TCP
    Host Port:     0/TCP
    Command:
      /usr/sbin/useradd
    Args:
      $(SSH_USER)
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sat, 16 Mar 2019 01:17:17 +0800
      Finished:     Sat, 16 Mar 2019 01:17:17 +0800
    Last State:     Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sat, 16 Mar 2019 01:17:01 +0800
      Finished:     Sat, 16 Mar 2019 01:17:01 +0800
    Ready:          False
    Restart Count:  2
    Limits:
      cpu:     500m
      memory:  1G
    Requests:
      cpu:     500m
      memory:  1G
    Environment:
      SSH_USER:  user1
      SSH_SUDO:  ALL=(ALL) NOPASSWD:ALL
      PASSWORD:  password
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-qbd8x (ro)
Conditions:
  Type           Status
  Initialized    True 
  Ready          False 
  PodScheduled   True 
Volumes:
  default-token-qbd8x:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-qbd8x
    Optional:    false
QoS Class:       Guaranteed
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason                 Age               From               Message
  ----     ------                 ----              ----               -------
  Normal   Scheduled              22s               default-scheduler  Successfully assigned centos610-sp-v1-6689c494b8-nb9kv to zero
  Normal   SuccessfulMountVolume  22s               kubelet, zero      MountVolume.SetUp succeeded for volume "default-token-qbd8x"
  Normal   Pulled                 5s (x3 over 21s)  kubelet, zero      Container image "centos-done:6.10" already present on machine
  Normal   Created                5s (x3 over 21s)  kubelet, zero      Created container
  Normal   Started                4s (x3 over 21s)  kubelet, zero      Started container
  Warning  BackOff                4s (x3 over 19s)  kubelet, zero      Back-off restarting failed container

2019/03/18 UPDATE

Although pre-adding a username and password from the pod's yaml is not suggested, I just want to clarify how to use command & args from a yaml file. Finally, I used the following yaml file to create a username "user1" and its password "1234" successfully. Thank you all for your great answers, which made me more familiar with k8s configMap, RBAC, and container behavior.

Actually, this link gave me a reference on how to use command & args:

How to set multiple commands in one yaml file with Kubernetes?

Here is my final yaml file content:

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: centos610-sp-v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: centos610-sp-v1
    spec:
      containers:
      - name: centos610-pod-v1
        image: centos-done:6.10
        env:
        - name: SSH_USER
          value: "user1"
        - name: SSH_SUDO
          value: "ALL=(ALL) NOPASSWD:ALL"
        - name: PASSWORD
          value: "password"
        command: ["/bin/bash", "-c"]
        args: ["useradd $(SSH_USER); service sshd restart; echo $(SSH_USER):1234 | chpasswd; tail -f /dev/null"]
        ports:
        - containerPort: 22
        resources:
          limits:
            cpu: "500m"
            memory: "1G"
---
apiVersion: v1
kind: Service
metadata:
  name: centos610-sp-v1
  labels:
    app: centos610-sp-v1
spec:
  selector:
    app: centos610-sp-v1
  ports:
  - port: 22
    protocol: TCP
    nodePort: 31022
  type: NodePort
---
Spark1231
  • 45
  • 1
  • 6
  • What do you want to achieve by adding a user to a container? – c4f4t0r Mar 15 '19 at 15:22
  • For example, this container will be provided to my colleague/customer and they prefer their own dedicated username and password. That is why I want to add a username and password – Spark1231 Mar 15 '19 at 15:28
  • But a container is not a server; you need to configure RBAC in Kubernetes and give them access to this deployment – c4f4t0r Mar 15 '19 at 15:30
  • That's not how containers are supposed to be used. You seem to be wanting to use a container as a VM. Anyway, there is no SSH daemon running in the container, so I don't know what you get out of this. – vjdhama Mar 15 '19 at 15:30
  • @vjdhama Hi, thank you for your answer. Actually, there is an SSH daemon under my yaml. Sorry that I did not provide all of it. I have posted the other part. – Spark1231 Mar 15 '19 at 15:34
  • @c4f4t0r has pointed this out rightly. SSH is not the right way to give access to a container in a K8s environment. You need to create service accounts for your colleagues/customers and give them access to Deployment resources etc. You can read up more here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ – vjdhama Mar 15 '19 at 15:37
  • 1
    Your role in RBAC could look something like this ```kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: pod-reader rules: - apiGroups: [""] resources: ["pods", "pods/log"] verbs: ["get", "list"] - apiGroups: [""] resources: ["pods/exec"] verbs: ["create"]``` – vjdhama Mar 15 '19 at 15:38
  • Thank you, you two. Although RBAC is a good way to control access privileges for a container, is there no way to add a user to a container from a yaml file? – Spark1231 Mar 15 '19 at 15:41
  • Can you share what the reason for the Crashoff is? The biggest issue I see with this yaml is the fact that your container will run the useradd, and then simply exit because it has completed its process. You should consider creating your own image with this user creation built in. – Frank Yucheng Gu Mar 15 '19 at 16:03
  • @FrankYuchengGu Hi Frank, I have posted the output of get/describe for that pod. Could you point out where I might be wrong? – Spark1231 Mar 15 '19 at 17:27
  • @Spark1231 Yep, this looks exactly like the situation I was describing. Simply put, your container is a singular process (in your case "useradd"). Once that process has finished running (the user was indeed added to the container system), the process is completed. You can see that there were no errors in the runtime since the exit code is 0. However, Kubernetes will try to restart the pod after it completes and after a few restarts it goes into the BackOff mode. If you simply want to add a user, you should create your custom image and pull from that image. – Frank Yucheng Gu Mar 15 '19 at 19:05
  • @FrankYuchengGu Hi Frank, thank you so much for your explanation. I think I get a better understanding of containers. If you have any better references (blogs) for a k8s beginner, I hope you can provide them to me. Thanks again. – Spark1231 Mar 16 '19 at 13:09
  • @Spark1231 Anytime! This problem, however, is rooted in your understanding of containers and how they are used. There are tons of great blogs about "docker container internals"; just google and read away. If you deeply understand what containers are and how they work, you will find Kubernetes to be a powerful battle axe rather than a double-bladed sword. – Frank Yucheng Gu Mar 16 '19 at 15:04

3 Answers

2

Keep the username and password in a ConfigMap or in a Secret object. Load those values into the container as environment variables.

Follow the reference https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/

P Ekambaram
  • 15,499
  • 7
  • 34
  • 59
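Worked example, added here and not part of the question or of any answer: it combines the advice above (credentials taken from a ConfigMap and a Secret instead of literal value: entries) with the command/args pattern from the question's 2019/03/18 update, and it addresses the CrashLoopBackOff that Frank Yucheng Gu explains in the comments by making sshd the container's foreground main process instead of a useradd that exits 0. The manifest assumes the centos-done:6.10 image from the question already contains sshd with its host keys generated and allows password authentication; the resource names ssh-user-config and ssh-user-creds and the mount path /run/secrets/ssh-user are made up for this example. The password is mounted as a file rather than exported as an environment variable, so, unlike the PASSWORD entry that is printed in the Environment section of the kubectl describe output above, it does not appear in pod descriptions or in the process environment. apps/v1 is used instead of the deprecated extensions/v1beta1, which is why spec.selector is present.

```yaml
# Added example (not from the question or answers). Names ssh-user-config,
# ssh-user-creds and /run/secrets/ssh-user are assumptions.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ssh-user-config
data:
  SSH_USER: "user1"            # non-sensitive, so a ConfigMap is fine
---
apiVersion: v1
kind: Secret
metadata:
  name: ssh-user-creds
type: Opaque
stringData:
  password: "1234"             # placeholder; the API server stores it base64-encoded under .data
---
apiVersion: apps/v1            # apps/v1 requires spec.selector (extensions/v1beta1 did not)
kind: Deployment
metadata:
  name: centos610-sp-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: centos610-sp-v1
  template:
    metadata:
      labels:
        app: centos610-sp-v1
    spec:
      containers:
      - name: centos610-pod-v1
        image: centos-done:6.10  # image from the question; assumed to ship sshd and its host keys
        env:
        - name: SSH_USER
          valueFrom:
            configMapKeyRef:
              name: ssh-user-config
              key: SSH_USER
        volumeMounts:
        - name: ssh-user-creds
          mountPath: /run/secrets/ssh-user
          readOnly: true
        command: ["/bin/bash", "-c"]
        args:
        - |
          set -eu
          # Tolerate an account that already exists in the image so the script is idempotent.
          id "$SSH_USER" >/dev/null 2>&1 || useradd "$SSH_USER"
          # Read the password from the mounted Secret file so it never enters the environment.
          echo "$SSH_USER:$(cat /run/secrets/ssh-user/password)" | chpasswd
          # exec makes sshd PID 1; -D keeps it in the foreground and -e sends its log to
          # stderr (visible via kubectl logs). The container now stays up instead of
          # exiting 0 after useradd and being restarted into CrashLoopBackOff.
          exec /usr/sbin/sshd -D -e
        ports:
        - containerPort: 22
        resources:
          limits:
            cpu: "500m"
            memory: "1G"
      volumes:
      - name: ssh-user-creds
        secret:
          secretName: ssh-user-creds
          defaultMode: 0400      # root-only read; the startup script runs as root
```

Apply it with kubectl apply -f and keep the NodePort Service from the question unchanged; its selector app=centos610-sp-v1 still matches. Because PID 1 is now sshd rather than a short-lived useradd, the container's State stays Running instead of cycling through Terminated/Completed and BackOff as in the describe output above. The Secret object should still be protected with RBAC as the comments suggest, since anyone who can read Secrets in the namespace can read the password.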
0

If you want to add the user anyway, regardless of the fact that you can achieve the same thing using a Kubernetes-native way, then please set up your user in the Docker image (Dockerfile, then build it) instead.

Hope this helps.

Ijaz Ahmad
  • 11,198
  • 9
  • 53
  • 73