5

I do understand the drawbacks of doing this; however, I have an image that will only work with the root user running the command within it.

The server Kubernetes version is v1.19.14. Inside my deployment.yaml I have:

spec:
  containers:
    - name: myapp
      securityContext:
        allowPrivilegeEscalation: false
        runAsUser: 0
      command: ...
      image: ...

But when I describe the rs I see the following:

  Type     Reason        Age                From                   Message
  ----     ------        ----               ----                   -------
  Warning  FailedCreate  0s (x13 over 21s)  replicaset-controller  Error creating: pods "myapp-7cdd994c56-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.containers[0].securityContext.runAsUser: Invalid value: 0: running with the root UID is forbidden]

What am I doing wrong?

Rudziankoŭ
  • Try creating an ad-hoc pod (without replicaset or deployment) with the same image and security context as you posted above. If this works, but not with rs/deployment, then it means your rs controller does not have the proper rolebinding to work with psp. Try creating a role binding to use the psp for the default SA of your namespace. – P.... Aug 29 '21 at 05:27
  • @P...., I run into the same issue when testing it against a pure Pod. – Rudziankoŭ Aug 29 '21 at 12:57
  • @Rudziankoŭ How is the cluster set up? Is it cloud or on-prem? Also, are there any `PodSecurityPolicy`s? This can be checked with `kubectl get PodSecurityPolicy` – moonkotte Aug 31 '21 at 14:02

1 Answer

0

The error message says:

PodSecurityPolicy: unable to admit pod: [spec.containers[0].securityContext.runAsUser: Invalid value: 0: running with the root UID is forbidden]

Pod Security Policy is defined in the documentation as:

[...] a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system [...]

You are using a cluster for which the Pod Security Policy forbids the use of root containers (see Pod Security Policy - Users and Groups).

You have to change the Pod Security Policy yourself or ask your cluster administrator to do so.

Note that:

PodSecurityPolicy is deprecated as of Kubernetes v1.21, and will be removed in v1.25.

Ortomala Lokni
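To make the rejection above concrete, here is an added example (not part of the question or the answer) that models the PodSecurityPolicy runAsUser admission check for the three documented strategies, MustRunAsNonRoot, MustRunAs with ranges and RunAsAny. The policies and the pod spec are constructed to match the question; the error strings mirror the format of the message the replicaset-controller reported.

```python
# Added example: a small model of the PSP runAsUser rule, not the real admission plugin.
# It shows why the deployment in the question is rejected under a MustRunAsNonRoot
# policy and which strategy an administrator would have to grant for a root container.

# Constructed policies; RESTRICTED_PSP reproduces the behaviour seen in the question.
RESTRICTED_PSP = {"runAsUser": {"rule": "MustRunAsNonRoot"}}
RANGED_PSP = {"runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 1000, "max": 65535}]}}
ROOT_ALLOWED_PSP = {"runAsUser": {"rule": "RunAsAny"}}

# Constructed pod spec, equivalent to the deployment in the question.
MYAPP_POD = {
    "containers": [
        {"name": "myapp",
         "securityContext": {"allowPrivilegeEscalation": False, "runAsUser": 0}}
    ]
}


def effective_uid(container: dict, pod: dict):
    """Container-level runAsUser overrides the pod-level one; None means 'use the image's user'."""
    pod_uid = pod.get("securityContext", {}).get("runAsUser")
    return container.get("securityContext", {}).get("runAsUser", pod_uid)


def check_run_as_user(psp: dict, pod: dict) -> list:
    """Return one PSP-style error per container whose runAsUser violates psp['runAsUser'].
    An empty list means the runAsUser strategy admits the pod."""
    rule = psp["runAsUser"]["rule"]
    ranges = psp["runAsUser"].get("ranges", [])
    errors = []
    for i, c in enumerate(pod["containers"]):
        uid = effective_uid(c, pod)
        path = f"spec.containers[{i}].securityContext.runAsUser"
        if rule == "RunAsAny" or uid is None:
            # RunAsAny accepts any UID. With no explicit UID, MustRunAsNonRoot defers the
            # check to the kubelet (runAsNonRoot: true) and MustRunAs defaults to ranges[0].min.
            continue
        if rule == "MustRunAsNonRoot" and uid == 0:
            errors.append(f"{path}: Invalid value: 0: running with the root UID is forbidden")
        elif rule == "MustRunAs" and not any(r["min"] <= uid <= r["max"] for r in ranges):
            allowed = ", ".join(f"{r['min']}-{r['max']}" for r in ranges)
            errors.append(f"{path}: Invalid value: {uid}: must be in the ranges: [{allowed}]")
    return errors


if __name__ == "__main__":
    for name, psp in [("restricted", RESTRICTED_PSP), ("ranged", RANGED_PSP), ("root-allowed", ROOT_ALLOWED_PSP)]:
        errs = check_run_as_user(psp, MYAPP_POD)
        print(f"{name}: {'admitted' if not errs else 'forbidden: ' + '; '.join(errs)}")
```

Running it shows the pod admitted only under the RunAsAny policy, which is the change (or the RBAC binding to such a policy) the cluster administrator would have to make.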