using kubectl v1.9 on client and server.
ubuntu 16.04 server on GCP.
I was trying to follow the demo listed
on https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
which assigns a security context to a pod when it is created.
Pod yaml file is:
apiVersion: v1kind: Podmetadata:
name: security-context-demospec:
securityContext:
runAsUser: 1000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: {}
containers:
- name: sec-ctx-demo
image: gcr.io/google-samples/node-hello:1.0
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
problem: pod always crashes and gets restarted many times:
*kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-855686df5d-2667x 1/1 Running 1 1h
security-context-demo 0/1 CrashLoopBackOff 1 12s <<
this is the problem.*
*I tried removing each securityContext section. Crash remains when either
securityContext section is present in the yaml file.*
*pod describe shows:*
*Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 58s default-scheduler
Successfully assigned security-context-demo to worker-0
Normal SuccessfulMountVolume 58s kubelet, worker-0
MountVolume.SetUp succeeded for volume "sec-ctx-vol"
Normal SuccessfulMountVolume 58s kubelet, worker-0
MountVolume.SetUp succeeded for volume "default-token-ptfl5"
Normal Pulled 10s (x4 over 56s) kubelet, worker-0
Container image "gcr.io/google-samples/node-hello:1.0" already present on
machine
Normal Created 10s (x4 over 56s) kubelet, worker-0 Created
container
Normal Started 10s (x4 over 56s) kubelet, worker-0 Started
container
Warning BackOff 9s (x6 over 54s) kubelet, worker-0
Back-off restarting failed container*
*Logs in pod say:*
*return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
^
Error: EACCES: permission denied, open '/server.js'
at Error (native)
at Object.fs.openSync (fs.js:549:18)
at Object.fs.readFileSync (fs.js:397:15)
at Object.Module._extensions..js (module.js:415:20)
at Module.load (module.js:343:32)
at Function.Module._load (module.js:300:12)
at Function.Module.runMain (module.js:441:10)
at startup (node.js:139:18)
at node.js:968:3*
*If I remove both securityContext sections, pod runs normally.*
*So does the runAsUser function work or not? *
*How to specify the securityContext and avoid the crash?*
--
You received this message because you are subscribed to the Google Groups
"Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to kubernetes-users+unsubscr...@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.
