Using kubectl v1.9 on client and server. Ubuntu 16.04 server on GCP. I was trying to follow the demo listed on https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ which assigns a security context to a pod when it is created. Pod YAML file is:

    apiVersion: v1
    kind: Pod
    metadata:
      name: security-context-demo
    spec:
      securityContext:
        runAsUser: 1000
        fsGroup: 2000
      volumes:
      - name: sec-ctx-vol
        emptyDir: {}
      containers:
      - name: sec-ctx-demo
        image: gcr.io/google-samples/node-hello:1.0
        volumeMounts:
        - name: sec-ctx-vol
          mountPath: /data/demo
        securityContext:
          allowPrivilegeEscalation: false

Problem: pod always crashes and gets restarted many times:

    kubectl get pods
    NAME                       READY   STATUS             RESTARTS   AGE
    busybox-855686df5d-2667x   1/1     Running            1          1h
    security-context-demo      0/1     CrashLoopBackOff   1          12s   << this is the problem.

I tried removing each securityContext section. Crash remains when either securityContext section is present in the yaml file.

pod describe shows:

    Events:
      Type     Reason                 Age                From               Message
      ----     ------                 ----               ----               -------
      Normal   Scheduled              58s                default-scheduler  Successfully assigned security-context-demo to worker-0
      Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "sec-ctx-vol"
      Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "default-token-ptfl5"
      Normal   Pulled                 10s (x4 over 56s)  kubelet, worker-0  Container image "gcr.io/google-samples/node-hello:1.0" already present on machine
      Normal   Created                10s (x4 over 56s)  kubelet, worker-0  Created container
      Normal   Started                10s (x4 over 56s)  kubelet, worker-0  Started container
      Warning  BackOff                9s (x6 over 54s)   kubelet, worker-0  Back-off restarting failed container

Logs in pod say:

    return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
    ^
    Error: EACCES: permission denied, open '/server.js'
        at Error (native)
        at Object.fs.openSync (fs.js:549:18)
        at Object.fs.readFileSync (fs.js:397:15)
        at Object.Module._extensions..js (module.js:415:20)
        at Module.load (module.js:343:32)
        at Function.Module._load (module.js:300:12)
        at Function.Module.runMain (module.js:441:10)
        at startup (node.js:139:18)
        at node.js:968:3

If I remove both securityContext sections, pod runs normally.

So does the runAsUser function work or not?

How to specify the securityContext and avoid the crash?
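
An added example, not part of the original post: a POSIX read-permission check showing how a process started with the manifest's runAsUser 1000 and fsGroup 2000 can receive EACCES on a file baked into an image while still being able to use the mounted volume. The owner, group and mode given for each file, the primary GID of 0, and the function names are assumptions made for illustration; the post does not show the actual permissions of /server.js.

```python
import stat

def can_read(uid, gids, st_uid, st_gid, st_mode):
    """POSIX read check: exactly one permission class applies, first match wins."""
    if uid == 0:
        return True  # root with CAP_DAC_OVERRIDE bypasses the read bits
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)   # owner class only
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)   # group class only
    return bool(st_mode & stat.S_IROTH)       # everyone else

def denied_paths(uid, gids, files):
    """Return the paths in `files` that the given identity cannot open for reading."""
    return [path for path, (owner, group, mode) in files.items()
            if not can_read(uid, gids, owner, group, mode)]

# Identity from the pod spec: runAsUser 1000, fsGroup 2000 as a supplementary
# group. Primary GID 0 is an assumption (no runAsGroup is set in the manifest).
RUN_AS_USER = 1000
GROUPS = {0, 2000}

# Constructed sample metadata: path -> (owner uid, group gid, mode).
# These values are NOT taken from the node-hello image; they are illustrative.
SAMPLE_FILES = {
    "/server.js":         (0, 0, 0o600),        # root-only file in the image
    "/etc/hostname":      (0, 0, 0o644),        # world-readable
    "/data/demo":         (0, 2000, 0o2775),    # volume, group set by fsGroup
    "/data/demo/out.txt": (1000, 2000, 0o660),  # written by the container user
}

if __name__ == "__main__":
    for path in denied_paths(RUN_AS_USER, GROUPS, SAMPLE_FILES):
        print("EACCES expected for uid %d: %s" % (RUN_AS_USER, path))
```

fsGroup changes group ownership on the volume, not on files in the image layers, so a file that only root may read stays unreadable to UID 1000 unless the image is built with permissions that allow it.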