Editing a running pod runAsUser to 1010 is taken as root

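I tried editing the running pod's runAsUser to 1010, but I am unable to do so; it keeps running as root. Do I need to edit or remove some more tags so that it runs correctly as user 1010? However, if I create the YAML from scratch and put runAsUser there, it is interpreted correctly.

Running the code below tells me the user is root, even though I specified 1010: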

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    imagePullPolicy: Always
    name: ubuntu
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-v9rcc
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: node01
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: default-token-v9rcc
    secret:
      defaultMode: 420
      secretName: default-token-v9rcc

controlplane $ k exec ubuntu-sleeper -- whoami
root

Similarly, if I run the code below, it tells me it is run by

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu-sleeper


controlplane $ k exec ubuntu-sleeper -- whoami
whoami: cannot find name for user ID 1010

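The reason the Pod is running as root is that securityContext is listed twice in the podSpec. See line 7 and line 30 of the sample file.

According to this issue on the Kubernetes GitHub project, the YAML and JSON parsers currently drop duplicate keys automatically. In your case, Kubernetes uses the second securityContext key, which is securityContext: {}.

It's pretty frustrating, I've been there! Hope this helps. If you want to track the status of any changes to the Kubernetes YAML parser that would make duplicate keys easier to detect in the future, follow the GitHub issue.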
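A line-based check for the duplicate-key problem described in the answer above, as an added example that is not part of the original post or of Kubernetes itself. It assumes block-style YAML as kubectl emits it (no flow mappings or multi-line scalars); the function name `duplicate_keys` and the abridged manifest are constructed for illustration.

```python
import re

# Constructed sample: abridged from the manifest in the question.
MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu
  securityContext: {}
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
"""

# Leading spaces, optional "- " list markers, then a plain key followed by ":".
KEY = re.compile(r'^( *)((?:- +)*)([A-Za-z0-9_./-]+):(?:\s|$)')

def duplicate_keys(manifest):
    """Return [(key, first_line, duplicate_line)] for keys repeated in one mapping."""
    stack = []  # one (indent, {key: line_no}) entry per currently open mapping
    found = []
    for no, line in enumerate(manifest.splitlines(), 1):
        m = KEY.match(line)
        if not m:
            continue
        lead, dashes, key = m.groups()
        indent = len(lead) + len(dashes)
        while stack and stack[-1][0] > indent:
            stack.pop()  # leave mappings nested deeper than this key
        if dashes and stack and stack[-1][0] == indent:
            stack.pop()  # "- " starts a new list item, so a new mapping
        if not stack or stack[-1][0] < indent:
            stack.append((indent, {}))
        first = stack[-1][1].setdefault(key, no)
        if first != no:
            found.append((key, first, no))
    return found
```

Running `duplicate_keys` on output saved from `kubectl get pod -o yaml` before editing flags the trailing empty `securityContext: {}` that overrides the one carrying `runAsUser`.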