Thanks for the help. The image comes from gcr.io, so I posted a request on 
this image over there.

On Friday, February 2, 2018 at 11:52:07 AM UTC-6, R Melton wrote:
>
> using kubectl v1.9 on client and server.
> ubuntu 16.04 server on GCP.
>
> I was trying to follow the demo listed on 
> https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ 
> which assigns a security context to a pod when it is created.
> Pod yaml file is:
>
> apiVersion: v1
> kind: Pod
> metadata:
>   name: security-context-demo
> spec:
>   securityContext:
>     runAsUser: 1000
>     fsGroup: 2000
>   volumes:
>   - name: sec-ctx-vol
>     emptyDir: {}
>   containers:
>   - name: sec-ctx-demo
>     image: gcr.io/google-samples/node-hello:1.0
>     volumeMounts:
>     - name: sec-ctx-vol
>       mountPath: /data/demo
>     securityContext:
>       allowPrivilegeEscalation: false
>
> problem: pod always crashes and gets restarted many times:
>
> kubectl get pods
> NAME                       READY     STATUS             RESTARTS   AGE
> busybox-855686df5d-2667x   1/1       Running            1          1h
> security-context-demo      0/1       CrashLoopBackOff   1          12s   << this is the problem.
>
> I tried removing each securityContext section. Crash remains when either 
> securityContext section is present in the yaml file.
>
> pod describe shows:
>
> Events:
>   Type     Reason                 Age                From               Message
>   ----     ------                 ----               ----               -------
>   Normal   Scheduled              58s                default-scheduler  Successfully assigned security-context-demo to worker-0
>   Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "sec-ctx-vol"
>   Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "default-token-ptfl5"
>   Normal   Pulled                 10s (x4 over 56s)  kubelet, worker-0  Container image "gcr.io/google-samples/node-hello:1.0" already present on machine
>   Normal   Created                10s (x4 over 56s)  kubelet, worker-0  Created container
>   Normal   Started                10s (x4 over 56s)  kubelet, worker-0  Started container
>   Warning  BackOff                9s (x6 over 54s)   kubelet, worker-0  Back-off restarting failed container
>
>
> Logs in pod say:
>
> return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
>                  ^
>
> Error: EACCES: permission denied, open '/server.js'
>     at Error (native)
>     at Object.fs.openSync (fs.js:549:18)
>     at Object.fs.readFileSync (fs.js:397:15)
>     at Object.Module._extensions..js (module.js:415:20)
>     at Module.load (module.js:343:32)
>     at Function.Module._load (module.js:300:12)
>     at Function.Module.runMain (module.js:441:10)
>     at startup (node.js:139:18)
>     at node.js:968:3
>
>
> If I remove both securityContext sections, pod runs normally.
>
> So does the runAsUser function work or not?
>
> How to specify the securityContext and avoid the crash?
>

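An added example, not part of the original thread: a small Python model of the POSIX permission check behind the `EACCES` on `/server.js`, evaluated for the identity that the pod's `runAsUser: 1000` and `fsGroup: 2000` settings produce. The file modes in `CHAIN`, the helper names, and the image defaults (uid 0, primary gid 0) are assumptions, since the thread does not show the image's actual ownership or modes.

```python
import stat

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the rwx triplet (0-7) that applies to this caller."""
    if uid == owner_uid:
        return (mode >> 6) & 7          # owner class
    if owner_gid in gids:
        return (mode >> 3) & 7          # group class
    return mode & 7                     # other class

def first_denied(chain, uid, gids):
    """chain: (path, st_mode, st_uid, st_gid) per path component, root first.
    Returns the first path the caller cannot search/read, or None."""
    if uid == 0:
        return None  # root normally bypasses these checks (CAP_DAC_OVERRIDE)
    for path, mode, o_uid, o_gid in chain:
        need = 1 if stat.S_ISDIR(mode) else 4  # search bit on dirs, read on files
        if not class_bits(mode, o_uid, o_gid, uid, gids) & need:
            return path
    return None

def pod_identity(security_context, image_uid=0, image_gid=0):
    """uid and group set for a pod-level securityContext. fsGroup is added as
    a supplementary group. image_uid/image_gid are assumed image defaults."""
    uid = security_context.get("runAsUser", image_uid)
    gids = {image_gid}
    if "fsGroup" in security_context:
        gids.add(security_context["fsGroup"])
    return uid, gids

# Constructed metadata (assumption): a root-owned script readable by owner only.
CHAIN = [("/", stat.S_IFDIR | 0o755, 0, 0),
         ("/server.js", stat.S_IFREG | 0o600, 0, 0)]

if __name__ == "__main__":
    uid, gids = pod_identity({"runAsUser": 1000, "fsGroup": 2000})
    print("uid", uid, "groups", sorted(gids),
          "denied at:", first_denied(CHAIN, uid, gids))
```

To audit a real image, build the chain from `os.stat()` results (`st_mode`, `st_uid`, `st_gid`) collected inside the container before setting `runAsUser` on the pod.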