I later went back and created a new image file (on docker) and reran the runAsUser (and fsGroup) yaml file and it worked correctly.
On Friday, February 2, 2018 at 11:52:07 AM UTC-6, R Melton wrote:
>
> using kubectl v1.9 on client and server.
> ubuntu 16.04 server on GCP.
>
> I was trying to follow the demo listed on
> https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
> which assigns a security context to a pod when it is created.
> Pod yaml file is:
>
> apiVersion: v1
> kind: Pod
> metadata:
>   name: security-context-demo
> spec:
>   securityContext:
>     runAsUser: 1000
>     fsGroup: 2000
>   volumes:
>   - name: sec-ctx-vol
>     emptyDir: {}
>   containers:
>   - name: sec-ctx-demo
>     image: gcr.io/google-samples/node-hello:1.0
>     volumeMounts:
>     - name: sec-ctx-vol
>       mountPath: /data/demo
>     securityContext:
>       allowPrivilegeEscalation: false
>
> problem: pod always crashes and gets restarted many times:
>
> kubectl get pods
> NAME                       READY     STATUS             RESTARTS   AGE
> busybox-855686df5d-2667x   1/1       Running            1          1h
> security-context-demo      0/1       CrashLoopBackOff   1          12s   << this is the problem.
>
> I tried removing each securityContext section. Crash remains when either
> securityContext section is present in the yaml file.
>
> pod describe shows:
>
> Events:
>   Type     Reason                 Age                From               Message
>   ----     ------                 ----               ----               -------
>   Normal   Scheduled              58s                default-scheduler  Successfully assigned security-context-demo to worker-0
>   Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "sec-ctx-vol"
>   Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "default-token-ptfl5"
>   Normal   Pulled                 10s (x4 over 56s)  kubelet, worker-0  Container image "gcr.io/google-samples/node-hello:1.0" already present on machine
>   Normal   Created                10s (x4 over 56s)  kubelet, worker-0  Created container
>   Normal   Started                10s (x4 over 56s)  kubelet, worker-0  Started container
>   Warning  BackOff                9s (x6 over 54s)   kubelet, worker-0  Back-off restarting failed container
>
> Logs in pod say:
>
> return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
> ^
>
> Error: EACCES: permission denied, open '/server.js'
>     at Error (native)
>     at Object.fs.openSync (fs.js:549:18)
>     at Object.fs.readFileSync (fs.js:397:15)
>     at Object.Module._extensions..js (module.js:415:20)
>     at Module.load (module.js:343:32)
>     at Function.Module._load (module.js:300:12)
>     at Function.Module.runMain (module.js:441:10)
>     at startup (node.js:139:18)
>     at node.js:968:3
>
> If I remove both securityContext sections, pod runs normally.
>
> So does the runAsUser function work or not?
>
> How to specify the securityContext and avoid the crash?
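An added example, not part of the thread and not Kubernetes project code: a pre-deployment check that walks an unpacked image root filesystem and lists the paths a pod's `runAsUser` and group set could not open, the condition behind the `EACCES` on `/server.js` above. The names `allowed` and `audit`, the 0600 mode on the constructed `server.js`, and the group set {0, 2000} (fsGroup plus an assumed primary group of 0) are assumptions for illustration.

```python
import os
import stat

READ, SEARCH = 4, 1  # r bit for files, x bit for directory traversal

def allowed(st, uid, gids, want):
    """POSIX mode check: only the first matching class (owner, group, other) counts."""
    if uid == 0:
        return True  # assumption: root keeps CAP_DAC_OVERRIDE
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def audit(rootfs, uid, gids):
    """List paths under rootfs that uid/gids cannot traverse (dirs) or read (files)."""
    denied = []
    for dirpath, dirnames, filenames in os.walk(rootfs):
        if not allowed(os.lstat(dirpath), uid, gids, SEARCH):
            denied.append(dirpath)
            dirnames[:] = []  # nothing below an unsearchable directory is reachable
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and not allowed(st, uid, gids, READ):
                denied.append(path)
    return sorted(denied)

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for an unpacked image root; the 0600 mode is an assumption.
    with tempfile.TemporaryDirectory() as rootfs:
        os.chmod(rootfs, 0o755)
        js = os.path.join(rootfs, "server.js")
        open(js, "w").close()
        os.chmod(js, 0o600)
        run_as_user = os.lstat(js).st_uid + 1000  # any non-owner, non-root UID
        print(audit(rootfs, run_as_user, {0, 2000}))
```

An empty result for the image's entrypoint files means the chosen UID can at least open them; a non-empty one points at files to `chmod` or `chown` when the image is rebuilt.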