Re: [kubernetes-users] pod crashes when securityContext used.

2018-02-02 Thread
It looks like that file is not readable by a non-root user.  You're
volunteering to lower your privileges, but you need to account for
that in the image.  If this is a custom image, chmod ugo+r that file?
If it is a pre-built image, yell at whoever built it.

On Fri, Feb 2, 2018 at 9:52 AM, R Melton wrote:
> using kubectl v1.9 on client and server.
> ubuntu 16.04 server on GCP.
>
> I was trying to follow the demo listed on
> https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
> which assigns a security context to a pod when it is created.
> Pod yaml file is:
>
> apiVersion: v1
> kind: Pod
> metadata:
>   name: security-context-demo
> spec:
>   securityContext:
>     runAsUser: 1000
>     fsGroup: 2000
>   volumes:
>   - name: sec-ctx-vol
>     emptyDir: {}
>   containers:
>   - name: sec-ctx-demo
>     image: gcr.io/google-samples/node-hello:1.0
>     volumeMounts:
>     - name: sec-ctx-vol
>       mountPath: /data/demo
>     securityContext:
>       allowPrivilegeEscalation: false
>
> problem: pod always crashes and gets restarted many times:
>
> kubectl get pods
> NAME                       READY     STATUS             RESTARTS   AGE
> busybox-855686df5d-2667x   1/1       Running            1          1h
> security-context-demo      0/1       CrashLoopBackOff   1          12s   << this is the problem.
>
> I tried removing each securityContext section. Crash remains when either
> securityContext section is present in the yaml file.
>
> pod describe shows:
>
> Events:
>   Type     Reason                 Age                From               Message
>   ----     ------                 ---                ----               -------
>   Normal   Scheduled              58s                default-scheduler  Successfully assigned security-context-demo to worker-0
>   Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "sec-ctx-vol"
>   Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "default-token-ptfl5"
>   Normal   Pulled                 10s (x4 over 56s)  kubelet, worker-0  Container image "gcr.io/google-samples/node-hello:1.0" already present on machine
>   Normal   Created                10s (x4 over 56s)  kubelet, worker-0  Created container
>   Normal   Started                10s (x4 over 56s)  kubelet, worker-0  Started container
>   Warning  BackOff                9s (x6 over 54s)   kubelet, worker-0  Back-off restarting failed container
>
>
> Logs in pod say:
>
> return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
>        ^
>
> Error: EACCES: permission denied, open '/server.js'
>     at Error (native)
>     at Object.fs.openSync (fs.js:549:18)
>     at Object.fs.readFileSync (fs.js:397:15)
>     at Object.Module._extensions..js (module.js:415:20)
>     at Module.load (module.js:343:32)
>     at Function.Module._load (module.js:300:12)
>     at Function.Module.runMain (module.js:441:10)
>     at startup (node.js:139:18)
>     at node.js:968:3
>
>
> If I remove both securityContext sections, pod runs normally.
>
> So does the runAsUser function work or not?
>
> How to specify the securityContext and avoid the crash?

-- 
You received this message because you are subscribed to the Google Groups 
"Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to kubernetes-users+unsubscr...@googlegroups.com.
To post to this group, send email to kubernetes-users@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.
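
As an added example that is not part of this thread (and not code from kubernetes or the node-hello image): a small Python preflight audit that re-implements the Unix read-permission decision for an arbitrary uid/gid, including the search (x) bit on every parent directory, and walks a rootfs to list the files that uid could not open. The rootfs directory, the uid/gid values and the stand-in server.js are constructed for the demo; against a real image you would point it at a tree exported with `docker export` (an assumed workflow, not something the thread describes) using the uid/gid you intend to set as runAsUser/fsGroup, and get the EACCES on /server.js as a list before the pod ever goes into CrashLoopBackOff.

```python
"""Preflight audit: which files in a rootfs can a non-root uid/gid actually read?

Added example for this thread (not code from the list, kubernetes, or the
node-hello image). It re-implements the ordinary Unix DAC decision: the
read bit of whichever class (owner / group / other) the caller falls into,
plus the search (x) bit on every directory between the rootfs root and the
file. Run it against an exported image tree (for example `docker export`,
an assumed workflow) with the uid/gid you intend to set as runAsUser /
fsGroup, and the EACCES on /server.js shows up before the pod is created.
"""
import os
import stat
import tempfile
from typing import Iterable, List, Tuple

ROOT_UID = 0  # uid 0 carries CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH and skips mode bits


def _class_bit(st: os.stat_result, uid: int, gids: set, owner: int, group: int, other: int) -> bool:
    """Test the permission bit of the class (owner, group, other) that uid/gids fall into."""
    if uid == st.st_uid:
        return bool(st.st_mode & owner)
    if st.st_gid in gids:
        return bool(st.st_mode & group)
    return bool(st.st_mode & other)


def can_read(path: str, uid: int, gids: Iterable[int], root: str = "/") -> Tuple[bool, str]:
    """Return (readable, reason) for `path` as seen by `uid` with group set `gids`.

    `root` is the directory treated as the container's `/`; every directory
    from `root` down to the file's parent needs the search (x) bit.
    """
    gids = set(gids)
    if uid == ROOT_UID:
        return True, "uid 0 bypasses DAC"
    parts = os.path.relpath(path, root).split(os.sep)
    dirs = [root]
    for part in parts[:-1]:
        dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        st = os.lstat(d)
        if not _class_bit(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, "no search permission on directory %s" % d
    st = os.stat(path)  # follow a symlink to the file actually opened
    if not _class_bit(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, "%s uid=%d gid=%d denies read" % (stat.filemode(st.st_mode), st.st_uid, st.st_gid)
    return True, "ok"


def audit_tree(root: str, uid: int, gids: Iterable[int]) -> List[Tuple[str, str]]:
    """Walk `root` and list regular files that `uid` could not open for reading."""
    gids = set(gids)
    denied = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(p).st_mode):
                continue  # skip symlinks, devices, sockets
            ok, why = can_read(p, uid, gids, root)
            if not ok:
                denied.append((os.sep + os.path.relpath(p, root), why))
    return denied


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed rootfs with a /server.js the way the thread describes it.

    Returns the audit result before and after the `chmod ugo+r` fix from the reply.
    """
    # Any uid other than the file owner stands in for runAsUser: 1000; gid 2000 is the fsGroup.
    uid = 1000 if os.getuid() != 1000 else 1001
    gids = [2000]
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)  # TemporaryDirectory creates 0700; an image's / is world-searchable
        app = os.path.join(root, "server.js")
        with open(app, "w") as f:
            f.write("require('http').createServer().listen(8080);\n")  # constructed stand-in
        os.chmod(app, 0o600)  # readable by the owner (root in the image) only -> EACCES for uid 1000
        before = audit_tree(root, uid, gids)
        os.chmod(app, 0o644)  # the fix the reply suggests: chmod ugo+r
        after = audit_tree(root, uid, gids)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)
    print("after fix: ", after)
```

Once the audit names the files, the fix belongs in the image, as the reply says: `RUN chmod ugo+r /server.js` in the Dockerfile, or copying the application files with an owner that matches the pod's securityContext (`COPY --chown=1000:2000 ...`). Note that fsGroup only changes ownership on volumes that support it (the emptyDir here); it does nothing to files baked into the image, which is why the image itself has to be readable by the runAsUser uid.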


[kubernetes-users] pod crashes when secuityContext used.

2018-02-02 Thread R Melton
using kubectl v1.9 on client and server.
ubuntu 16.04 server on GCP.

I was trying to follow the demo listed 
on https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ 
which assigns a security context to a pod when it is created.
Pod yaml file is:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: gcr.io/google-samples/node-hello:1.0
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

problem: pod always crashes and gets restarted many times:

kubectl get pods
NAME                       READY     STATUS             RESTARTS   AGE
busybox-855686df5d-2667x   1/1       Running            1          1h
security-context-demo      0/1       CrashLoopBackOff   1          12s   << this is the problem.

I tried removing each securityContext section. Crash remains when either
securityContext section is present in the yaml file.

pod describe shows:

Events:
  Type     Reason                 Age                From               Message
  ----     ------                 ---                ----               -------
  Normal   Scheduled              58s                default-scheduler  Successfully assigned security-context-demo to worker-0
  Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "sec-ctx-vol"
  Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "default-token-ptfl5"
  Normal   Pulled                 10s (x4 over 56s)  kubelet, worker-0  Container image "gcr.io/google-samples/node-hello:1.0" already present on machine
  Normal   Created                10s (x4 over 56s)  kubelet, worker-0  Created container
  Normal   Started                10s (x4 over 56s)  kubelet, worker-0  Started container
  Warning  BackOff                9s (x6 over 54s)   kubelet, worker-0  Back-off restarting failed container


Logs in pod say:

return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
       ^

Error: EACCES: permission denied, open '/server.js'
    at Error (native)
    at Object.fs.openSync (fs.js:549:18)
    at Object.fs.readFileSync (fs.js:397:15)
    at Object.Module._extensions..js (module.js:415:20)
    at Module.load (module.js:343:32)
    at Function.Module._load (module.js:300:12)
    at Function.Module.runMain (module.js:441:10)
    at startup (node.js:139:18)
    at node.js:968:3


If I remove both securityContext sections, pod runs normally.

So does the runAsUser function work or not?

How to specify the securityContext and avoid the crash?
