Thanks for the followup!

On Fri, Feb 2, 2018 at 3:56 PM, R Melton <lateni...@gmail.com> wrote:
>
> I later went back and created a new image file (on docker) and reran the
> runAsUser (and fsGroup) yaml file and it worked correctly.
>
> On Friday, February 2, 2018 at 11:52:07 AM UTC-6, R Melton wrote:
>>
>> using kubectl v1.9 on client and server.
>> ubuntu 16.04 server on GCP.
>>
>> I was trying to follow the demo listed on
>> https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
>> which assigns a security context to a pod when it is created.
>> Pod yaml file is:
>>
>> apiVersion: v1
>> kind: Pod
>> metadata:
>>   name: security-context-demo
>> spec:
>>   securityContext:
>>     runAsUser: 1000
>>     fsGroup: 2000
>>   volumes:
>>   - name: sec-ctx-vol
>>     emptyDir: {}
>>   containers:
>>   - name: sec-ctx-demo
>>     image: gcr.io/google-samples/node-hello:1.0
>>     volumeMounts:
>>     - name: sec-ctx-vol
>>       mountPath: /data/demo
>>     securityContext:
>>       allowPrivilegeEscalation: false
>>
>> problem: pod always crashes and gets restarted many times:
>>
>> kubectl get pods
>> NAME                       READY   STATUS             RESTARTS   AGE
>> busybox-855686df5d-2667x   1/1     Running            1          1h
>> security-context-demo      0/1     CrashLoopBackOff   1          12s   << this is the problem.
>>
>> I tried removing each securityContext section. Crash remains when either
>> securityContext section is present in the yaml file.
>>
>> pod describe shows:
>>
>> Events:
>>   Type     Reason                 Age                From               Message
>>   ----     ------                 ----               ----               -------
>>   Normal   Scheduled              58s                default-scheduler  Successfully assigned security-context-demo to worker-0
>>   Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "sec-ctx-vol"
>>   Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "default-token-ptfl5"
>>   Normal   Pulled                 10s (x4 over 56s)  kubelet, worker-0  Container image "gcr.io/google-samples/node-hello:1.0" already present on machine
>>   Normal   Created                10s (x4 over 56s)  kubelet, worker-0  Created container
>>   Normal   Started                10s (x4 over 56s)  kubelet, worker-0  Started container
>>   Warning  BackOff                9s (x6 over 54s)   kubelet, worker-0  Back-off restarting failed container
>>
>> Logs in pod say:
>>
>>     return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
>>                    ^
>>
>> Error: EACCES: permission denied, open '/server.js'
>>     at Error (native)
>>     at Object.fs.openSync (fs.js:549:18)
>>     at Object.fs.readFileSync (fs.js:397:15)
>>     at Object.Module._extensions..js (module.js:415:20)
>>     at Module.load (module.js:343:32)
>>     at Function.Module._load (module.js:300:12)
>>     at Function.Module.runMain (module.js:441:10)
>>     at startup (node.js:139:18)
>>     at node.js:968:3
>>
>> If I remove both securityContext sections, pod runs normally.
>>
>> So does the runAsUser function work or not?
>>
>> How to specify the securityContext and avoid the crash?
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Kubernetes user discussion and Q&A" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to kubernetes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to kubernetes-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/kubernetes-users.
> For more options, visit https://groups.google.com/d/optout.
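An added example, not part of the thread and not Kubernetes code: the quoted log shows the container process being denied read access to `/server.js` once `runAsUser` is set. Assuming the cause is ownership and mode bits on files inside the image (the thread does not state it), this Python script walks an unpacked image root filesystem and lists the paths a given UID and group set could not read or enter; the function names and the rootfs directory argument are hypothetical, and the group set must contain every GID the process actually holds.

```python
import os
import stat
import sys


def permitted(st, uid, gids, want):
    """POSIX class check: owner bits if uid owns the file, else group bits
    if its group is in gids, else other bits. want: 4 = read, 1 = search."""
    if uid == 0:
        return True  # assumption: root keeps CAP_DAC_OVERRIDE for read/search
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((stat.S_IMODE(st.st_mode) >> shift) & want)


def unreadable_for(rootfs, uid, gids):
    """Return sorted relative paths under rootfs that uid/gids cannot read
    (regular files) or enter (directories, reported with a trailing '/')."""
    blocked = []
    for dirpath, dirnames, filenames in os.walk(rootfs):
        for name in list(dirnames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks carry no permissions of their own
            if not permitted(st, uid, gids, 1):
                blocked.append(os.path.relpath(path, rootfs) + "/")
                dirnames.remove(name)  # nothing below is reachable
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and not permitted(st, uid, gids, 4):
                blocked.append(os.path.relpath(path, rootfs))
    return sorted(blocked)


if __name__ == "__main__":
    # 1000 and 2000 are the runAsUser and fsGroup values from the quoted pod spec.
    for rel in unreadable_for(sys.argv[1], 1000, {2000}):
        print(rel)
```

Run it against a directory holding the extracted image filesystem, as a user able to traverse that directory.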