It looks like that file is not readable by a non-root user. You're volunteering to lower your privileges, but you need to account for that in the image. If this is a custom image, chmod ugo+r that file? If it is a pre-built image, yell at whoever built it.
On Fri, Feb 2, 2018 at 9:52 AM, R Melton <lateni...@gmail.com> wrote:
> using kubectl v1.9 on client and server.
> ubuntu 16.04 server on GCP.
>
> I was trying to follow the demo listed on
> https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
> which assigns a security context to a pod when it is created.
> Pod yaml file is:
>
> apiVersion: v1
> kind: Pod
> metadata:
>   name: security-context-demo
> spec:
>   securityContext:
>     runAsUser: 1000
>     fsGroup: 2000
>   volumes:
>   - name: sec-ctx-vol
>     emptyDir: {}
>   containers:
>   - name: sec-ctx-demo
>     image: gcr.io/google-samples/node-hello:1.0
>     volumeMounts:
>     - name: sec-ctx-vol
>       mountPath: /data/demo
>     securityContext:
>       allowPrivilegeEscalation: false
>
> problem: pod always crashes and gets restarted many times:
>
> kubectl get pods
> NAME                       READY     STATUS             RESTARTS   AGE
> busybox-855686df5d-2667x   1/1       Running            1          1h
> security-context-demo      0/1       CrashLoopBackOff   1          12s   << this is the problem.
>
> I tried removing each securityContext section. Crash remains when either
> securityContext section is present in the yaml file.
>
> pod describe shows:
>
> Events:
>   Type     Reason                 Age                From               Message
>   ----     ------                 ----               ----               -------
>   Normal   Scheduled              58s                default-scheduler  Successfully assigned security-context-demo to worker-0
>   Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "sec-ctx-vol"
>   Normal   SuccessfulMountVolume  58s                kubelet, worker-0  MountVolume.SetUp succeeded for volume "default-token-ptfl5"
>   Normal   Pulled                 10s (x4 over 56s)  kubelet, worker-0  Container image "gcr.io/google-samples/node-hello:1.0" already present on machine
>   Normal   Created                10s (x4 over 56s)  kubelet, worker-0  Created container
>   Normal   Started                10s (x4 over 56s)  kubelet, worker-0  Started container
>   Warning  BackOff                9s (x6 over 54s)   kubelet, worker-0  Back-off restarting failed container
>
> Logs in pod say:
>
>     return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
>                    ^
>
> Error: EACCES: permission denied, open '/server.js'
>     at Error (native)
>     at Object.fs.openSync (fs.js:549:18)
>     at Object.fs.readFileSync (fs.js:397:15)
>     at Object.Module._extensions..js (module.js:415:20)
>     at Module.load (module.js:343:32)
>     at Function.Module._load (module.js:300:12)
>     at Function.Module.runMain (module.js:441:10)
>     at startup (node.js:139:18)
>     at node.js:968:3
>
> If I remove both securityContext sections, pod runs normally.
>
> So does the runAsUser function work or not?
>
> How to specify the securityContext and avoid the crash?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Kubernetes user discussion and Q&A" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to kubernetes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to kubernetes-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/kubernetes-users.
> For more options, visit https://groups.google.com/d/optout.
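The reply's diagnosis is that runAsUser works exactly as advertised: the process really is UID 1000, and /server.js inside the image simply has no read bit for that UID. The script below is an added example, not code from the thread or from the node-hello image. It reproduces the kernel's owner/group/other read check so you can run a preflight on the files an entrypoint needs before you lower privileges with securityContext, and it applies the remedy the reply names (chmod ugo+r). The function names readable_as, fix_readable and demo are mine; the server.js it creates is a constructed stand-in, not the image's file; it assumes GNU stat on Linux and does not model ACLs or capabilities.

```shell
#!/bin/sh
# Added example (not code from the thread or the node-hello image): reproduce the
# kernel's discretionary read check for a given UID/GID, so you can verify that
# every file a container entrypoint opens is readable by the UID you intend to
# set in securityContext.runAsUser before the pod ever hits EACCES.
# Assumes GNU stat (Linux). ACLs and capabilities are not modelled.

# readable_as FILE UID GID -> exit 0 if UID (with primary GID) may read FILE
readable_as() {
    file=$1
    uid=$2
    gid=$3
    # %a = octal permission bits, %u = owner uid, %g = owner gid
    set -- $(stat -c '%a %u %g' "$file")
    mode=$((0$1))
    owner=$2
    group=$3
    if [ "$uid" -eq 0 ]; then
        return 0                     # root bypasses discretionary access checks
    elif [ "$uid" -eq "$owner" ]; then
        bit=$((mode & 0400))         # owner class: only the owner bits apply
    elif [ "$gid" -eq "$group" ]; then
        bit=$((mode & 0040))         # group class
    else
        bit=$((mode & 0004))         # other class: what a foreign UID like 1000 gets
    fi
    [ "$bit" -ne 0 ]
}

# fix_readable FILE -> the remedy from the reply: add the read bit for user,
# group and other without touching write/execute bits
fix_readable() {
    chmod ugo+r "$1"
}

# demo UID GID -> creates a constructed stand-in for the image's /server.js
# (mode 0600, owned by whoever runs this script), shows that the supplied
# non-root UID cannot read it, applies the fix, and returns 0 only if the
# check then passes.
demo() {
    uid=$1
    gid=$2
    dir=$(mktemp -d)
    f="$dir/server.js"
    echo 'console.log("hello")' > "$f"
    chmod 600 "$f"
    if readable_as "$f" "$uid" "$gid"; then
        echo "unexpected: $f already readable by uid $uid"
        rm -rf "$dir"
        return 1
    fi
    echo "uid $uid cannot read $f (mode 600): this is the EACCES the pod logged"
    fix_readable "$f"
    if readable_as "$f" "$uid" "$gid"; then
        echo "after chmod ugo+r: uid $uid can read $f"
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# Usage: sh check_readable.sh demo 1000 2000   (the UID/GID from the pod spec)
case "${1:-}" in
    demo) demo "${2:-1000}" "${3:-2000}" ;;
esac
```

Run it against the files an image's CMD actually opens (for the image in the thread, /server.js) with the UID and fsGroup you plan to put in the pod spec. If the check fails, the fix belongs in the image build, not in the pod: a chmod ugo+r on that file at build time, as the reply says, makes the same manifest with runAsUser: 1000 and allowPrivilegeEscalation: false start cleanly.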