Lab 6.6 RBAC

Hi,
I am having some trouble solving the lab 6.6. Here is my edited security-review1.yaml:
apiVersion: v1
kind: Pod
metadata:
name: securityreview
spec:
serviceAccountName: securityaccount
#securityContext:
# runAsUser: 2100
containers:
- name: webguy
image: nginx
securityContext:
runAsUser: 2000
allowPrivilegeEscalation: false
I have created securityaccount ServiceAccount, created ClusterRole with create, update, delete, list access to Pods. I have also done the role mapping.
Looking at the pod logs, I get these two errors:
[emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
What am I missing? Help is appreciated.
Comments
-
Also, when I ran this command to login to the pod I get the following error:
$ kubectl exec -it securityreview -- sh
error: unable to upgrade connection: container not found ("webguy")0 -
can you change/ edit runAsUser: 2000 to runAsUser: 0 and deploy it again?
0 -
I see the same error:
0 -
@pbbhaskar the lab tells us to shell into the container before changing the runAsUser.
but yes, runAsUser: 0 ultimately allowed me to progress.0 -
Hi @nbon,
The goal of the exercise is to find the correct user value for the security context that allows the container to run.
Regards,
-Chris0 -
@chrispokorni how are we supposed to shell into the container?
0 -
With runAsUser: 2000, the container does not even created. We need to know the correct value of runAsUser: element before running the kubectl exec -it command.
0 -
Hello,
If you look at the contents of the pod, what is the image it is trying to deploy? Could you run that image in some other way and look at the settings?
Regards,
0 -
@serewicz - first thank you for tending this forum. It is very much appreciated.
I note in one of your replies that the exam will not tell students what to type. This is a valid observation.
I see that you referenced Section 6.1 as a map... that's where I started.
However, the nginx image lacks the commands needed to follow that as a map.
So, I added busybox. But, the pod only runs with busybox in it. But, I have zero way to understand if this is a correct solution. It doesn't seem correct.
While I understand "pushing" students to figure things out, there isn't even enough context to figure out how to figure it out.
Could you explain a couple fundamental concepts so that I/we can arrive the the understanding to tackle this task.
0 -
@serewicz I have found two ways to get this to run without adding another container. Neither involved the kubectl exec command because the nginx image does not have the commands in the shell required to determine the required userid.
The key is understanding the required userid. Lab 6.1 should work IF the image had the required commands. The current image does not. This still leaves the problem as to how to determine the correct userid.
The problem with using another image is that the required behavior (permissions) are changed when another image is used. So, that debug path is no good.
We could try to install ps or find other ways to get the id. That seems way out of the way.
So, this folds back to ... what is the right id number to use and in which security context stanza should it be set?
While it is not obvious, determining the required userid is the filter to use when reviewing Chapter 6's materials to solve this problem.
0 -
Hello everyone, I'm also very curious what is the right solution for running nginx in Lab 6.6.
Hello,
If you look at the contents of the pod, what is the image it is trying to deploy? Could you run that image in some other way and look at the settings?
@serewicz Following your hint above, I ran nginx image in Docker and determined that it runs as **root **user:
$ docker run -it --entrypoint whoami nginx root
So, does that mean that we should set runAsUser: 0 ? Is that the expected solution for this exercise?
I'm slightly confused because this solution (set runAsUser: 0), although technically valid, defeats the purpose of securityContext, doesn't it?
On the other hand, running nginx as non-root user requires extra work and extra knowledge of nginx. See https://github.com/docker-library/docs/tree/master/nginx#running-nginx-as-a-non-root-user
So I doubt that this lab 6.6 expects students to go into such internals of nginx configuration.
@serewicz Please advise. Thank you so much in advance!
1 -
Hi all,
I logged in to the container removing the user policies, then I installed proper package to show the process (procps), and finally ps says there are 3 processes with two users:- user 0 (root) for master process
- user 101 (nginx) for worker processes
Regards,
JI0 -
Hello i am facing the same issue can someone please post a working solution? Do i have to disable the securityContext and then manually install the ps command into the container to check the right id? (seem very unlikely to me)
0
Categories
- All Categories
- 230 LFX Mentorship
- 230 LFX Mentorship: Linux Kernel
- 812 Linux Foundation IT Professional Programs
- 365 Cloud Engineer IT Professional Program
- 183 Advanced Cloud Engineer IT Professional Program
- 82 DevOps Engineer IT Professional Program
- 151 Cloud Native Developer IT Professional Program
- 138 Express Training Courses & Microlearning
- 138 Express Courses - Discussion Forum
- Microlearning - Discussion Forum
- 6.4K Training Courses
- 48 LFC110 Class Forum - Discontinued
- 71 LFC131 Class Forum
- 44 LFD102 Class Forum
- 228 LFD103 Class Forum
- 19 LFD110 Class Forum
- 42 LFD121 Class Forum
- 18 LFD133 Class Forum
- 8 LFD134 Class Forum
- 18 LFD137 Class Forum
- 71 LFD201 Class Forum
- 5 LFD210 Class Forum
- 5 LFD210-CN Class Forum
- 2 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum - Discontinued
- 2 LFD233 Class Forum
- 4 LFD237 Class Forum
- 24 LFD254 Class Forum
- 702 LFD259 Class Forum
- 111 LFD272 Class Forum - Discontinued
- 4 LFD272-JP クラス フォーラム
- 13 LFD273 Class Forum
- 180 LFS101 Class Forum
- 1 LFS111 Class Forum
- 3 LFS112 Class Forum
- 3 LFS116 Class Forum
- 7 LFS118 Class Forum
- LFS120 Class Forum
- 9 LFS142 Class Forum
- 8 LFS144 Class Forum
- 4 LFS145 Class Forum
- 3 LFS146 Class Forum
- 2 LFS148 Class Forum
- 15 LFS151 Class Forum
- 4 LFS157 Class Forum
- 44 LFS158 Class Forum
- LFS158-JP クラス フォーラム
- 10 LFS162 Class Forum
- 2 LFS166 Class Forum
- 4 LFS167 Class Forum
- 3 LFS170 Class Forum
- 2 LFS171 Class Forum
- 3 LFS178 Class Forum
- 3 LFS180 Class Forum
- 2 LFS182 Class Forum
- 5 LFS183 Class Forum
- 32 LFS200 Class Forum
- 737 LFS201 Class Forum - Discontinued
- 3 LFS201-JP クラス フォーラム - Discontinued
- 19 LFS203 Class Forum
- 135 LFS207 Class Forum
- 2 LFS207-DE-Klassenforum
- 1 LFS207-JP クラス フォーラム
- 302 LFS211 Class Forum
- 56 LFS216 Class Forum
- 52 LFS241 Class Forum
- 48 LFS242 Class Forum
- 38 LFS243 Class Forum
- 15 LFS244 Class Forum
- 5 LFS245 Class Forum
- LFS246 Class Forum
- LFS248 Class Forum
- 52 LFS250 Class Forum
- 2 LFS250-JP クラス フォーラム
- 1 LFS251 Class Forum
- 156 LFS253 Class Forum
- 1 LFS254 Class Forum
- 1 LFS255 Class Forum
- 9 LFS256 Class Forum
- 1 LFS257 Class Forum
- 1.3K LFS258 Class Forum
- 10 LFS258-JP クラス フォーラム
- 129 LFS260 Class Forum
- 160 LFS261 Class Forum
- 43 LFS262 Class Forum
- 82 LFS263 Class Forum - Discontinued
- 15 LFS264 Class Forum - Discontinued
- 11 LFS266 Class Forum - Discontinued
- 24 LFS267 Class Forum
- 25 LFS268 Class Forum
- 32 LFS269 Class Forum
- 6 LFS270 Class Forum
- 202 LFS272 Class Forum - Discontinued
- 2 LFS272-JP クラス フォーラム
- 4 LFS147 Class Forum
- 1 LFS274 Class Forum
- 4 LFS281 Class Forum
- 12 LFW111 Class Forum
- 262 LFW211 Class Forum
- 184 LFW212 Class Forum
- 15 SKF100 Class Forum
- 1 SKF200 Class Forum
- 1 SKF201 Class Forum
- 797 Hardware
- 199 Drivers
- 68 I/O Devices
- 37 Monitors
- 104 Multimedia
- 174 Networking
- 91 Printers & Scanners
- 85 Storage
- 759 Linux Distributions
- 82 Debian
- 67 Fedora
- 17 Linux Mint
- 13 Mageia
- 23 openSUSE
- 148 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 354 Ubuntu
- 470 Linux System Administration
- 39 Cloud Computing
- 71 Command Line/Scripting
- Github systems admin projects
- 95 Linux Security
- 78 Network Management
- 102 System Management
- 47 Web Management
- 69 Mobile Computing
- 18 Android
- 38 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 374 Off Topic
- 115 Introductions
- 174 Small Talk
- 24 Study Material
- 807 Programming and Development
- 304 Kernel Development
- 485 Software Development
- 1.8K Software
- 263 Applications
- 183 Command Line
- 3 Compiling/Installing
- 987 Games
- 317 Installation
- 102 All In Program
- 102 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)