Lab 6.6 RBAC

I am having some trouble solving the lab 6.6. Here is my edited security-review1.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: securityreview
spec:
  serviceAccountName: securityaccount
  # Pod-level security context left commented out, as in the lab file:
  # securityContext:
  #   runAsUser: 2100
  containers:
  - name: webguy
    image: nginx
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false

I have created securityaccount ServiceAccount, created ClusterRole with create, update, delete, list access to Pods. I have also done the role mapping.

Looking at the pod logs, I get these two errors:
[emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

What am I missing? Help is appreciated.


  • Also, when I ran this command to log in to the pod I get the following error:

    $ kubectl exec -it securityreview -- sh
    error: unable to upgrade connection: container not found ("webguy")
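The lab hinges on how Kubernetes resolves `runAsUser` when it appears at both the pod and the container level. The following Python check is an added example (not part of the thread or the lab files): it embeds a constructed copy of the manifest above, resolves the effective UID per container (container-level wins over pod-level), and reports the review findings a cluster operator would look for.

```python
# Added example: resolve the effective runAsUser of each container in a Pod
# manifest and list security-context findings. The manifest is a constructed
# dict mirroring the poster's edited security-review1.yaml (no PyYAML needed).

SECURITY_REVIEW = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "securityreview"},
    "spec": {
        "serviceAccountName": "securityaccount",
        # pod-level securityContext omitted: runAsUser: 2100 is commented out in the lab
        "containers": [
            {
                "name": "webguy",
                "image": "nginx",
                "securityContext": {"runAsUser": 2000, "allowPrivilegeEscalation": False},
            }
        ],
    },
}


def effective_run_as_user(pod, container):
    """Container securityContext.runAsUser overrides spec.securityContext.runAsUser.
    Returns None when neither is set, i.e. the image's own USER applies."""
    pod_ctx = pod.get("spec", {}).get("securityContext") or {}
    ctr_ctx = container.get("securityContext") or {}
    if "runAsUser" in ctr_ctx:
        return ctr_ctx["runAsUser"]
    return pod_ctx.get("runAsUser")


def review_pod(pod):
    """Return {container name: {"runAsUser": uid or None, "notes": [findings]}}."""
    pod_ctx = pod.get("spec", {}).get("securityContext") or {}
    findings = {}
    for c in pod["spec"]["containers"]:
        uid = effective_run_as_user(pod, c)
        ctx = c.get("securityContext") or {}
        notes = []
        if uid is None:
            notes.append("runAsUser unset: image default USER applies (root for the nginx image)")
        elif uid == 0:
            notes.append("runs as root")
        if ctx.get("allowPrivilegeEscalation", True):
            notes.append("allowPrivilegeEscalation not disabled")
        if not (ctx.get("runAsNonRoot") or pod_ctx.get("runAsNonRoot")):
            notes.append("runAsNonRoot not enforced")
        findings[c["name"]] = {"runAsUser": uid, "notes": notes}
    return findings


if __name__ == "__main__":
    for name, result in review_pod(SECURITY_REVIEW).items():
        print(name, result)
```

Uncommenting the pod-level `runAsUser: 2100` changes nothing for `webguy` while the container-level 2000 is present; it only takes effect once the container-level value is removed.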

  • pbbhaskar
    pbbhaskar Posts: 15

    Can you change/edit runAsUser: 2000 to runAsUser: 0 and deploy it again?

  • nbon
    nbon Posts: 14

    I see the same error:

  • nbon
    nbon Posts: 14

    @pbbhaskar the lab tells us to shell into the container before changing the runAsUser.
    But yes, runAsUser: 0 ultimately allowed me to progress.

  • chrispokorni
    chrispokorni Posts: 1,164

    Hi @nbon,

    The goal of the exercise is to find the correct user value for the security context that allows the container to run.


  • nbon
    nbon Posts: 14

    @chrispokorni how are we supposed to shell into the container?

  • serewicz
    serewicz Posts: 948

    @nbon Use the kubectl exec -it command.

  • With runAsUser: 2000, the container is not even created. We need to know the correct value of the runAsUser: element before running the kubectl exec -it command.

  • nbon
    nbon Posts: 14

    @serewicz I get the following error after using kubectl exec -it:
    error: unable to upgrade connection: container not found ("webguy")

  • serewicz
    serewicz Posts: 948
    If you look at the contents of the pod, what is the image it is trying to deploy? Could you run that image in some other way and look at the settings?