Welcome to the Linux Foundation Forum!
Lab 6.6 RBAC
aparajithanv
Posts: 5
Hi,
I am having some trouble solving the lab 6.6. Here is my edited security-review1.yaml:
apiVersion: v1
kind: Pod
metadata:
name: securityreview
spec:
serviceAccountName: securityaccount
#securityContext:
# runAsUser: 2100
containers:
- name: webguy
image: nginx
securityContext:
runAsUser: 2000
allowPrivilegeEscalation: false
I have created securityaccount ServiceAccount, created ClusterRole with create, update, delete, list access to Pods. I have also done the role mapping.
Looking at the pod logs, I get these two errors:
[emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
What am I missing? Help is appreciated.
1
Comments
Also, when I ran this command to login to the pod I get the following error:
$ kubectl exec -it securityreview -- sh
error: unable to upgrade connection: container not found ("webguy")
can you change/ edit runAsUser: 2000 to runAsUser: 0 and deploy it again?
I see the same error:
@pbbhaskar the lab tells us to shell into the container before changing the runAsUser.
but yes, runAsUser: 0 ultimately allowed me to progress.
Hi @nbon,
The goal of the exercise is to find the correct user value for the security context that allows the container to run.
Regards,
-Chris
@chrispokorni how are we supposed to shell into the container?
@nbon Use the kubectl exec -it command.
With runAsUser: 2000, the container does not even created. We need to know the correct value of runAsUser: element before running the kubectl exec -it command.
@serewicz I get the following error after using
kubectl exec -it:"error: unable to upgrade connection: container not found ("webguy")
Hello,
If you look at the contents of the pod, what is the image it is trying to deploy? Could you run that image in some other way and look at the settings?
Regards,