Lab 6.6 RBAC

aparajithanv

Hi,
I am having some trouble solving the lab 6.6. Here is my edited security-review1.yaml:

apiVersion: v1
kind: Pod
metadata:
name: securityreview
spec:
serviceAccountName: securityaccount
#securityContext:
# runAsUser: 2100
containers:
- name: webguy
image: nginx
securityContext:
runAsUser: 2000
allowPrivilegeEscalation: false

I have created securityaccount ServiceAccount, created ClusterRole with create, update, delete, list access to Pods. I have also done the role mapping.

Looking at the pod logs, I get these two errors:
[emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

What am I missing? Help is appreciated.

aparajithanv

Also, when I ran this command to login to the pod I get the following error:

$ kubectl exec -it securityreview -- sh
error: unable to upgrade connection: container not found ("webguy")

pbbhaskar

can you change/ edit runAsUser: 2000 to runAsUser: 0 and deploy it again?

nbon

I see the same error:

nbon

@pbbhaskar the lab tells us to shell into the container before changing the runAsUser.
but yes, runAsUser: 0 ultimately allowed me to progress.

chrispokorni

Hi @nbon,

The goal of the exercise is to find the correct user value for the security context that allows the container to run.

Regards,
-Chris

nbon

@chrispokorni how are we supposed to shell into the container?

serewicz

@nbon Use the kubectl exec -it command.

pbbhaskar

With runAsUser: 2000, the container does not even created. We need to know the correct value of runAsUser: element before running the kubectl exec -it command.

nbon

@serewicz I get the following error after using kubectl exec -it:
"error: unable to upgrade connection: container not found ("webguy")

serewicz

Hello,

If you look at the contents of the pod, what is the image it is trying to deploy? Could you run that image in some other way and look at the settings?

Regards,