17. EXAM DOMAIN REVIEW - Exercise A.3. Practicing Skills - p. 34

"34. Edit the pod such that the securityContext is in place and allows the web server to read the proper configuration files."

If it is supposed that we simply change to runAsUser: 101, then there is an error in the task, because it will exit with an error:

ubuntu@k8scp:~$ kubectl logs securityreview
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2022/07/14 21:30:49 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2022/07/14 21:30:49 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

We can solve this task by removing runAsUser altogether and putting something like allowPrivilegeEscalation: true in securityContext, but it seems that is not what is expected of us.

Another solution is to create our own Dockerfile and build an nginx image with appropriate permissions for the nginx user, but this solution is far from the task.

So please remove this task from the exercise, or at least confirm that an adequate solution exists.
