Lab 6.4.6, serviceAccountName vs securityContext runAsUser
Hi AKS gurus,
I have read kubernetes doco couple of times but i'm still not 100% clear the difference between pod running serviceAccountName vs securityContext runAsUser
especially lab 6.4.6, when securityContext runAsUser 1000 was removed the 2 pods are ran successfully.
the problem was '2018/04/13 19:51:13 emerg 11: mkdir() "/var/cache/nginx/client temp"failed (13: Permission denied)' user doesn't have privileges.
can someone explain me simple way. what is the clear difference between declare
'serviceAccountName' vs 'securityContext runAsUser'?
when both are declared 'serviceAccountName', 'securityContext runAsUser' which one gets used to run Pod or Container?
by testing. if both of them are there it's using the user 1000, from container ps aux
Q1. so is user 1000 trying to create temp was failing because of no privileges?
but this service account secret-access-sa, do not have privileges to create temp directory neither isn't it?
Q2. what is the difference between them 'serviceAccountName' vs 'securityContext runAsUser'
Best Answer
-
Hi @docklander,
The service account resource allows Kubernetes applications defined by pods to be assigned permissions just like a user account. These permissions, defined with role based access control (RBAC) policies and bound to the service account, allow pods to interact with cluster resources. For example, a pod may be assigned elevated permissions to interact with the API server in order to create and/or delete other pods, something a pod may not be allowed to perform by default.
The runAsUser security context property targets the application process run by the container defined by the pod. The security context properties allow for process level permissions management, as the container's process interacts with container's environment and resources. For example, a process may or may not have permissions to create a file in a given path, or given an existing file a process may or may not have write permissions (but it may have only read permissions instead).
Hope this helps to differentiate the two concepts.
Regards,
-Chris1
Categories
- All Categories
- 177 LFX Mentorship
- 177 LFX Mentorship: Linux Kernel
- 754 Linux Foundation IT Professional Programs
- 374 Cloud Engineer IT Professional Program
- 170 Advanced Cloud Engineer IT Professional Program
- 74 DevOps IT Professional Program - Discontinued
- 5 DevOps & GitOps IT Professional Program
- 100 Cloud Native Developer IT Professional Program
- 7.6K Training Courses & Learning Paths
- 2 AI & ML Training
- 1 Blockchain & Decentralized Identity Training
- 5 Cloud & Containers Training
- 1 Cybersecurity Training
- 2 DevOps & Site-Reliability Training
- 1 Linux Kernel Development Training
- 1 Networking Training
- 2 Open Source Best Practice Training
- 2 System Administration Training
- 1 System Engineering Training
- 1 Web & Application Development Training
- 794 Hardware
- 202 Drivers
- 68 I/O Devices
- 37 Monitors
- 95 Multimedia
- 173 Networking
- 91 Printers & Scanners
- 89 Storage
- 769 Linux Distributions
- 81 Debian
- 68 Fedora
- 22 Linux Mint
- 13 Mageia
- 24 openSUSE
- 150 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 356 Ubuntu
- 465 Linux System Administration
- 31 Cloud Computing
- 73 Command Line/Scripting
- Github systems admin projects
- 98 Linux Security
- 78 Network Management
- 101 System Management
- 46 Web Management
- 112 Mobile Computing
- 20 Android
- 77 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 393 Off Topic
- 121 Introductions
- 182 Small Talk
- 29 Study Material
- 977 Programming and Development
- 310 Kernel Development
- 649 Software Development
- 990 Software
- 382 Applications
- 182 Command Line
- 5 Compiling/Installing
- 68 Games
- 317 Installation
- Archived
- 2 LFD140 Class Forum
- 1.4K LFS258 Class Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)