
Lab 6.6 security-review1.yaml intended solution

Version: 2022-11-23
I was able to find out the user ID that nginx uses by default and fix the problem with the cache, but I was not able to figure out (without trying to google) how to get rid of the "could not bind port 80" error. My tries with capabilities also failed, since finding out which ones would be needed requires research again.

My intuition tells me running the pod as root cannot be the correct solution. What am I missing?

Best Answers

  • fazlur.khan
    fazlur.khan Posts: 18
    edited February 10 Answer ✓

    Hello @bulldog98

    A few takeaways from security-review1.yaml:

    1. In the YAML, we use the security context "runAsUser" at the Pod spec level and also at the container level. What we define at the container level takes precedence. In this case it will run as user 3100.

    2. But the pod creation is failing... The reason is that the nginx image is built to run as root. It needs write access to /etc/nginx to create the conf file and also to /var to create a cache file.

    3. We know running as root is not good, so how can we fix it? Well, you can fix it while creating your image, for example by using a Dockerfile directive such as "USER".

    4. Since we are not creating the image here, what can we do? We can mount /var/cache and /etc/nginx as volumes with write access, and then the pod will be created.

    Give it a shot, try fixing it. If you need further help, LMK.

  • icastillejos
    icastillejos Posts: 3
    edited March 4 Answer ✓

    FWIW I got it to work using port 8080 (i.e. above 1024) and moving the pid file to one of my mounted volumes. I followed this example to build the nginx conf in a ConfigMap: https://gist.github.com/petitviolet/d36f33d145d0bbf4b54eb187b79d0244
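Putting the two answers above together (writable volumes for the paths nginx must write to, an unprivileged listen port, the pid file moved onto a mounted volume, and the nginx config supplied through a ConfigMap), here is an added example manifest. It is not the lab's security-review1.yaml and not code posted by either answerer; the ConfigMap and Pod names, the image tag, and the pod-level UID of 1000 are assumptions. The container-level UID 3100 is the value the first answer says the lab uses.

```yaml
# Added example for Lab 6.6: nginx running as non-root UID 3100.
# Names, the image tag and the pod-level UID (1000) are assumed, not taken
# from the lab file. Everything nginx writes at startup is on a volume.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-nonroot-conf        # assumed name
data:
  nginx.conf: |
    # No "user" directive: nginx ignores it when the master is not root.
    worker_processes 1;
    # pid file moved from /var/run/nginx.pid to an emptyDir mounted at /tmp
    pid /tmp/nginx.pid;
    error_log /dev/stderr warn;
    events { worker_connections 1024; }
    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;
      access_log /dev/stdout;
      server {
        # unprivileged UIDs cannot bind 80; use a port above 1024
        listen 8080;
        root /usr/share/nginx/html;
        index index.html;
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: security-review1          # assumed name
spec:
  securityContext:
    runAsUser: 1000               # pod default (assumed); container value wins
    runAsNonRoot: true            # reject the pod if it would start as UID 0
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: nginx
    image: nginx:1.25             # tag assumed
    ports:
    - containerPort: 8080
    securityContext:
      runAsUser: 3100             # container level takes precedence over 1000
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: conf                  # ConfigMap file overlaid on nginx.conf only
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
      readOnly: true
    - name: cache                 # default client_temp/proxy_temp/... dirs
      mountPath: /var/cache/nginx
    - name: tmp                   # pid file from the config above
      mountPath: /tmp
  volumes:
  - name: conf
    configMap:
      name: nginx-nonroot-conf
  - name: cache
    emptyDir: {}
  - name: tmp
    emptyDir: {}
```

After `kubectl apply -f` on this file, `kubectl logs security-review1` should contain no "Permission denied" lines, `kubectl exec security-review1 -- id -u` should print 3100, and `kubectl port-forward pod/security-review1 8080:8080` followed by `curl -i localhost:8080/` should return the default page. On the capability question from the original post: adding NET_BIND_SERVICE through securityContext.capabilities does not by itself let a process running as a non-zero UID bind port 80, because the container runtime does not place added capabilities in the ambient set for non-root users; the usual choices are a port above 1024 as above, an image whose nginx binary carries file capabilities, or, on clusters whose kubelet allows it, the net.ipv4.ip_unprivileged_port_start sysctl in the pod's securityContext. Note also that a subPath mount of a ConfigMap is not updated when the ConfigMap changes; the pod must be recreated to pick up config edits.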

Answers

  • @fazlur.khan ah yes, the /var/cache issue I had already found, but my problem was more that the nginx user was not allowed to open port 80.

