Welcome to the Linux Foundation Forum!

Lab Exercise A.3: Practicing Skills. Exercises 30-34


kubectl create -f review6.yaml doesn't produce a pod that complains about reading the config files, as #34 implies, but rather one that complains:

2025/06/21 17:29:54 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

Editing the uid to match the nginx user doesn't help, as /var/cache/nginx belongs to root with mode 0755.

I guess the question I need to ask is... how far afield of the instructions are we supposed to go? That is, if I replace the nginx image with one designed to run unprivileged (and update the uid to match from /etc/passwd), it can work. And certainly I might do that with something in real life.
But how do I know what the minimal/acceptable solution is for the exam? I have to assume it's computer-graded, so there are no points for creativity, and there's no guarantee I'm allowed to pull "random" (unanticipated in the exercise) images from DockerHub.

Other solutions exist as well, but again if it's computer-graded all seems for naught.

Comments

  • I agree,

    This was a tricky section for me to understand too.

    I have finally got it running, and I think what it is trying to teach, imo, is that although you set the security context (nginx=101), it does not change the original security context from when the image was built. I had to implicitly set the volume mounts... and only then did the paths in the mounts inherit the security context. I also had to override the nginx.conf file to run the pid in the temp folder, using a config map.

    I also found that I could not bind to port 80 as non-root, as this is a restriction in Linux (privileged ports are those in the range 1-1023). So I had to modify the nginx.conf to listen on port 8080 as well.

    ---> nginx.conf

    # main context: pid file moved to /tmp so a non-root worker can write it
    pid /tmp/nginx.pid;

    events {}

    http {
        server {
            listen 8080;    # unprivileged port, see note above
            location / {
                return 200 "Hello from non-root NGINX\n";
            }
        }
    }

    ---->
    kubectl create configmap nginx-conf --from-file=nginx.conf
    ---->
    apiVersion: v1
    kind: Pod
    metadata:
      name: securityreview
    spec:
      securityContext:
        runAsUser: 2100          # pod-level default, overridden per container below
      containers:
      - name: webguy
        image: nginx
        securityContext:
          runAsUser: 101         # nginx user in the official image
          allowPrivilegeEscalation: false
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: nginx-cache
          mountPath: /var/cache/nginx   # writable emptyDir replaces root-owned dir
        - name: nginx-conf
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
      volumes:
      - name: nginx-cache
        emptyDir: {}
      - name: nginx-conf
        configMap:
          name: nginx-conf

    Open to comments
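For anyone who wants the same approach taken a step further, here is an added example (my own, not code from the exercise or from either post above) that puts the ConfigMap and the Pod in one manifest and tightens the container: runAsNonRoot so the kubelet refuses to start the container if it would run as uid 0, a read-only root filesystem with emptyDir mounts only where nginx must write, all capabilities dropped, and the runtime default seccomp profile. The names nginx-hardened and nginx-hardened-conf and the port 8080 are assumptions; uid/gid 101 is the nginx user in the official image.

```yaml
# Added example, not part of the exercise or the thread above.
# Assumed names: nginx-hardened, nginx-hardened-conf. uid/gid 101 = nginx user
# in the official nginx image.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-hardened-conf
data:
  nginx.conf: |
    # pid file lives in /tmp (an emptyDir below) so the root filesystem
    # can stay read-only
    pid /tmp/nginx.pid;
    events {}
    http {
      access_log /dev/stdout;
      error_log  /dev/stderr;
      server {
        # unprivileged port: binding 80 as uid 101 fails with EACCES
        listen 8080;
        location / {
          return 200 "Hello from non-root NGINX\n";
        }
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-hardened
spec:
  securityContext:
    runAsNonRoot: true        # kubelet rejects the container if it resolves to uid 0
    runAsUser: 101
    runAsGroup: 101
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: web
    image: nginx
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: conf
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
    - name: tmp
      mountPath: /tmp                 # pid file from nginx.conf
    - name: cache
      mountPath: /var/cache/nginx     # client_temp, proxy_temp, ... live here
  volumes:
  - name: conf
    configMap:
      name: nginx-hardened-conf
  - name: tmp
    emptyDir: {}
  - name: cache
    emptyDir: {}
```

Apply it with kubectl apply -f and check the result with kubectl exec nginx-hardened -- id (expect uid=101) and kubectl exec nginx-hardened -- touch /etc/x (expect "Read-only file system"); the two emptyDir mounts are exactly the paths nginx still needs to write. If the exercise really requires port 80, the alternative that keeps the process non-root is the pod-level sysctl net.ipv4.ip_unprivileged_port_start=80 (a safe sysctl in recent Kubernetes releases), rather than adding NET_BIND_SERVICE, which a non-root process without file capabilities on the nginx binary cannot use.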
