
Lab 6.6 RBAC

Hi,
I am having some trouble solving lab 6.6. Here is my edited security-review1.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: securityreview
spec:
  serviceAccountName: securityaccount
  #securityContext:
  #  runAsUser: 2100
  containers:
  - name: webguy
    image: nginx
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false

I have created securityaccount ServiceAccount, created ClusterRole with create, update, delete, list access to Pods. I have also done the role mapping.

Looking at the pod logs, I get these two errors:
[emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

What am I missing? Help is appreciated.

Comments

  • Also, when I ran this command to log in to the pod I get the following error:

    $ kubectl exec -it securityreview -- sh
    error: unable to upgrade connection: container not found ("webguy")

  • pbbhaskar
    pbbhaskar Posts: 15

    Can you change/edit runAsUser: 2000 to runAsUser: 0 and deploy it again?

  • nbon
    nbon Posts: 14

    I see the same error:

  • nbon
    nbon Posts: 14

    @pbbhaskar the lab tells us to shell into the container before changing the runAsUser.
    but yes, runAsUser: 0 ultimately allowed me to progress.

  • chrispokorni
    chrispokorni Posts: 1,139

    Hi @nbon,

    The goal of the exercise is to find the correct user value for the security context that allows the container to run.

    Regards,
    -Chris

  • nbon
    nbon Posts: 14

    @chrispokorni how are we supposed to shell into the container?

  • serewicz
    serewicz Posts: 944

    @nbon Use the kubectl exec -it command.

  • With runAsUser: 2000, the container is not even created. We need to know the correct value of the runAsUser: element before running the kubectl exec -it command.

  • nbon
    nbon Posts: 14

    @serewicz I get the following error after using kubectl exec -it:

    error: unable to upgrade connection: container not found ("webguy")

  • serewicz
    serewicz Posts: 944

    Hello,

    If you look at the contents of the pod, what is the image it is trying to deploy? Could you run that image in some other way and look at the settings?

    Regards,

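Added note, not from the lab material or from anyone in the thread: the workaround that unblocks the lab (runAsUser: 0) is exactly what a manifest review should flag, so here is a small policy check over the pod above, with the manifest built as a Python dict (no YAML library needed) and the two variants discussed in the thread as constructed input.

```python
# Added example (not the course's or the thread's code): a lint over a Pod
# manifest held as a dict; make_pod() reconstructs security-review1.yaml.

def effective_run_as_user(pod, container):
    """Kubernetes precedence: a container's securityContext overrides the pod's."""
    c_ctx = container.get("securityContext") or {}
    p_ctx = pod.get("spec", {}).get("securityContext") or {}
    if "runAsUser" in c_ctx:
        return c_ctx["runAsUser"]
    return p_ctx.get("runAsUser")  # None: the image's own default user applies

def lint_pod(pod):
    """Return the findings a reviewer would raise about each container."""
    findings = []
    spec = pod.get("spec", {})
    p_ctx = spec.get("securityContext") or {}
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        c_ctx = c.get("securityContext") or {}
        uid = effective_run_as_user(pod, c)
        non_root = c_ctx.get("runAsNonRoot", p_ctx.get("runAsNonRoot"))
        if uid is None:
            findings.append(f"{name}: runAsUser unset, image default user applies")
        elif uid == 0:
            # uid 0 is what the official nginx image's master process expects: it
            # creates /var/cache/nginx/* as root, which is why uid 2000 fails above.
            findings.append(f"{name}: runs as root (runAsUser: 0)")
        if non_root is not True:
            findings.append(f"{name}: runAsNonRoot not enforced")
        elif uid == 0:
            # kubelet refuses to start a container with runAsNonRoot: true and uid 0
            findings.append(f"{name}: runAsNonRoot: true conflicts with runAsUser: 0")
        if c_ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    return findings

def make_pod(run_as_user):
    """Constructed manifest mirroring security-review1.yaml from the thread."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "securityreview"},
            "spec": {"serviceAccountName": "securityaccount",
                     "containers": [{"name": "webguy", "image": "nginx",
                                     "securityContext": {
                                         "runAsUser": run_as_user,
                                         "allowPrivilegeEscalation": False}}]}}

if __name__ == "__main__":
    for uid in (2000, 0):
        print(f"runAsUser: {uid} ->", lint_pod(make_pod(uid)) or ["no findings"])
```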