cloudfoundry / cf-for-k8s

The open source deployment manifest for Cloud Foundry on Kubernetes
Apache License 2.0
300 stars, 115 forks

Due to the security context (runAsNonRoot), container cannot run successfully #675

Open gongzhao2 opened 3 years ago

gongzhao2 commented 3 years ago

CLI versions

  1. cf-for-k8s: v4.2.0
  2. cf version: 7.2.0+be4a5ce2b.2020-12-10
  3. kubernetes version: v1.19.8

Describe the bug

After I deployed cf-for-k8s, I tried to push an nginx Docker image to Cloud Foundry using the cf v7 client:

cf push nginx --docker-image nginx:latest

But the pod status is "CreateContainerConfigError":

$ kubectl get pods -n cf-workloads
NAME                                                    READY   STATUS                       RESTARTS   AGE
nginx-processing-pipeline-bc88a52a07-0                  1/2     CreateContainerConfigError   0          22s

Then I described the pod and found the events below, which show "container has runAsNonRoot and image will run as root":

kubectl describe pods nginx-processing-pipeline-bc88a52a07-0 -n cf-workloads

...
Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  35s                default-scheduler  Successfully assigned cf-workloads/nginx-processing-pipeline-bc88a52a07-0 to gz-ecs-k8s-0004
  Normal   Pulling    34s                kubelet            Pulling image "index.docker.io/istio/proxyv2:1.9.5"
  Normal   Pulled     32s                kubelet            Successfully pulled image "index.docker.io/istio/proxyv2:1.9.5" in 2.553114139s
  Normal   Created    31s                kubelet            Created container istio-init
  Normal   Started    31s                kubelet            Started container istio-init
  Normal   Pulling    31s                kubelet            Pulling image "index.docker.io/istio/proxyv2:1.9.5"
  Normal   Pulled     28s                kubelet            Successfully pulled image "index.docker.io/istio/proxyv2:1.9.5" in 2.806900981s
  Normal   Created    28s                kubelet            Created container istio-proxy
  Normal   Started    28s                kubelet            Started container istio-proxy
  Normal   Pulling    14s (x2 over 27s)  kubelet            Pulling image "nginx:latest"
  Normal   Pulled     14s                kubelet            Successfully pulled image "nginx:latest" in 12.986002494s
  Warning  Failed     10s (x2 over 14s)  kubelet            Error: container has runAsNonRoot and image will run as root
  Normal   Pulled     10s                kubelet            Successfully pulled image "nginx:latest" in 3.625414339s

Additional context

If I change "securityContext.runAsNonRoot" from true to false, the pod runs successfully:

kubectl get sts nginx-processing-pipeline-bc88a52a07 -o yaml

apiVersion: apps/v1
kind: StatefulSet
metadata:
...
spec:
...
    spec:
...
      securityContext:
        runAsNonRoot: true  -> false
      serviceAccount: eirini
      serviceAccountName: eirini
      terminationGracePeriodSeconds: 30
...

Expected behavior

How can I change the default StatefulSet template to disable runAsNonRoot? Is there a parameter that controls the securityContext? Or can I change something in the rendered YAML file "cf-for-k8s-rendered.yml"?
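The event on this page is not a scheduling or image-pull problem: it is the kubelet refusing to start the container because the pod-level `runAsNonRoot: true` asks for proof of a non-root UID and `nginx:latest` provides none (its Dockerfile sets no USER, so the image config runs as UID 0). The following is an added example, not code from cf-for-k8s, Eirini or Kubernetes; it reimplements the decision logic of the kubelet's verifyRunAsNonRoot check so the effect of each securityContext change in this thread (flipping the flag, setting runAsUser, using an image built with a numeric USER) can be compared offline. The image USER values are constructed inputs, not read from a registry.

```python
"""Model of the kubelet check that produced the event in this issue.

Added example, not cf-for-k8s, Eirini or Kubernetes code: it mirrors the
decision logic of the kubelet's verifyRunAsNonRoot (the function that emits
"container has runAsNonRoot and image will run as root"). Image USER values
passed in below are constructed test inputs.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SecurityContext:
    """The two fields that matter for this check; None means 'not set'."""
    run_as_non_root: Optional[bool] = None
    run_as_user: Optional[int] = None


def effective_security_context(pod_sc: SecurityContext,
                               container_sc: SecurityContext) -> SecurityContext:
    """A container-level field overrides the same field in pod.spec.securityContext."""
    return SecurityContext(
        run_as_non_root=(container_sc.run_as_non_root
                         if container_sc.run_as_non_root is not None
                         else pod_sc.run_as_non_root),
        run_as_user=(container_sc.run_as_user
                     if container_sc.run_as_user is not None
                     else pod_sc.run_as_user),
    )


def image_user(config_user: str) -> Tuple[Optional[int], str]:
    """Interpret the image config 'User' field ('uid[:gid]' or 'name[:gid]').

    Returns (uid, username). An empty field means the image runs as root
    (uid 0), which is the case for nginx:latest, whose Dockerfile has no USER.
    A non-numeric name cannot be resolved by the kubelet, so uid is None.
    """
    user = config_user.split(":", 1)[0].strip()
    if not user:
        return 0, ""
    if user.isdigit():
        return int(user), ""
    return None, user


def verify_run_as_non_root(pod_sc: SecurityContext, container_sc: SecurityContext,
                           config_user: str) -> Optional[str]:
    """Return the kubelet's rejection reason, or None if the container is admitted."""
    sc = effective_security_context(pod_sc, container_sc)
    if not sc.run_as_non_root:          # unset or false: the guard is simply off
        return None
    if sc.run_as_user is not None:      # an explicit UID wins over the image config
        if sc.run_as_user == 0:
            return "container's runAsUser breaks non-root policy"
        return None
    uid, username = image_user(config_user)
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    if uid is None and username:
        return (f"container has runAsNonRoot and image has non-numeric user "
                f"({username}), cannot verify user is non-root")
    return None


# What the eirini StatefulSet shown in the issue sets at pod level.
EIRINI_POD_SC = SecurityContext(run_as_non_root=True)


def scenarios() -> Dict[str, Optional[str]]:
    """The failing case from the issue, the weakening that was tried, and fixes that keep the guard."""
    return {
        # nginx:latest has no USER, so the guard fires (the event on this page)
        "nginx:latest as pushed": verify_run_as_non_root(EIRINI_POD_SC, SecurityContext(), ""),
        # flipping runAsNonRoot to false removes the guard instead of satisfying it
        "nginx:latest, runAsNonRoot=false": verify_run_as_non_root(
            EIRINI_POD_SC, SecurityContext(run_as_non_root=False), ""),
        # a numeric USER in the image config is proof the kubelet accepts (constructed image)
        "image built with USER 101": verify_run_as_non_root(EIRINI_POD_SC, SecurityContext(), "101"),
        # an explicit non-zero runAsUser is accepted whatever the image says
        "nginx:latest, runAsUser=101": verify_run_as_non_root(
            EIRINI_POD_SC, SecurityContext(run_as_user=101), ""),
        # a named USER cannot be verified, so it is rejected with a different message (constructed image)
        "image built with USER nginx": verify_run_as_non_root(EIRINI_POD_SC, SecurityContext(), "nginx"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:36s} -> {verdict or 'admitted'}")
```

Two practical notes follow from the model. First, you can see what the kubelet will see with `docker image inspect --format '{{.Config.User}}' nginx:latest`; an empty result is exactly the "image will run as root" case. Second, passing the admission check is not the same as the process working: setting `runAsUser: 101` on the stock `nginx:latest` image satisfies the kubelet, but that image still expects root to bind port 80 and write `/var/run/nginx.pid`, so the workload fails later instead. The fix that keeps the `runAsNonRoot` guard intact is to push an image built to run unprivileged (for nginx, `nginxinc/nginx-unprivileged`, which sets a numeric USER and listens on 8080) rather than flipping the flag to false for every app in `cf-workloads`.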

cf-gitbot commented 3 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/178984794

The labels on this github issue will be updated when the story is started.