When deploying in Kubernetes and setting `runAsNonRoot` in `securityContext`, the Kubernetes admission controller fails because it cannot verify if the user is non-root.

Steps to reproduce:

1. Apply k8s manifest
2. List pods to check `CreateContainerConfigError`
3. Describe ssl-exporter pod from step 2.

Errors:

```
$ kubectl get po -l name=ssl-exporter
NAME                            READY   STATUS                       RESTARTS   AGE
ssl-exporter-7b544fd7d8-k9pnv   0/1     CreateContainerConfigError   0          5m14s
```

```
$ kubectl describe po ssl-exporter-7b544fd7d8-k9pnv
Events:
  Type     Reason          Age                From               Message
  ----     ------          ----               ----               -------
  Normal   Scheduled       31s                default-scheduler  Successfully assigned default/ssl-exporter-7b544fd7d8-k9pnv to node3
  Normal   SandboxChanged  29s                kubelet            Pod sandbox changed, it will be killed and re-created.
  Normal   Pulled          12s (x5 over 30s)  kubelet            Container image "docker.io/ribbybibby/ssl-exporter:2.4.1" already present on machine
  Warning  Failed          12s (x5 over 30s)  kubelet            Error: container has runAsNonRoot and image has non-numeric user (ssl), cannot verify user is non-root (pod: "ssl-exporter-7b544fd7d8-k9pnv_default(bac551ee-88ea-4a21-bd18-92afb1f6a663)", container: ssl-exporter)
```
Proposed solution

Removing the non-numeric user (ssl) from the Dockerfile and using a numeric UID instead:

```dockerfile
FROM alpine:3.15 as build
RUN apk --update add ca-certificates

FROM scratch
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY ssl_exporter /
USER 10001
EXPOSE 9219/tcp
ENTRYPOINT ["/ssl_exporter"]
```

There's no need for a named user, or for having a passwd/group file, because the Go compiler generates the binary with execution permission 755 (execution for everyone) and `ca-certificates.crt` has permission 644 (read for everyone).
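A preflight check for the failure above, added here as an example (it is not part of this issue or of the ssl-exporter project): it reads the image's configured user with `docker inspect` and applies the same rule the kubelet applies before starting a container with `runAsNonRoot: true`. It also covers the case the issue does not mention, an image with a named user combined with an explicit non-zero `securityContext.runAsUser`, which the kubelet accepts. It assumes the image is already present locally.

```shell
#!/bin/sh
# Added example (not from the issue or the ssl-exporter project): a preflight
# check that applies the kubelet's runAsNonRoot rule to an image before deploy.
# Usage: ./check_nonroot.sh IMAGE [RUN_AS_USER]

# classify_image_user USER -> prints one of:
#   root    : empty user or uid 0 (kubelet rejects: "image will run as root")
#   named   : non-numeric user such as "ssl" (kubelet rejects: cannot verify)
#   numeric : non-zero numeric uid such as 10001 (kubelet accepts)
classify_image_user() {
  user=${1%%:*}   # drop an optional ":group" suffix, as the kubelet does
  case "$user" in
    '')       echo root ;;        # no USER instruction in the image config
    *[!0-9]*) echo named ;;
    *)        if [ "$user" -eq 0 ]; then echo root; else echo numeric; fi ;;
  esac
}

# verify_run_as_non_root IMAGE_USER [RUN_AS_USER] -> 0 if the kubelet would
# admit the container with runAsNonRoot: true, 1 otherwise (reason on stderr).
verify_run_as_non_root() {
  image_user=$1
  run_as_user=${2:-}
  if [ -n "$run_as_user" ]; then
    # An explicit numeric securityContext.runAsUser overrides the image user,
    # so a named image user is also fine when runAsUser is set and non-zero.
    if [ "$run_as_user" -eq 0 ]; then
      echo "runAsUser 0 breaks non-root policy" >&2
      return 1
    fi
    return 0
  fi
  case "$(classify_image_user "$image_user")" in
    numeric) return 0 ;;
    root)    echo "image will run as root" >&2; return 1 ;;
    named)   echo "image has non-numeric user ($image_user), cannot verify user is non-root" >&2; return 1 ;;
  esac
}

# Read the image's configured user (the Dockerfile USER value) and check it.
preflight() {
  image_user=$(docker inspect --format '{{.Config.User}}' "$1") || return 2
  verify_run_as_non_root "$image_user" "${2:-}"
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run against the original image (`USER ssl`) the script prints the same "cannot verify user is non-root" reason the kubelet reports; against the fixed image (`USER 10001`) it exits 0.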
Test

A new docker image was created and deployed to docker hub.

```
$ kubectl get po -l name=ssl-exporter
NAME                            READY   STATUS    RESTARTS   AGE
ssl-exporter-85457876ff-mwqmc   1/1     Running   0          8s
```

```
$ kubectl describe po ssl-exporter-85457876ff-mwqmc
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  50s   default-scheduler  Successfully assigned default/ssl-exporter-85457876ff-mwqmc to node3
  Normal  Pulled     49s   kubelet            Container image "docker.io/xjulio/ssl-exporter:2.4.1-numeric-userid@sha256:bd53b4d5ac73308a3c9ed47e896e752c2cab9bd58e88a258aef4113635c45dc9" already present on machine
  Normal  Created    48s   kubelet            Created container ssl-exporter
  Normal  Started    48s   kubelet            Started container ssl-exporter
```