Running kubectl container as a rootless user #3626
Created a staging project on OBS for Tumbleweed: home:pushman:BCI:Staging:Tumbleweed:Tumbleweed-3626
Created a staging project on OBS for 7: home:pushman:BCI:Staging:SLE-15-SP7:7-3626
Build Results: Build succeeded ✅
To run BCI-tests against this PR, use the following command:
OS_VERSION=15.7 TARGET=custom BASEURL=registry.opensuse.org/home/pushman/bci/staging/sle-15-sp7/7-3626/ tox -- -n auto
The following images can be pulled from the staging project:
Created a staging project on OBS for 16.0: home:pushman:BCI:Staging:16.0:16.0-3626
Build Results: Build succeeded ✅
To run BCI-tests against this PR, use the following command:
OS_VERSION=16.0 TARGET=custom BASEURL=registry.opensuse.org/home/pushman/bci/staging/16.0/16.0-3626/ tox -- -n auto
The following images can be pulled from the staging project:
Created a staging project on OBS for 16.1: home:pushman:BCI:Staging:16.1:16.1-3626
Build Results: Build succeeded ✅
To run BCI-tests against this PR, use the following command:
OS_VERSION=16.1 TARGET=custom BASEURL=registry.opensuse.org/home/pushman/bci/staging/16.1/16.1-3626/ tox -- -n auto
The following images can be pulled from the staging project:
| ``` | ||
| ## Running as a non-root user | ||
| By default, this container runs as the `root` user. However, it is prepared to run as a non-privileged user (UID `999`) for enhanced security. |
| By default, this container runs as the `root` user. However, it is prepared to run as a non-privileged user (UID `999`) for enhanced security. | |
| By default, this container runs as the `root` user. However, the image is also prepared to run as a non-privileged user (UID `999`) for enhanced security. |
| --user 999:100 \ | ||
| -e HOME=/home/user \ | ||
| -v /localpath/to/kubeconfig:/home/user/.kube/config:Z \ | ||
| {{ image.pretty_reference }} get nodes |
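Review bot: the kubeconfig bind mount on the `-v /localpath/to/kubeconfig:/home/user/.kube/config:Z` line should be read-only for a `get nodes` example (`:ro,Z`), since the command only reads the file and a read-only mount keeps the container from modifying the host's credentials; it is also worth one sentence in the README that `:Z` relabels the host kubeconfig itself for SELinux, so users should point it at a copy rather than a file shared with other tools.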
why does it list "get nodes" here?
| ```ShellSession | ||
| podman run --rm --name kubectl \ | ||
| --user 999:100 \ |
why do we hardcode this here? --user user works as well.
| -v /localpath/to/customize:/home/user:Z | ||
| {{ image.pretty_reference }} kustomize --enable-helm | ||
| ``` | ||
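Review bot: `-v /localpath/to/customize:/home/user:Z` bind-mounts the host directory over the entire home directory, so anything the image ships under `/home/user` is hidden and the kubeconfig from the previous example (`/home/user/.kube/config`) would have to live inside the host's customize directory for `kustomize --enable-helm` to reach the cluster; mounting the customization under a subdirectory such as `/home/user/customize` and passing that path to `kustomize` avoids the overlap and should be stated in the README.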
| By default, this container runs as the `root` user. However, it is prepared to run as a non-privileged user (UID `999`) for enhanced security. |
this is a bit misleading, because how the container is being run is not specified by the container. the only thing we specify is the user within the container. how you map that is dependent on how you invoke it.
I think we should simply say
"The container provides a preconfigured user called "user" which can be explicitly set to lower the permissions of kubectl within the container".
| -e HOME=/home/user \ |
do we need this when the -v mount below is explicitly stating /home/user?