Skip to content

NimTechnology

Trình bày các công nghệ CLOUD một cách dễ hiểu.

  • Kubernetes & Container
    • Docker
    • Kubernetes
      • Ingress
    • Helm Chart
    • Isito-EnvoyFilter
    • Apache Kafka
      • Kafka
      • Kafka Connect
      • Lenses
    • Vault
    • Longhorn – Storage
    • VictoriaMetrics
  • CI/CD
    • ArgoCD
    • ArgoWorkflows
    • Spinnaker
    • Jenkins
  • Coding
    • Terraform
      • GCP – Google Cloud
      • AWS – Amazon Web Service
    • Golang
    • Laravel
    • Jquery & JavaScript
    • Git
    • Selenium
  • Log & Monitor
    • Prometheus
    • Grafana
    • ELK
      • Kibana
      • Logstash
  • BareMetal
  • Toggle search form

[Kuberneste/Volume] How can you mount a volume on Kubernetes that its permission isn’t root (non-root)

Posted on May 7, 2022 By nim No Comments on [Kuberneste/Volume] How can you mount a volume on Kubernetes that its permission isn’t root (non-root)

Case của mình là như sau:

Đầu tiên mình có Dockerfile:

FROM ubuntu:18.04
CMD ["sleep", "100000"]

Mình sẽ thử build image

docker build -t docker.nimtechnology.com/nim/non-root:0.0.1 --force-rm -f Dockerfile .

Sau đó mình running trên k8s

Bạn có thể thấy user là root

OK giờ mình ko muốn nó run với user root thì làm sao:
https://code.visualstudio.com/remote/advancedcontainers/add-nonroot-user

Có 2 cách như link bên trên:

Creating a non-root user

ARG USERNAME=user-name-goes-here
ARG USER_UID=1000
ARG USER_GID=$USER_UID

# Create the user
RUN groupadd --gid $USER_GID $USERNAME \
    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
    #
    # [Optional] Add sudo support. Omit if you don't need to install software after connecting.
    && apt-get update \
    && apt-get install -y sudo \
    && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
    && chmod 0440 /etc/sudoers.d/$USERNAME

# ********************************************************
# * Anything else you want to do like clean up goes here *
# ********************************************************

# [Optional] Set the default user. Omit if you want to keep the default as root.
USER $USERNAME

Change the UID/GID of an existing container user

ARG USERNAME=user-name-goes-here
ARG USER_UID=1000
ARG USER_GID=$USER_UID

RUN groupmod --gid $USER_GID $USERNAME \
    && usermod --uid $USER_UID --gid $USER_GID $USERNAME \
    && chown -R $USER_UID:$USER_GID /home/$USERNAME

Note that on Alpine Linux, you’ll need to install the shadow package first.

RUN apk add --no-cache shadow

Giờ Dockerfile của mình sẽ thay đổi như sau:

FROM ubuntu:18.04

ARG USERNAME=nimtechnology
ARG USER_UID=1000
ARG USER_GID=$USER_UID

# Create the user
RUN groupadd --gid $USER_GID $USERNAME \
    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
    #
    # [Optional] Add sudo support. Omit if you don't need to install software after connecting.
    && apt-get update \
    && apt-get install -y sudo \
    && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
    && chmod 0440 /etc/sudoers.d/$USERNAME

# ********************************************************
# * Anything else you want to do like clean up goes here *
# ********************************************************

# [Optional] Set the default user. Omit if you want to keep the default as root.


USER $USERNAME

CMD ["sleep", "100000"]
Giờ bạn thấy container không chạy với quyền root nữa

OK đã chuẩn bị đầy đủ.

Giờ mình thực hiện tạo 1 secret trên k8s.
Với file yaml bên dưới:

zapiVersion: v1
data:
  key-secret: dmFsdWUtc2VjcmV0
kind: Secret
metadata:
  labels:
  name: secret-non-root
  namespace: default
type: Opaque
đã tạo xong secret trên k8s

Giờ bạn thực hiện tạo ra 1 deployment và mount secret thành volume

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    workload.user.cattle.io/workloadselector: deployment-default-container-non-root
  name: container-non-root
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      workload.user.cattle.io/workloadselector: deployment-default-container-non-root
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        workload.user.cattle.io/workloadselector: deployment-default-container-non-root
    spec:
      containers:
      - image: docker.nimtechnology.com/nim/non-root:0.0.5
        name: container-non-root
        volumeMounts:
        - mountPath: /secert
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          defaultMode: 420
          secretName: secret-non-root

Bạn đoán là file secret được mount sẽ có permission thuộc user nào?

user bạn đang run là nimtechnology
nhưng file được cấp quyền cho user root

Nếu code của bạn muốn copy file key-secret thì sẽ không có quyền

OK! Giờ tìm hiểu thôi!
Để hiểu defaultMode: 420 thì đọc link dưới
https://support.huaweicloud.com/intl/en-us/cce_faq/cce_faq_00288.html

Ok giờ làm sao để mount file secret với user nimtechnology.
lại đọc bài dưới:
https://docs.portworx.com/portworx-install-with-kubernetes/storage-operations/create-pvcs/access-via-non-root-users/

Bạn thêm như anh bên dưới:

dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1000
      terminationGracePeriodSeconds: 30
Đã ngon rồi nhé!
Kubernetes

Post navigation

Previous Post: [Jquery] Disable ajaxStart per page or the particular action Ajax.
Next Post: [Terraform] – Terraform Beginner – Lesson 8: Terraform Functions and Conditional Expressions

More Related Articles

[K8s] Hướng dẫn sử dụng kubectl trên mấy local kết nối đến k8s master Kubernetes
[HPA/Kubernetes] Scale Up As Usual, Scale Down Very Gradually – behavior in HPA K8s Kubernetes
[Kubernetes] RBAC Demo Kubernetes
[Kubernetes] How to delete Persistent Volume is Terminating and very stubborn Kubernetes
[KOS] Use KOS to install kubernetes so easily! Kubernetes
[Kubernetes] How to delete POD is Terminating and very stubborn Kubernetes

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Tham Gia Group DevOps nhé!
Để Nim có nhiều động lực ra nhiều bài viết.
Để nhận được những thông báo mới nhất.

Recent Posts

  • Protected: My Assignment  June 24, 2022
  • [Spinnaker] Spinnaker writes too many logs – Reduce spinnaker log level June 22, 2022
  • [Jenkins] Jobs will be created automatically by Jenkins Job Builder June 20, 2022
  • [Postgresql] Install postgresql client and trying a few command postgresql. June 20, 2022
  • [Mount/Nextcloud] How do you mount a hard disk that was used windows into Linux. June 19, 2022

Archives

  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021

Categories

  • BareMetal
  • CI/CD
    • ArgoCD
    • ArgoWorkflows
    • Jenkins
    • Spinnaker
  • Coding
    • Git
    • Golang
    • Jquery & JavaScript
    • Laravel
    • Selenium
    • Terraform
      • AWS – Amazon Web Service
      • GCP – Google Cloud
  • Kubernetes & Container
    • Apache Kafka
      • Kafka
      • Kafka Connect
      • Lenses
    • Docker
    • Helm Chart
    • Isito-EnvoyFilter
    • Kubernetes
      • Ingress
    • Longhorn – Storage
    • Vault
    • VictoriaMetrics
  • Log & Monitor
    • ELK
      • Kibana
      • Logstash
    • Grafana
    • Prometheus
  • Uncategorized
  • Admin

Copyright © 2022 NimTechnology.