Set runAsUser for Container #657
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Johnson Shih <[email protected]>
johnsonshih
requested review from
bfjelds,
kate-goldenring,
jiria,
Britel,
romoh,
adithyaj and
diconico07
as code owners
Signed-off-by: Johnson Shih <[email protected]>
|
I think it would be better to change these containers to effectively run as non-root rather than allowing them to do so, I don't see any reason for this one to run as root. |
Signed-off-by: Johnson Shih <[email protected]>
Set runAsUser to run the container as non-root. |
diconico07
approved these changes
Sep 12, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Follow the instructions from "Discovering and Using USB Cameras" (https://docs.akri.sh/demos/usb-camera-demo) using microk8s and the akri-video-streaming-app container fails to start. The error is caused by the container is running as root and the setting in deployment specifies "runAsNonRoot=true", see the output below:
Events:
Type Reason Age From Message
Normal Scheduled 34s default-scheduler Successfully assigned default/akri-video-streaming-app-76c7b6849f-922wn to k8stest-4
Normal Pulled 32s kubelet Successfully pulled image "ghcr.io/project-akri/akri/video-streaming-app:latest-dev" in 948.654388ms
Normal Pulled 31s kubelet Successfully pulled image "ghcr.io/project-akri/akri/video-streaming-app:latest-dev" in 1.096890898s
Normal Pulled 17s kubelet Successfully pulled image "ghcr.io/project-akri/akri/video-streaming-app:latest-dev" in 1.173162548s
Normal Pulling 5s (x4 over 33s) kubelet Pulling image "ghcr.io/project-akri/akri/video-streaming-app:latest-dev"
Normal Pulled 4s kubelet Successfully pulled image "ghcr.io/project-akri/akri/video-streaming-app:latest-dev" in 953.775431ms
Warning Failed 4s (x4 over 32s) kubelet Error: container has runAsNonRoot and image will run as root (pod: "akri-video-streaming-app-76c7b6849f-922wn_default(821f9947-b5da-4f20-919a-62a5318ac027)", container: akri-video-streaming-app)
Add runAsUser: 1000 to run the container using uid 1000 (which is non-root)
Special notes for your reviewer:
If applicable:
cargo fmt)cargo build)cargo clippy)cargo test)cargo doc)