SecurityContext of Containers UID

Time:01-23

I am somewhat new to containers and I am looking for clarity on how best to establish a user with non-root privileges. This container is for Azure DevOps agent. By default, it appears the Dockerfile will run as root since there is nothing more specific specified in terms of users or UID.

Doing some research on this, I came across this VS Code tutorial that specifies how to set up a user with non-root privileges. Interestingly enough, it is unclear how that UID (in this case 1000) should work with the deployment yaml (below) in terms of the UID value.

If I specify a UID of 1000 in the Dockerfile, does that mean that I must also specify 1000 in the deployment yaml as I have below or are these UIDs completely separate and have nothing to do with each other?

Thanks for your input. Learning as I go along...

apiVersion: apps/v1
kind: Deployment
metadata:
  name: az-devops-locks
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: az-devops-locks
      app.kubernetes.io/instance: locks
  template:
    metadata:
      labels:
        app.kubernetes.io/name: az-devops-locks
        app.kubernetes.io/instance: locks
        aadpodidbinding: azdomilocks
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - name: "az-devops-locks"
        image: "xxxxx.azurecr.io/ado-agent:latest"
        securityContext:
          runAsUser: 1000
          allowPrivilegeEscalation: false   # field name corrected; the original had the misspelling "allowPrivilegedEscalation"
        env:
          - name: AZP_URL
            value: https://dev.azure.com/yyy
          - name: AZP_TOKEN
            valueFrom:
              secretKeyRef:
                name: ADOxxxx
                key: AZP_TOKEN
          - name: AZP_POOL
            value: Pool01
        volumeMounts:
        - mountPath: /var/run/docker.sock
          name: docker-volume
      volumes:
      - name: docker-volume
        hostPath:
          path: /var/run/docker.sock

CodePudding user response:

By default, it appears the Dockerfile will run as root since there is nothing more specific specified in terms of users or UID.

Actually no: it depends on your base image.

  • if said base image's own Dockerfile specified a USER (say, USER 1000)
  • and your Dockerfile does not specify a USER
  • then your own built image will inherit the USER of the base image.

If I specify a UID of 1000 in the Dockerfile, does that mean that I must also specify 1000 in the deployment yaml

You do not have to, but that is a way to enforce that the container will not use any other user to write files in your mounted folder.
Because if it was using any other user, since its process will run with the user ID you specify, it would not have the right to do any chown (as opposed to the default owner of a container process: root, which has the right to do... anything).
See "Set the security context for a Pod":

In the configuration file, the runAsUser field specifies that for any Containers in the Pod, all processes run with user ID 1000.
The runAsGroup field specifies the primary group ID of 3000 for all processes within any containers of the Pod.

If this field is omitted, the primary group ID of the containers will be root(0).
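As an added illustration (not part of the answer above, and not the poster's code), a small Python audit that resolves the effective runAsUser the way Kubernetes does (the container securityContext overrides the pod-level one, and an unset value falls back to the image's USER) and flags what a reviewer would notice in the question's manifest. The pod spec below is a constructed copy of that manifest and deliberately keeps the misspelled allowPrivilegedEscalation key so the typo check fires.

```python
"""Audit the effective user and privilege settings of a Kubernetes pod spec."""
from typing import Any

# Constructed sample mirroring the manifest in the question (not the poster's file).
SAMPLE_POD_SPEC: dict[str, Any] = {
    "securityContext": {"runAsUser": 1000},
    "containers": [{
        "name": "az-devops-locks",
        "securityContext": {"runAsUser": 1000, "allowPrivilegedEscalation": False},
        "volumeMounts": [{"mountPath": "/var/run/docker.sock", "name": "docker-volume"}],
    }],
    "volumes": [{"name": "docker-volume", "hostPath": {"path": "/var/run/docker.sock"}}],
}

# Container-level securityContext fields we expect to see; anything else is a typo.
KNOWN_CONTAINER_SC_KEYS = {
    "runAsUser", "runAsGroup", "runAsNonRoot", "allowPrivilegeEscalation",
    "privileged", "readOnlyRootFilesystem", "capabilities", "seccompProfile",
}

def effective_run_as_user(pod_spec: dict, container: dict):
    """Container securityContext wins over pod securityContext. None means the
    process runs as the image's USER (root if no Dockerfile in the chain set one)."""
    pod_sc = pod_spec.get("securityContext", {})
    ctr_sc = container.get("securityContext", {})
    return ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))

def audit_pod_spec(pod_spec: dict) -> list[str]:
    """Return human-readable findings for every container in the pod spec."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    docker_sock_volumes = {v["name"] for v in pod_spec.get("volumes", [])
                           if v.get("hostPath", {}).get("path") == "/var/run/docker.sock"}
    for ctr in pod_spec.get("containers", []):
        name, sc = ctr["name"], ctr.get("securityContext", {})
        uid = effective_run_as_user(pod_spec, ctr)
        if uid is None:
            findings.append(f"{name}: runAsUser unset, process runs as the image USER")
        elif uid == 0:
            findings.append(f"{name}: runs as root (runAsUser 0)")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set, UID 0 from the image is still accepted")
        for key in sorted(set(sc) - KNOWN_CONTAINER_SC_KEYS):
            findings.append(f"{name}: unknown securityContext key {key!r} (typo, has no effect)")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        for m in ctr.get("volumeMounts", []):
            if m["name"] in docker_sock_volumes:
                findings.append(f"{name}: mounts the host Docker socket at {m['mountPath']}")
    return findings
```

Running audit_pod_spec(SAMPLE_POD_SPEC) lists the misspelled key, the missing runAsNonRoot, the escalation setting that therefore never took effect, and the Docker socket mount, while reporting the effective UID as 1000 rather than root.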
