Home > Software design >  Kubernetes securityContext
Kubernetes securityContext

Time:10-29

I can't seem to understand why the below mentioned pod manifest isn't working if I remove spec.containers.command, the pod fails if I remove the command.

I took this example from the official documentation

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

CodePudding user response:

Because the busybox image doesn't run any process at start by itself. Containers are designed to run single application and shutdown when the app exits. If the image doesn't run anything it will immediately exit. In the Kubernetes the spec.containers.command overwrites the default container command. You can try changing the manifest image for i.e. image: nginx, remove the spec.containers.command and it will run, because that image as default Nginx server.

  • Related