12.4 Non-root containers


Non-root container error

Create this container:

kubectl create -f Chapter12/12.4_NonRootContainers/1_permission_error/deploy.yaml

You'll see the Pod stuck in CreateContainerConfigError:

$ kubectl get pods
NAME                          READY   STATUS                       RESTARTS   AGE
timeserver-7f74d78bd7-dsrkv   0/1     CreateContainerConfigError   0          14s

You can investigate further with kubectl describe:

$ kubectl describe pod timeserver-7f74d78bd7-dsrkv
Name:             timeserver-7f74d78bd7-dsrkv
Events:
  Type     Reason     Age               From                                   Message
  ----     ------     ----              ----                                   -------
  Warning  Failed     9s (x4 over 34s)  kubelet                                Error: container has runAsNonRoot and image will run as root (pod: "timeserver-7f74d78bd7-dsrkv_default(861b62db-3ab7-43ff-9560-75c5cad3be27)", container: timeserver-container)

See "Error: container has runAsNonRoot and image will run as root (pod: "timeserver-7f74d78bd7-dsrkv_default(861b62db-3ab7-43ff-9560-75c5cad3be27)", container: timeserver-container)"

RunAs

To fix this, update the Deployment to specify a non-root user (runAsUser) in the security context, so the image no longer falls back to running as root.

Replace the previous Deployment with:

kubectl replace -f Chapter12/12.4_NonRootContainers/1_permission_error/deploy-runas.yaml

Now the Pod is scheduled, but the container crashes:

$ kubectl get pods
NAME                         READY   STATUS   RESTARTS      AGE
timeserver-5d5449846-r7kpj   0/1     Error    2 (23s ago)   26s

View the logs

$ kubectl logs timeserver-5d5449846-r7kpj
Traceback (most recent call last):
  File "/app/server.py", line 52, in <module>
    startServer()
  File "/app/server.py", line 45, in startServer
    server = ThreadingHTTPServer(('', 80), RequestHandler)
  File "/usr/local/lib/python3.10/socketserver.py", line 452, in __init__
    self.server_bind()
  File "/usr/local/lib/python3.10/http/server.py", line 137, in server_bind
    socketserver.TCPServer.server_bind(self)
  File "/usr/local/lib/python3.10/socketserver.py", line 466, in server_bind
    self.socket.bind(self.server_address)
PermissionError: [Errno 13] Permission denied

Fix

Request a port that doesn't need root privileges (a non-root process cannot bind port 80, or any port below 1024).

Rewire the Service to the new port.

But this isn't enough; you'll still see an error:

$ kubectl logs timeserver-demo-5fd5f6c7f9-cxzrb
10.22.0.129 - - [24/Mar/2022 02:10:43] "GET / HTTP/1.1" 200 -
Exception occurred during processing of request from ('10.22.0.129', 41702)
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/socketserver.py", line 683, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/local/lib/python3.10/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/local/lib/python3.10/socketserver.py", line 747, in __init__
    self.handle()
  File "/usr/local/lib/python3.10/http/server.py", line 425, in handle
    self.handle_one_request()
  File "/usr/local/lib/python3.10/http/server.py", line 413, in handle_one_request
    method()
  File "/app/server.py", line 11, in do_GET
    with open("logs/log.txt", "a") as myfile:
PermissionError: [Errno 13] Permission denied: 'logs/log.txt'

You also need to adjust the permissions of the logs folder so the non-root user can write to it.

This fix is contained in version 7; update the Deployment to use it:

Deploy these fixed versions

kubectl replace -f Chapter12/12.4_NonRootContainers/2_fixed/deploy.yaml
kubectl replace -f Chapter12/12.4_NonRootContainers/2_fixed/service.yaml

Now it’s working

$ kubectl get pods
NAME                          READY   STATUS    RESTARTS   AGE
timeserver-849d7b67d7-cgfz2   1/1     Running   0          19s
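The three failures above (runAsNonRoot with an image that defaults to root, a non-root process binding a privileged port, and a Service whose targetPort no longer matches the container) can all be caught before kubectl runs. The following added check is not from the book or its sample repo; it operates on manifests already loaded as dicts (for example via yaml.safe_load), and the minimal manifests embedded in it are constructed to mirror the stages of this section.

```python
"""Static pre-deploy check for the non-root pitfalls walked through above.
Manifests are plain dicts (e.g. from yaml.safe_load); the samples here are constructed."""
PRIVILEGED_MAX = 1023  # binding ports 1-1023 needs root or CAP_NET_BIND_SERVICE


def check_deployment(deploy: dict) -> list[str]:
    """Return findings for the Deployment; an empty list means it passes."""
    findings = []
    pod = deploy["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    for c in pod["containers"]:
        sc = {**pod_sc, **c.get("securityContext", {})}  # container-level fields win
        name, uid = c["name"], sc.get("runAsUser")
        non_root = sc.get("runAsNonRoot", False)
        if not non_root:
            findings.append(f"{name}: runAsNonRoot not set, process may run as root")
        elif uid is None:
            findings.append(f"{name}: runAsNonRoot without runAsUser; if the image "
                            "defaults to root the kubelet raises CreateContainerConfigError")
        if uid == 0:
            findings.append(f"{name}: runAsUser 0 is root")
        for p in c.get("ports", []):
            if p["containerPort"] <= PRIVILEGED_MAX and (non_root or uid):
                findings.append(f"{name}: non-root process cannot bind privileged "
                                f"port {p['containerPort']} (Errno 13)")
    return findings


def check_service(service: dict, deploy: dict) -> list[str]:
    """Each numeric Service targetPort must match a containerPort of the Deployment."""
    pod = deploy["spec"]["template"]["spec"]
    exposed = {p["containerPort"] for c in pod["containers"] for p in c.get("ports", [])}
    return [f"targetPort {sp.get('targetPort', sp['port'])} matches no containerPort"
            for sp in service["spec"]["ports"]
            if sp.get("targetPort", sp["port"]) not in exposed]


def _manifest(uid, port):  # constructed minimal Deployment, one container
    sc = {"runAsNonRoot": True, **({"runAsUser": uid} if uid else {})}
    return {"spec": {"template": {"spec": {"securityContext": sc, "containers": [
        {"name": "timeserver-container", "ports": [{"containerPort": port}]}]}}}}


STAGE_ERROR = _manifest(None, 80)   # like 1_permission_error: rejected by kubelet
STAGE_RUNAS = _manifest(1000, 80)   # like deploy-runas: schedules, then bind fails
STAGE_FIXED = _manifest(1000, 8080)  # non-root user on an unprivileged port
SERVICE_OLD = {"spec": {"ports": [{"port": 80, "targetPort": 80}]}}
SERVICE_NEW = {"spec": {"ports": [{"port": 80, "targetPort": 8080}]}}
```

The logs-folder permission is a property of the image filesystem, not the manifest, so it has to be fixed in the image (as version 7 does) rather than detected here.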