Can we specify the user name under which pods/containers should run in Kubernetes?
In the Pod spec, there is an option to specify the user ID under which all containers should run:
podSecurityContext:
  runAsUser: <a numeric Id>
Is there a way to specify a user name instead, as for Windows pods and containers, as shown below?
securityContext:
  windowsOptions:
    runAsUserName: "ContainerUser"
1 answer
Unfortunately, there is no such way.
WindowsSecurityContextOptions contains Windows-specific options and credentials. PodSecurityContext allows you to use:
securityContext.runAsUser (int64): The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.
securityContext.runAsNonRoot (boolean): Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
securityContext.runAsGroup (int64): The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.
Trying to use String instead of Integer for runAsUser will result in error:
invalid type for io.k8s.api.core.v1.SecurityContext.runAsUser: got "string", expected "integer"
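
The precedence and type rules quoted in the answer can be checked before a manifest is applied. The following is an added example, not part of the original answer or of Kubernetes itself: it resolves the effective runAsUser, runAsGroup and runAsNonRoot for each container of a Pod manifest already parsed into a dict. The function name, the sample manifest and the wording of the problem messages are assumptions made for illustration.

```python
# Added example: local pre-apply check of the securityContext rules quoted above.
# Expected Python types for the fields described in the answer.
FIELDS = {"runAsUser": int, "runAsGroup": int, "runAsNonRoot": bool}

def effective_security_context(pod):
    """Return {container_name: {"effective": {...}, "problems": [...]}}."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    report = {}
    for c in spec.get("containers", []):
        c_sc = c.get("securityContext") or {}
        eff, problems = {}, []
        for field, want in FIELDS.items():
            # Container-level SecurityContext takes precedence over the pod level.
            if field in c_sc:
                value = c_sc[field]
            elif field in pod_sc:
                value = pod_sc[field]
            else:
                continue  # unset: image metadata / runtime default applies
            # bool is a subclass of int in Python, so exclude it for int fields.
            ok = isinstance(value, want) and not (want is int and isinstance(value, bool))
            if not ok:
                problems.append(
                    f'{field}: got "{type(value).__name__}", expected "{want.__name__}"')
                continue
            eff[field] = value
        # A container with runAsNonRoot=true must not resolve to UID 0.
        if eff.get("runAsUser") == 0 and eff.get("runAsNonRoot"):
            problems.append("runAsNonRoot is true but runAsUser is 0")
        report[c["name"]] = {"effective": eff, "problems": problems}
    return report

# Constructed sample manifest (hypothetical container names, not from the post).
SAMPLE_POD = {
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "runAsNonRoot": True},
        "containers": [
            {"name": "app"},
            {"name": "sidecar", "securityContext": {"runAsUser": 2000}},
            {"name": "bad", "securityContext": {"runAsUser": "appuser"}},
            {"name": "rootish", "securityContext": {"runAsUser": 0}},
        ],
    }
}

if __name__ == "__main__":
    for name, result in effective_security_context(SAMPLE_POD).items():
        print(name, result)
```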