Running kubectl container as a rootless user #3626
@@ -29,6 +29,17 @@ podman run --rm --name kubectl \ | |||||
| -v /localpath/to/customize:/home/user:Z | ||||||
| {{ image.pretty_reference }} kustomize --enable-helm | ||||||
| ``` | ||||||
| ## Running as a non-root user | ||||||
Member
maybe "regular user" ?
| By default, this container runs as the `root` user. However, it is prepared to run as a non-privileged user (UID `999`) for enhanced security. | ||||||
Member
Suggested change

Member
this is a bit misleading, because how the container is being run is not specified by the container. The only thing we specify is the user within the container. How you map that is dependent on how you invoke it. I think we should simply say "The container provides a preconfigured user called "user" which can be explicitly set to lower the permissions of kubectl within the container".
| To run the container in rootless mode, you must explicitly set the user and the home environment variables: | ||||||
| ```ShellSession | ||||||
| podman run --rm --name kubectl \ | ||||||
| --user 999:100 \ | ||||||
Member
why do we hardcode this here?
| -e HOME=/home/user \ | ||||||
Member
do we need this when the -v mount below is explicitly stating /home/user ?
| -v /localpath/to/kubeconfig:/home/user/.kube/config:Z \ | ||||||
| {{ image.pretty_reference }} get nodes | ||||||
Member
why does it list "get nodes" here?
| {% include 'licensing_and_eula.j2' %} | ||||||
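Review bot: The intro sentence "To run the container in rootless mode, you must explicitly set the user" conflates two different things and should be reworded before merge: `--user 999:100` only lowers the privileges of the kubectl process inside the container, whereas "rootless" in podman terminology refers to the engine itself running under an unprivileged host user (user namespaces), which this flag does not control. Suggest replacing the heading and the first two sentences with the wording already proposed in review ("The container provides a preconfigured user called "user" which can be explicitly set to lower the permissions of kubectl within the container") and dropping "rootless mode" and "for enhanced security". A practical caveat belongs next to the `-v /localpath/to/kubeconfig:/home/user/.kube/config:Z` line: a kubeconfig is normally mode 0600, and when podman itself is run rootless the host user maps to UID 0 inside the container, so UID 999 will get permission denied on the mounted file; the text should either state that the file must be readable by the container-side UID or show `--userns=keep-id:uid=999,gid=100` (podman 4.3 and later) so the invoking host user appears as UID 999 and the file is readable without loosening its mode. Two smaller points: `get nodes` is an arbitrary subcommand and should be a placeholder such as `<kubectl arguments>` or mirror the `kustomize --enable-helm` invocation used in the section above, and `-e HOME=/home/user` is redundant if the image's passwd entry for UID 999 already sets that home directory; if it is needed because the entry differs, say so in the text rather than leaving the reader to guess.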