Carlos Garcia

Reputation: 2970

Do I need to specify a UID in my Dockerfile when running in Kubernetes?

Having this Dockerfile:

FROM debian:stretch
CMD ["cat", "/tmp/secrets.txt"]

I can then run

docker run -v /etc/shadow:/tmp/secrets.txt spycontainer

Even if I am not root, I will be able to see /etc/shadow!

How is Kubernetes avoiding somebody doing this? Do I need to make sure that every image has the UID in the Dockerfile?

Upvotes: 0

Views: 1237

Answers (1)

hoque

Reputation: 6471

In Kubernetes you can use a pod security context.

When you run a container without any security context, the entrypoint command will run as root. For example:

$ kubectl run -i --tty busybox --image=busybox --restart=Never -- sh
/ # ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 sh

If you use a security context like the following:

spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000

Using runAsUser you can modify the user ID of the process inside a container. For example:

$ kubectl apply -f https://k8s.io/examples/pods/security/security-context.yaml
$ kubectl exec -it security-context-demo -- sh
/ $ ps aux
PID   USER     TIME  COMMAND
    1 1000      0:00 sleep 1h
    6 1000      0:00 sh

Upvotes: 2
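To tie the answer back to the question's /etc/shadow mount, here is an added Pod manifest (written for this page, not taken from the answer or from the Kubernetes examples) that recreates the "spycontainer" idea under a non-root security context; the pod and image names are placeholders, and the host is assumed to keep /etc/shadow at its usual root:shadow 0640 ownership and mode.

```yaml
# Added example: the same "cat a mounted /etc/shadow" trick, but with a pod
# security context that keeps the process off UID 0.
apiVersion: v1
kind: Pod
metadata:
  name: spycontainer-nonroot          # placeholder name
spec:
  securityContext:
    runAsNonRoot: true                # kubelet refuses to start the container as UID 0
    runAsUser: 1000                   # overrides any USER (or missing USER) in the Dockerfile
    runAsGroup: 3000
    fsGroup: 2000                     # applies to supported volume types, not to hostPath
  containers:
    - name: spy
      image: debian:stretch           # image from the question; CMD is overridden below
      command: ["cat", "/tmp/secrets.txt"]
      securityContext:
        allowPrivilegeEscalation: false   # blocks setuid binaries from regaining root
      volumeMounts:
        - name: shadow
          mountPath: /tmp/secrets.txt
          readOnly: true
  volumes:
    - name: shadow
      hostPath:
        path: /etc/shadow             # bind-mounted with its host ownership and mode (root:shadow 0640)
        type: File
```

With this manifest the container process runs as UID 1000, so `cat` gets a permission-denied error on the mounted file instead of printing the hashes; the same manifest without the securityContext block would run as root and read it, which is why the cluster-wide fix is to enforce such contexts (and restrict hostPath volumes) through an admission policy rather than relying on each Dockerfile's USER line.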
