kubernetes PodSecurityPolicy set to runAsNonRoot, pods are not getting started post that Getting error Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
We are creating the user (appuser) uid -> 999 and group (appgroup) gid -> 999 in the docker container, and we are starting the container with that user.
But the pod creating is throwing error.
    Events:
      Type     Reason                 Age                From                           Message
      ----     ------                 ----               ----                           -------
      Normal   Scheduled              53s                default-scheduler              Successfully assigned app-578576fdc6-nfvcz to appmagent01
      Normal   SuccessfulMountVolume  52s                kubelet, appagent01  MountVolume.SetUp succeeded for volume "default-token-ksn46"
      Warning  DNSConfigForming       11s (x6 over 52s)  kubelet, appagent01  Search Line limits were exceeded, some search paths have been omitted, the applied search line is: app.svc.cluster.local svc.cluster.local cluster.local 
      Normal   Pulling                11s (x5 over 51s)  kubelet, appagent01  pulling image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Normal   Pulled                 11s (x5 over 51s)  kubelet, appagent01  Successfully pulled image "app.dockerrepo.internal.com:5000/app:9f51e3e7ab91bb835d3b85f40cc8e6f31cdc2982"
      Warning  Failed                 11s (x5 over 51s)  kubelet, appagent01  Error: container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root
.
The Kubernetes Pod SecurityContext provides two options runAsNonRoot and runAsUser to enforce non root users. You can use both options separate from each other because they test for different configurations. When you set runAsNonRoot: true you require that the container will run with a user with any UID other than 0.
If you want a pod to send requests directly to service resource you have to change pod's dnsPolicy to ClusterFirstWithHostNet . It should be used explicitly for pods running with hostNetwork: true . This way it will use cluster DNS and will be in host network.
runAsUser: 1000 means all containers in the pod will run as user UID 1000. fsGroup: 2000 means the owner for mounted volumes and any files created in that volume will be GID 2000.
Here is the implementation of the verification:
case uid == nil && len(username) > 0:
    return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)
And here is the validation call with the comment:
// Verify RunAsNonRoot. Non-root verification only supports numeric user.
if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
    return nil, cleanupAction, err
}
As you can see, the only reason of that messages in your case is uid == nil. Based on the comment in the source code, we need to set a numeric user value.
So, for the user with UID=999 you can do it in your pod definition like that:
securityContext:
    runAsUser: 999
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With