kubernetes securitycontext runAsNonRoot不起作用

默认情况下，Nginx服务将期望对其配置路径（/ etc / nginx）具有读和写权限，因此非root用户将拥有对该路径的访问权限，这就是失败的原因。 您只设置了runAsNonRoot，但不能期望或保证容器将以用户1001的身份启动服务。请尝试将runAsUser显式设置为1001，如下所示，这应该可以解决您的问题。

apiVersion: v1
kind: Pod
metadata:
  name: buggypod
spec:
  containers:
    - name: container
      image: nginx
      securityContext:        
        runAsUser: 1001 

我尝试根据您的要求运行Pod。失败的原因是Nginx要求修改root拥有的/ etc /中的某些配置，当您运行AsNonRoot时，它失败了，因为它无法编辑Nginx的默认配置。

这是您在运行它时实际上遇到的错误。

10-listen-on-ipv6-by-default.sh: error: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2020/08/13 17:28:55 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges,ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges,ignored in /etc/nginx/nginx.conf:2
2020/08/13 17:28:55 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

我运行的规范。

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: buggypod
  name: buggypod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
  - image: nginx
    name: buggypod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

我的建议是您使用一个Dockerfile创建一个自定义的Nginx映像，该文件还会创建用户并为新的/var/cache/nginx、/etc/nginx/conf.d、/var/log/nginx文件夹提供权限创建的用户。这样您就可以将容器作为非根目录运行。