-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can't use non-root user with podSpecPatch #326
Comments
yo! @DrJosh9000 is gonna take a look at this for you, will get back to you soon. |
I'm not sure I understand exactly how this is falling down, but I'll post my debugging so far anyway. Quick recap - the scheduler does this:
So, if the Here's a pipeline that ran for me: agents:
queue: kubernetes
steps:
- label: ":pipeline:"
plugins:
- kubernetes:
podSpec:
securityContext:
runAsUser: 2000
runAsGroup: 2000
containers:
- name: "command"
image: "alpine:latest"
command: ["ash -c"]
args: ["'whoami ; id ; ls -l'"]
podSpecPatch:
containers:
- name: "checkout" which worked:
But I guess that's not ideal - you have to go back to specifying a bunch of things in My off-the-top-of-my-head solution would be: instead of conditioning the user/group creation logic on what the security context is at schedule time, the checkout container could compare current and intended UID/GID at run time. (Perhaps the command container should be doing the same thing.) |
Thanks for the context. I will see if I can get it working on my side like you described. As you said, not ideal but at least I could eliminate some of the other duplication. Just to clarify though, is the podSpecPatch containers entry for The solution you outlined does make sense to me, but I guess that would be a longer term thing eh? |
I was originally testing to see if the strategic merge patch used by As for timeline, I think it diminishes the usefulness of PodSpecPatch to have to work around it like that, so I hope to take a stab at a solution sooner rather than later. |
this solution worked for me |
Hi, I'm trying to use the new functionality introduced with #282 but running into some issues with checkout. I was initially seeing the checkout container error at startup with this message logged:
I compared the resulting pod spec from before and after and noticed that previously this logic seems to have been triggered to create a non-root user and it looks like that's no longer happening when using podSpecPatch.
I tried manually adding the root
securityContext
in my podSpecPatch but that causes other permissions errors after checkout, since it's trying to run as a non-root user later. It seems like the above linked logic needs to be triggered even when using podSpecPatch?The text was updated successfully, but these errors were encountered: