How does security context runAsUser take effect?

Hi team,

I have a question about the Kubernetes security context; it has confused me for several days. The question is quite simple to describe, let me explain:

Our team has deployed several pods with the security context parameters below:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: demo
spec:
      securityContext:
        runAsUser: 9999
        runAsGroup: 9999
...

and then we entered the pods and ran the commands id and ps -ef:

[root@Fog ~ (Master)]# kubectl exec -it demo -n hxia /bin/bash
bash-5.0$ id
uid=9999 gid=9999 groups=9999,0(root)
bash-5.0$ ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
9999           1       0  0 Apr28 ?        00:00:10 /usr/bin/ministarter
9999           8       1  0 Apr28 ?        00:00:00 /bin/bash bin/start_event.sh

It seems the configuration works, indeed. But a question came up: after cat /etc/[group|passwd], we did not find the id 9999 in those files. Also, comparing the user namespaces, we see that the container and the host share the same user namespace:

bash-5.0$ cat /etc/group | grep 9999
bash-5.0$ cat /etc/shadow | grep 9999
cat: /etc/shadow: Permission denied
bash-5.0$ cat /etc/passwd | grep 9999

bash-5.0$ readlink /proc/$$/ns/user
user:[4026531837]
bash-5.0$ exit
exit
[root@Fog ~ (Master)]# readlink /proc/$$/ns/user
user:[4026531837]

So based on these findings, we have a question:
why does the uid still work when 9999 does not exist in /etc/[group|passwd], i.e. without a user name? Are there other special mechanisms to handle the user in Kubernetes?

Hope the team can support us, thanks so much!
Best regards,
hxia

[hxia] hxia https://discuss.kubernetes.io/u/hxia
April 30

so based on the finding, we have a question as below:
why no 9999 exist in the /etc/[group|passwd], the uid can still work

You don't need to have it in /etc/passwd nor friends. You can use any UID
number when running a process. It's really that simple :slight_smile:

even without a user name? Are there other special mechanisms to

Kubernetes doesn't support user namespaces. Everything runs in the same user
namespace as the host. There is a KEP to add support for userns, but it is
not ready yet.

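To make the two points in the answer concrete, here is an added example (not code from the original thread or from Kubernetes). It re-implements the name-resolution step that coreutils `id` performs against constructed /etc/passwd and /etc/group contents, showing that a UID with no entry is simply printed as a bare number and keeps working, and it compares two `readlink /proc/<pid>/ns/user` results, the check the poster ran to see that container and host share a user namespace. The sample passwd/group text and the namespace link strings are constructed here; the only real system access is an optional read of /proc/self/ns/user.

```python
"""Why a process can run as UID 9999 with no passwd entry, and how to
check whether two processes share a user namespace.

Added illustration for the discussion above; sample inputs are constructed.
"""
import os
import re

# Constructed stand-ins for the files shipped in a minimal container image.
# Note that no line defines uid/gid 9999.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_GROUP = """root:x:0:
nogroup:x:65534:
"""

# Format of a /proc/<pid>/ns/* symlink target, e.g. "user:[4026531837]".
NS_LINK_RE = re.compile(r"^(?P<kind>\w+):\[(?P<inode>\d+)\]$")


def parse_name_table(text, id_field=2):
    """Parse passwd- or group-format text into {numeric id: name}.

    Both files put the name in field 0 and the numeric id in field 2,
    so one parser serves both. Malformed lines are skipped rather than
    treated as errors, which is also what the libc lookup does.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) <= id_field:
            continue
        try:
            table[int(fields[id_field])] = fields[0]
        except ValueError:
            continue
    return table


def fmt_id(num, table):
    """'9999' when the id has no name, '0(root)' when it does."""
    name = table.get(num)
    return f"{num}({name})" if name is not None else str(num)


def render_id(uid, gid, groups, passwd_text, group_text):
    """Reproduce the `id` output line for the given credentials.

    The kernel only ever deals in numbers; the name in parentheses is a
    purely cosmetic lookup done by `id` in user space, so a missing
    passwd entry changes the display but not what the process can do.
    """
    users = parse_name_table(passwd_text)
    grps = parse_name_table(group_text)
    return " ".join([
        f"uid={fmt_id(uid, users)}",
        f"gid={fmt_id(gid, grps)}",
        "groups=" + ",".join(fmt_id(g, grps) for g in groups),
    ])


def ns_inode(link_target):
    """Extract (kind, inode) from a /proc/<pid>/ns/* symlink target."""
    m = NS_LINK_RE.match(link_target.strip())
    if not m:
        raise ValueError(f"not a namespace link: {link_target!r}")
    return m.group("kind"), int(m.group("inode"))


def same_user_namespace(link_a, link_b):
    """True when both targets name the same user namespace inode."""
    kind_a, ino_a = ns_inode(link_a)
    kind_b, ino_b = ns_inode(link_b)
    return kind_a == kind_b == "user" and ino_a == ino_b


def own_user_ns():
    """Read this process's user-namespace link; None off Linux or without /proc."""
    try:
        return os.readlink("/proc/self/ns/user")
    except OSError:
        return None


if __name__ == "__main__":
    # Matches the poster's output: uid/gid shown bare, gid 0 resolved to root.
    print(render_id(9999, 9999, [9999, 0], SAMPLE_PASSWD, SAMPLE_GROUP))
    # Constructed pair reproducing the poster's identical readlink results.
    print("shared userns:",
          same_user_namespace("user:[4026531837]", "user:[4026531837]"))
    print("this process:", own_user_ns())
```

Run inside a container and on its node, `own_user_ns()` returning the same inode on both is the condition the answer describes: without user namespace support, UID 9999 in the container is UID 9999 on the host as well, which is why choosing a dedicated non-root UID matters even when no account is defined for it.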

Hi rata,
thank you so much for your answer, it helps me. :grin: