I have a question about the Kubernetes security context; it has confused me for several days. Describing the question is quite simple, so let me explain:

Our team has deployed several pods with the security context parameters as below:
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: demo
spec:
  template:
    spec:
      securityContext:
        runAsUser: 9999
        runAsGroup: 9999
      ...
```
Then we entered the pods and ran the commands `id` and `ps -ef`:
```
[root@Fog ~ (Master)]# kubectl exec -it demo -n hxia /bin/bash
bash-5.0$ id
uid=9999 gid=9999 groups=9999,0(root)
bash-5.0$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
9999         1     0  0 Apr28 ?        00:00:10 /usr/bin/ministarter
9999         8     1  0 Apr28 ?        00:00:00 /bin/bash bin/start_event.sh
```
It seems the configuration works, indeed. But a question came up: after `cat /etc/[group|passwd]`, we did not find id 9999 in those files. Also, comparing the user namespaces, we see that the container and the host share the same user namespace:
```
bash-5.0$ cat /etc/group | grep 9999
bash-5.0$ cat /etc/shadow | grep 9999
cat: /etc/shadow: Permission denied
bash-5.0$ cat /etc/passwd | grep 9999
bash-5.0$ readlink /proc/$$/ns/user
user:
bash-5.0$ exit
exit
[root@Fog ~ (Master)]# readlink /proc/$$/ns/user
user:
```
So based on these findings, our question is:

Why does 9999 not exist in `/etc/[group|passwd]`, and how can the uid still work even without a user name? Are there other special mechanisms in Kubernetes to handle the user?

Hopefully the team can support us, thanks so much!
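The following is an added example, not part of the original question or of any Kubernetes project code. It reproduces what the `id` output above shows: userland tools only look up names for display, so a numeric uid/gid with no `/etc/passwd` or `/etc/group` entry is printed bare (`9999`) while a mapped one is printed with its name (`0(root)`). It also includes a small pre-deployment check, `check_run_as`, which is a hypothetical helper of my own; the passwd/group contents and the pod spec it runs over are constructed sample data.

```python
"""
Added example (not from the original post): models how `id` renders ids that
have no passwd/group entry, and runs a review check over a pod spec.
All file contents and the pod spec below are constructed sample data.
"""
from typing import Dict, List, Optional

# Constructed /etc/passwd and /etc/group of a minimal image: only root and nobody exist.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/:/sbin/nologin
"""
SAMPLE_GROUP = """root:x:0:
nobody:x:65534:
"""

# Constructed pod spec mirroring the runAsUser/runAsGroup values from the question.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsUser": 9999, "runAsGroup": 9999},
    "containers": [{"name": "app", "image": "demo:1.0"}],
}


def parse_name_map(content: str) -> Dict[int, str]:
    """Build a numeric-id -> name map from passwd/group style lines (name:x:id:...)."""
    mapping: Dict[int, str] = {}
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        try:
            mapping[int(fields[2])] = fields[0]
        except ValueError:
            continue  # malformed id field; skip the line like the C library would
    return mapping


def format_id_field(numeric: int, names: Dict[int, str]) -> str:
    """Mimic `id`: append the name in parentheses only when a mapping exists."""
    name: Optional[str] = names.get(numeric)
    return f"{numeric}({name})" if name is not None else str(numeric)


def render_id(uid: int, gid: int, groups: List[int],
              passwd_content: str, group_content: str) -> str:
    """Render the one-line `id` output for the given kernel-level credentials."""
    users = parse_name_map(passwd_content)
    grps = parse_name_map(group_content)
    groups_str = ",".join(format_id_field(g, grps) for g in groups)
    return (f"uid={format_id_field(uid, users)} "
            f"gid={format_id_field(gid, grps)} groups={groups_str}")


def check_run_as(pod_spec: dict, passwd_content: str, group_content: str) -> List[str]:
    """Hypothetical review check: report root usage and ids the image cannot name."""
    findings: List[str] = []
    pod_sc = pod_spec.get("securityContext", {})
    users = parse_name_map(passwd_content)
    grps = parse_name_map(group_content)
    for c in pod_spec.get("containers", []):
        # Container-level securityContext fields override the pod-level ones.
        sc = {**pod_sc, **c.get("securityContext", {})}
        uid = sc.get("runAsUser")
        gid = sc.get("runAsGroup")
        if uid is None:
            findings.append(f"{c['name']}: runAsUser not set; the image's default user applies")
        elif uid == 0:
            findings.append(f"{c['name']}: runs as root (uid 0)")
        elif uid not in users:
            findings.append(f"{c['name']}: uid {uid} has no /etc/passwd entry; "
                            "getpwuid() lookups in the application will fail")
        if gid is not None and gid not in grps:
            findings.append(f"{c['name']}: gid {gid} has no /etc/group entry")
    return findings


if __name__ == "__main__":
    print(render_id(9999, 9999, [9999, 0], SAMPLE_PASSWD, SAMPLE_GROUP))
    for finding in check_run_as(SAMPLE_POD_SPEC, SAMPLE_PASSWD, SAMPLE_GROUP):
        print("finding:", finding)
```

The kernel enforces permissions purely on the numbers it carries in each process's credentials, which is why the pod runs as 9999 without any passwd entry; the name files are only consulted by tools such as `id`, `ps` and by applications calling `getpwuid()`. The check therefore treats a missing entry as a compatibility finding for the image (add the user to the image, or use a mechanism that supplies the mapping at run time) rather than as a security failure, and flags uid 0 separately.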