kubernetes securitycontext runAsNonRoot Not working

我尝试根据您的需求运行pod。它失败的原因是Nginx需要修改root拥有的/etc/中的一些配置，当你运行AsNonRoot时，它失败了，因为它无法编辑Nginx的默认配置。

这是你运行它时实际得到的错误。

10-listen-on-ipv6-by-default.sh: error: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2020/08/13 17:28:55 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2020/08/13 17:28:55 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

我运行的规范。

apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: buggypod
name: buggypod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
containers:
- image: nginx
name: buggypod
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}

我的建议是创建一个带有Dockerfile的自定义Nginx镜像，该镜像还创建用户，并为新创建的用户提供对文件夹/var/cache/Nginx、/etc/Nginx/conf.d、/var/log/Nginx的权限。这样就可以实现以非根目录的身份运行容器。

Nginx服务将期望对其配置路径(/etc/Nginx(具有读写权限，默认情况下，非root用户将拥有对该路径的访问权限，这是它失败的原因。您只设置了runAsNonRoot，但不能期望或保证容器将以用户1001的身份启动服务。请尝试将runAsUser显式设置为1001，如下所示，这将解决您的问题。

apiVersion: v1
kind: Pod
metadata:
name: buggypod
spec:
containers:
- name: container
image: nginx
securityContext:        
runAsUser: 1001