
Container has runAsNonRoot and image will run as root on ko-built image (v0.13.6) #4003

Closed
edbighead opened this issue Oct 24, 2023 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@edbighead

What happened:
The CreateContainerConfigError is happening after migrating to v0.13.6, caused by switching to ko (#3835):

```yaml
state:
  waiting:
    message: 'container has runAsNonRoot and image will run as root (pod: "external-dns-5bf5f97c4-bw7mg_kube-system(d7ec6cb8-d04d-4c40-b333-1b51c5b69219)",
      container: external-dns'
    reason: CreateContainerConfigError
```

What you expected to happen:
Container (built with ko) should be able to run as non-root

How to reproduce it (as minimally and precisely as possible):
Not using the helm chart; here's the deployment:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: external-dns
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      containers:
      - args:
        - --interval=5m
        - --events
        - --service-type-filter=LoadBalancer
        - --source=service
        - --source=ingress
        - --ingress-class=nginx-cluster
        - --ingress-class=nginx-internal
        - --domain-filter=redacted
        - --aws-zones-cache-duration=1h
        - --provider=aws
        - --registry=txt
        - --txt-owner-id=redacted
        image: registry.k8s.io/external-dns/external-dns:v0.13.6@sha256:404fafa9f814832bb0a46c562ce03b84dc6fb4326643e2315c17a15ffd0783e4
        name: external-dns
        ports:
        - containerPort: 7979
          name: http
          protocol: TCP
        resources:
          limits:
            cpu: 1000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 1024Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
      priorityClassName: system-cluster-critical
      serviceAccountName: external-dns
```

Anything else we need to know?:
It works fine with v0.13.5.

Environment:

  • External-DNS version (use external-dns --version): v0.13.6
  • DNS provider: aws
  • Others:
edbighead added the kind/bug label on Oct 24, 2023

@edbighead (Author)

Solved by adding `runAsUser: 65534` to `securityContext`.
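Why the error appears and why `runAsUser` fixes it: the kubelet only enforces `runAsNonRoot` if it can prove the UID is non-zero, and an image whose config sets no `USER` (or a non-numeric one) cannot be proven. The following is an added model of that decision, not code from external-dns, ko or Kubernetes; field names are simplified and the image `USER` strings are constructed.

```python
"""Model of the kubelet's runAsNonRoot check against an image's USER field."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SecurityContext:
    run_as_non_root: Optional[bool] = None
    run_as_user: Optional[int] = None


def effective_context(pod: SecurityContext, container: SecurityContext) -> SecurityContext:
    """Container-level fields override pod-level ones (same precedence as Kubernetes)."""
    return SecurityContext(
        run_as_non_root=pod.run_as_non_root if container.run_as_non_root is None else container.run_as_non_root,
        run_as_user=pod.run_as_user if container.run_as_user is None else container.run_as_user,
    )


def image_user(user_field: str) -> Tuple[Optional[int], str]:
    """Parse an OCI image USER ('', '65534', '65534:65534', 'nonroot') into (uid, username).
    An unset USER is treated as uid 0, which is exactly the ko-image failure mode."""
    name = user_field.split(":", 1)[0].strip()
    if name == "":
        return 0, ""
    if name.isdigit():
        return int(name), ""
    return None, name


def verify_run_as_non_root(pod: SecurityContext, container: SecurityContext, user_field: str) -> Optional[str]:
    """Return None when the container may start, otherwise the kubelet-style rejection reason."""
    sc = effective_context(pod, container)
    if not sc.run_as_non_root:
        return None  # policy not requested, nothing to verify
    if sc.run_as_user is not None:
        # An explicit UID wins; the image USER is no longer consulted.
        return "container's runAsUser breaks non-root policy" if sc.run_as_user == 0 else None
    uid, username = image_user(user_field)
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    if uid is None and username:
        return f"container has runAsNonRoot and image has non-numeric user ({username}), cannot verify user is non-root"
    return None


if __name__ == "__main__":
    policy = SecurityContext(run_as_non_root=True)           # as in the issue's deployment
    fixed = SecurityContext(run_as_non_root=True, run_as_user=65534)  # the reporter's fix
    print(verify_run_as_non_root(SecurityContext(), policy, ""))      # rejected: USER unset
    print(verify_run_as_non_root(SecurityContext(), fixed, ""))       # None: starts
```

Pinning `runAsUser` on the workload side removes the dependency on whichever base image `ko` happens to use, so the container stays non-root even if the image's `USER` changes again.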
