Bug
Resolution: Done
Critical
4.10
Quality / Stability / Reliability
Rejected
Description of problem:
https://catalog.redhat.com/software/containers/registry/registry.access.redhat.com/repository/rhel8/cups?container-tabs=overview
Image name: rhel8/cups
Issue: Using this image, if I create a pod as kubeadmin it works, but it does not work for a normal user. The pod can be created with the kubeadmin user; if I create a pod using this image as a normal user, the pod goes into "CrashLoopBackOff". The customer wants the rhel8/cups or rhel9/cups image to run on an OpenShift cluster as an unprivileged user.
Version-Release number of selected component (if applicable):
How reproducible:
In my cluster I see the same result: it works for kubeadmin but not for a normal user.
[quickcluster@upi-0 ~]$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: user-pod
  namespace: example-namespace
spec:
  containers:
  - name: user-container
    image: registry.redhat.io/rhel8/cups:latest
    ports:
    - containerPort: 8989
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2023-07-12T16:02:28Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2023-07-12T16:02:28Z"
    message: 'containers with unready status: [user-container]'
    reason: ContainersNotReady
    status: "False"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2023-07-12T16:02:28Z"
    message: 'containers with unready status: [user-container]'
    reason: ContainersNotReady
    status: "False"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2023-07-12T16:02:28Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: cri-o://f42233fbb1b9210a871a644871f1a02b161c678c06ad7ef439cbdb2991c02702
    image: registry.redhat.io/rhel8/cups:latest
    imageID: registry.redhat.io/rhel8/cups@sha256:2e9b661451954642c7f201f5cbb237f32428a1c470b91bb64a39756e92caa0f6
    lastState:
      terminated:
        containerID: cri-o://f42233fbb1b9210a871a644871f1a02b161c678c06ad7ef439cbdb2991c02702
        exitCode: 1
        finishedAt: "2023-07-12T16:02:53Z"
        reason: Error
        startedAt: "2023-07-12T16:02:53Z"
    name: user-container
    ready: false
    restartCount: 2
    started: false
    state:
      waiting:
        message: back-off 20s restarting failed container=user-container pod=user-pod_example-namespace(fabf1646-16a2-4b70-83ad-2a73e0025c27)
        reason: CrashLoopBackOff
  hostIP: 10.0.88.252
  phase: Running
  podIP: 10.128.2.23
  podIPs:
  - ip: 10.128.2.23
  qosClass: BestEffort
  startTime: "2023-07-12T16:02:28Z"
[quickcluster@upi-0 ~]$ ls
cluster-monitoring-config.yaml oauth.yaml oc4 ocp4cert_approver.sh pod.yaml rb.yaml role.yaml
[quickcluster@upi-0 ~]$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: user-pod
  namespace: example-namespace
spec:
  containers:
  - name: user-container
    image: registry.redhat.io/rhel8/cups:latest
    ports:
    - containerPort: 631
Steps to Reproduce:
Actual results:
The unprivileged user is not able to run this image; the pod goes into CrashLoopBackOff.
Expected results:
The image should run as an unprivileged user.
Additional info:
The issue seems to come from the fsGroup as well as the runAsUser which get injected by OpenShift. If I create the container as admin those settings are missing, which magically makes the container work.
...
  securityContext:
    seLinuxOptions:
      level: 's0:c74,c9'
    fsGroup: 1005420000
...
    securityContext:
      capabilities:
        drop:
        - KILL
        - MKNOD
        - SETGID
        - SETUID
      runAsUser: 1005420000
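The following is an added illustration, not part of the bug report or of the rhel8/cups image: it derives the runAsUser, fsGroup and SELinux level that the restricted SCC injects from the namespace's openshift.io/sa.scc.* annotations (the annotation values are constructed to match the report), flags why an image that assumes a fixed UID or a dropped capability then fails, and builds an approximate podman command to reproduce that context outside the cluster. The image UID and capability needs passed to image_problems are hypothetical inputs.

```python
"""Predict the securityContext that OpenShift's restricted SCC injects into a pod
and flag why an image built for a fixed user then fails (the CrashLoopBackOff above)."""

# Constructed namespace annotations; the values match the report's injected
# runAsUser/fsGroup 1005420000 and SELinux level s0:c74,c9.
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1005420000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1005420000/10000",
    "openshift.io/sa.scc.mcs": "s0:c74,c9",
}
# Capabilities the restricted SCC drops, as seen in the injected container spec.
DROPPED_CAPS = ("KILL", "MKNOD", "SETGID", "SETUID")

def first_of_range(block: str) -> int:
    """'1005420000/10000' -> 1005420000 (start/size notation used by the annotations)."""
    return int(block.partition("/")[0])

def restricted_scc_injection(annotations: dict) -> dict:
    """Fields the restricted SCC adds when the pod spec leaves them unset."""
    return {
        "runAsUser": first_of_range(annotations["openshift.io/sa.scc.uid-range"]),
        "fsGroup": first_of_range(annotations["openshift.io/sa.scc.supplemental-groups"]),
        "seLinuxLevel": annotations["openshift.io/sa.scc.mcs"],
        "droppedCapabilities": list(DROPPED_CAPS),
    }

def image_problems(image_uid: int, image_needs_caps: set, injected: dict) -> list:
    """Reasons an image that assumes a fixed UID or capabilities breaks under the
    injected context. image_uid/image_needs_caps are hypothetical image properties."""
    problems = []
    if image_uid != injected["runAsUser"]:
        problems.append(f"image USER {image_uid} but pod runs as arbitrary UID "
                        f"{injected['runAsUser']}: paths writable only by UID "
                        f"{image_uid} (not by GID 0) break the entrypoint")
    lost = sorted(image_needs_caps & set(injected["droppedCapabilities"]))
    if lost:
        problems.append(f"image relies on dropped capabilities: {', '.join(lost)}")
    return problems

def podman_repro_args(image: str, injected: dict) -> list:
    """'podman run' arguments approximating the injected context for a local test
    (fsGroup has no direct podman equivalent and is left out)."""
    args = ["podman", "run", "--rm", "--user", f"{injected['runAsUser']}:0",
            "--security-opt", f"label=level:{injected['seLinuxLevel']}"]
    for cap in injected["droppedCapabilities"]:
        args += ["--cap-drop", cap]
    return args + [image]
```

Running the printed podman command against the image locally shows the same entrypoint failure as the pod, which is quicker to iterate on than CrashLoopBackOff in the cluster.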