Kubernetes: Linux user management
Problem description
We are running docker containers in Kubernetes. Docker allows running containers under different users at the host system level.
I was looking into several Helm charts and it seems that, for example, Prometheus is running as "nobody", while Grafana is creating its user (hardcoded id) using useradd in the Dockerfile.
Is there any way to standardize the behavior in Kubernetes, possibly making sure that only users required on the system by containers are present, and that they are removed once the container is scheduled elsewhere?
I am also worried that we will get userId collisions, resulting in unexpected behavior, which will be hard to test...
Recommended answer
It isn't necessary for the docker host machine to have a user with the UID that is used inside the container.
Here is an example:
On the docker host machine:
# Mongo container is running
root@docker-test:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
08495ae15f44 mongo:latest "docker-entrypoint..." 23 minutes ago Up 23 minutes 27017/tcp some-mongo
# mongod process is running under UID 999
root@docker-test:~# ps aux | grep mongo | grep -v grep
999 14035 0.6 1.7 986136 67612 ? Ssl 08:56 0:01 mongod --bind_ip_all
# there is no user with UID 999 id on the docker host machine
root@docker-test:~# cat /etc/passwd | grep 999
root@docker-test:~#
Inside the container:
# attaching to container
root@docker-test:~# docker exec -it 08495ae15f44 bash
# mongod process is running with privileges of the mongodb user
root@08495ae15f44:/# ps aux | grep mongo | grep -v grep
mongodb 1 0.4 1.8 990320 70036 ? Ssl 08:56 0:02 mongod --bind_ip_all
# user mongodb is present inside the container in /etc/passwd and has UID 999
root@08495ae15f44:/# cat /etc/passwd | grep mongodb
mongodb:x:999:999::/home/mongodb:/bin/sh
root@08495ae15f44:/#
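One way to get the standardized behavior the question asks for is to let Kubernetes pin the UID instead of relying on whatever USER each image declares. The manifest below is an added example, not part of the answer above; the namespace and Pod names are hypothetical, and it reuses UID 999 from the mongo image shown in the answer.

```yaml
# Constructed example: namespace-level enforcement plus a Pod whose UID is
# set by the Pod spec rather than by the image's Dockerfile.
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring                      # hypothetical namespace
  labels:
    # Pod Security Admission rejects Pods in this namespace that do not
    # satisfy the "restricted" profile (non-root, no privilege escalation,
    # all capabilities dropped, seccomp profile set).
    pod-security.kubernetes.io/enforce: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: some-mongo                      # hypothetical Pod name
  namespace: monitoring
spec:
  securityContext:
    # Pod-wide defaults; a container may override runAsUser/runAsGroup.
    runAsUser: 999                      # UID of "mongodb" inside the image
    runAsGroup: 999
    fsGroup: 999                        # volumes become group-owned by 999
    runAsNonRoot: true                  # kubelet refuses to start UID 0
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: mongo
      image: mongo:latest
      args: ["--bind_ip_all"]
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: data
          mountPath: /data/db
  volumes:
    - name: data
      emptyDir: {}
```

The UID still does not have to exist in the node's /etc/passwd, as the answer shows; but if it is also absent from the image's /etc/passwd, the process runs with a bare numeric UID and software that looks up its own user name (e.g. via getpwuid) may fail, so pick a UID the image already defines or ship a matching passwd entry.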