Kubernetes: Linux user management


Problem description

We are running docker containers in Kubernetes. Docker allows running containers under different users at the host system level.

I was looking into several Helm charts and it seems that for example Prometheus is running as "nobody", while Grafana is creating its user (hardcoded id) using useradd in Dockerfile.

Is there any way to standardize the behavior in Kubernetes, possibly making sure that only users required on the system by containers are present, and that they are removed once the container is scheduled elsewhere?

I am also worried that we will get userId collision, resulting in unexpected behavior, which will be hard to test...

Recommended answer

It isn't necessary for the docker host machine to have a user with the UID that is used inside the container.

Here is an example:

On the docker host machine:

# Mongo container is running
root@docker-test:~# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
08495ae15f44        mongo:latest        "docker-entrypoint..."   23 minutes ago      Up 23 minutes       27017/tcp           some-mongo

# mongod process is running under UID 999
root@docker-test:~# ps aux | grep mongo | grep -v grep
999      14035  0.6  1.7 986136 67612 ?        Ssl  08:56   0:01 mongod --bind_ip_all

# there is no user with UID 999 id on the docker host machine
root@docker-test:~# cat /etc/passwd | grep 999
root@docker-test:~# 

Inside the container:

# attaching to container
root@docker-test:~# docker exec -it 08495ae15f44 bash

# mongod process is running with privileges of the mongodb user
root@08495ae15f44:/# ps aux | grep mongo | grep -v grep
mongodb      1  0.4  1.8 990320 70036 ?        Ssl  08:56   0:02 mongod --bind_ip_all

# user mongodb is present inside the container in /etc/passwd and has UID 999
root@08495ae15f44:/# cat /etc/passwd | grep mongodb
mongodb:x:999:999::/home/mongodb:/bin/sh
root@08495ae15f44:/# 
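The answer shows that the UID is just a number to the kernel; the name "mongodb" only exists because the image's /etc/passwd maps 999 to it. The question also asks how to standardize this across charts. In Kubernetes the usual way is to pin the UID in the pod's securityContext instead of relying on whatever USER or useradd each Dockerfile chose. The following pod spec is an added example, not code from the original question or answer; the pod name and the UID/GID value 10001 are arbitrary choices made here, and the mongo:latest image is reused from the answer only for continuity.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: uid-pinned-example      # hypothetical name chosen for this example
spec:
  securityContext:
    runAsUser: 10001            # overrides the image's USER; the UID need not exist in any /etc/passwd
    runAsGroup: 10001
    runAsNonRoot: true          # kubelet refuses to start the container if the effective UID would be 0
    fsGroup: 10001              # volumes mounted into the pod are made accessible to this GID
  containers:
  - name: app
    image: mongo:latest         # image from the answer's example; any image works the same way
    securityContext:
      allowPrivilegeEscalation: false
```

Two caveats worth knowing. First, a process started under a UID that has no /etc/passwd entry in the image runs fine, but programs that look up their own user (for example to find HOME) may fail with "user not found"; if that happens, add the entry in the image or set HOME explicitly. Second, unless user namespaces are enabled for pods, the numeric UID inside the container is the same UID the node kernel uses for file ownership, so two pods on one node that share the same UID can read each other's files on a shared hostPath or node-local volume. Choosing a distinct runAsUser per workload is the practical answer to the collision concern in the question.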
