Issues Mounting RegSync Config to Kubernetes Pod - I think I need the UID of appuser
charles-horel-rogers opened this issue · comments
Current Behavior
I am trying to deploy a job that runs regsync once. In order to do this I create a job that creates a pod. This pod mounts a dockerconfigjson secret as well as the regsync configmap (containing the regsync config).
The pod is able to mount the volumes, but when we hit the regsync entrypoint we get permission errors trying to read the file.
I suspect I just need to shell into the container and run whoami, grab the UID and set the mounted files to be owned by this UID in my manifest.
However, the container doesn't have sleep, id or even tail in the appuser's path, and I do not know how I can run the container in a way that will let me interact with the shell.
I think I just need tips on how to configure the security context of volume mounts to these pods. Specifically if the UID is known and can be provided that will probably be all that I need.
Expected Behavior
This behaviour is not expected or not expected because there is no documented deployment method for kubernetes in the installation instructions.
Steps To Reproduce
This kubernetes manifest should replicate the issue
apiVersion: v1
kind: Namespace
metadata:
  name: registry-sync
  labels:
    name: registry-sync
---
apiVersion: v1
data:
  regsync.yml: |-
    version: 1
    defaults:
      ratelimit:
        min: 100
        retry: 15m
      parallel: 2
    sync:
      - source: hashicorp/vault:1.15.2
        target: <privateregistry>/vault:1.15.2
        type: image
        interval: 60m
        backup: "backup-{{.Ref.Tag}}"
      - source: hashicorp/vault-k8s:1.3.1
        target: <privateregistry>/vault-k8s:1.3.1
        type: image
        interval: 60m
        backup: "backup-{{.Ref.Tag}}"
kind: ConfigMap
metadata:
  name: regsync-config
  namespace: registry-sync
---
apiVersion: batch/v1
kind: Job
metadata:
  name: registry-sync
  namespace: registry-sync
spec:
  template:
    spec:
      containers:
        - name: regsync
          image: <privateregistry>/regsync:v0.6.0
          command: ['/home/appuser/regsync.yml','once']
          volumeMounts:
            - name: <privateregistrycreds>
              mountPath: /home/appuser/.docker/
            - name: regsync-config-volume
              mountPath: /home/appuser/
          env:
            - name: HTTPS_PROXY
              value: "http:// <private_proxy>/"
            - name: NO_PROXY
              value: " <privateregistry>"
      imagePullSecrets:
        - name: regcred
      restartPolicy: OnFailure
      volumes:
        - name: <privateregistrycreds>
          secret:
            secretName: regcred
            items:
              - key: .dockerconfigjson
                path: config.json
        - name: regsync-config-volume
          configMap:
            name: regsync-config
Version
v0.6.0
Environment
Running the tool as a job deploying a pod that mounts a configmap config in Kubernetes
Platform: Kubernetes 1.23
Registry: Harbor (but we are not getting far enough to interact with it)
Running as a container
Anything else
I think this is a usage problem; the SCC configuration to allow the appuser to read the mounted files should be added to the docs (along with the Kubernetes deployment instructions).
As it turns out, I was not using the correct entrypoint. Changing command to args and supplying the following fixed my issues:
args: ['-c','/home/appuser/regsync.yml','once']
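As an added example (not part of the original issue and not the regclient project's own manifest), here is the Job from the report rewritten around the fix the reporter found. The reason the original looked like a volume-ownership problem: `command` replaces the image ENTRYPOINT, so the container runtime tried to execute `/home/appuser/regsync.yml` itself, and executing a non-executable file fails with "permission denied". `args` keeps the image's regsync entrypoint and only supplies `-c <config> once`. The example also adds a pod security context so the mounted credentials are not world-readable: the UID and GID numbers are placeholders (assumptions, not values from the page or the image), and `fsGroup` is added to the container process's supplementary groups, so files created with mode 0440 and group-owned by that GID are readable without knowing appuser's UID. The ConfigMap, Namespace, proxy and image placeholders are the ones from the report.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: registry-sync
  namespace: registry-sync
spec:
  backoffLimit: 3
  template:
    spec:
      # Pod-level security context. PLACEHOLDER values: replace with the
      # UID/GID of appuser in your regsync image (assumption, not from the page).
      securityContext:
        runAsNonRoot: true
        fsGroup: 65534          # PLACEHOLDER_GID; any GID works, it is added as a supplementary group
      containers:
        - name: regsync
          image: <privateregistry>/regsync:v0.6.0
          # Keep the image ENTRYPOINT (the regsync binary); only override CMD.
          # 'command:' would replace the entrypoint and try to exec the YAML file.
          args: ['-c', '/home/appuser/regsync.yml', 'once']
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ['ALL']
          volumeMounts:
            - name: registry-creds
              mountPath: /home/appuser/.docker/
              readOnly: true
            - name: regsync-config-volume
              mountPath: /home/appuser/
              readOnly: true
          env:
            - name: HTTPS_PROXY
              value: "http:// <private_proxy>/"
            - name: NO_PROXY
              value: " <privateregistry>"
      imagePullSecrets:
        - name: regcred
      restartPolicy: OnFailure
      volumes:
        - name: registry-creds
          secret:
            secretName: regcred
            # 0440 instead of the default 0644: readable by owner and fsGroup only.
            defaultMode: 0440
            items:
              - key: .dockerconfigjson
                path: config.json
        - name: regsync-config-volume
          configMap:
            name: regsync-config
            defaultMode: 0440
```

To confirm the entrypoint assumption before relying on it, inspect the image config (`docker inspect <privateregistry>/regsync:v0.6.0` and look at `Config.Entrypoint` and `Config.Cmd`, or the equivalent `regctl image config` output); whatever is listed as Entrypoint is what `args` gets appended to. If the image sets a numeric `USER`, `runAsNonRoot: true` passes without `runAsUser`; if it sets a user by name only, the kubelet cannot verify it and you must supply `runAsUser` with the real UID.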