regclient / regclient

Docker and OCI Registry Client in Go and tooling using those libraries.

Issues Mounting RegSync Config to Kubernetes Pod - I think I need the UID of appuser

charles-horel-rogers opened this issue · comments

Current Behavior

I am trying to deploy a job that runs regsync once. In order to do this I create a job that creates a pod. This pod mounts a dockerconfigjson secret as well as the regsync configmap (containing the regsync config).

The pod is able to mount the volumes, but when we hit the regsync entrypoint we get permission errors trying to read the file.

I suspect I just need to shell into the container and run whoami, grab the UID and set the mounted files to be owned by this UID in my manifest.

However, the container doesn't have sleep, id or even tail in the appuser's path, and I do not know how I can run the container in a way that will let me interact with the shell.

I think I just need tips on how to configure the security context of volume mounts to these pods. Specifically if the UID is known and can be provided that will probably be all that I need.

Expected Behavior

This behaviour is not expected or not expected because there is no documented deployment method for Kubernetes in the installation instructions.

Steps To Reproduce

This Kubernetes manifest should replicate the issue:

apiVersion: v1
kind: Namespace
metadata:
  name: registry-sync
  labels:
    name: registry-sync
---
apiVersion: v1
data:
  regsync.yml: |-
    version: 1
    defaults:
      ratelimit:
        min: 100
        retry: 15m
      parallel: 2
    sync:
      - source: hashicorp/vault:1.15.2
        target: <privateregistry>/vault:1.15.2
        type: image
        interval: 60m
        backup: "backup-{{.Ref.Tag}}"
      - source: hashicorp/vault-k8s:1.3.1
        target: <privateregistry>/vault-k8s:1.3.1
        type: image
        interval: 60m
        backup: "backup-{{.Ref.Tag}}"
kind: ConfigMap
metadata:
  name: regsync-config
  namespace: registry-sync
---
apiVersion: batch/v1
kind: Job
metadata:
  name: registry-sync
  namespace: registry-sync
spec:
  template:
    spec:
      containers:
      - name: regsync
        image:  <privateregistry>/regsync:v0.6.0
        command: ['/home/appuser/regsync.yml','once']   # replaces the image's entrypoint with the config file path; the fix at the end of the issue uses args instead
        volumeMounts:
          - name:  <privateregistrycreds>
            mountPath: /home/appuser/.docker/
          - name: regsync-config-volume
            mountPath: /home/appuser/
        env:
          - name: HTTPS_PROXY
            value: "http:// <private_proxy>/"
          - name: NO_PROXY
            value: " <privateregistry>"
      imagePullSecrets:
        - name: regcred
      restartPolicy: OnFailure
      volumes:
        - name:  <privateregistrycreds>
          secret:
            secretName: regcred
            items:
              - key: .dockerconfigjson
                path: config.json
        - name: regsync-config-volume
          configMap:
            name: regsync-config

Version

v0.6.0

Environment

Running the tool as a job deploying a pod that mounts a configmap config in Kubernetes
Platform: Kubernetes 1.23
Registry: Harbor (but we are not getting far enough to interact with it)
Running as a container

Anything else

I think this is a usage problem; the SCC configuration to allow the appuser to read the mounted files should be added to the docs (along with the Kubernetes deployment instructions).

As it turns out, I was not using the correct entrypoint. Changing command to args and supplying the following fixed my issues:

args: ['-c','/home/appuser/regsync.yml','once']
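A complete Job that applies that fix, as an added example and not a manifest from the issue or from the regclient project: it keeps the image's own entrypoint by passing args instead of command, mounts the credentials and the config read-only, drops capabilities and privilege escalation, and refuses to start as root so no UID has to be looked up. It assumes the regsync image's entrypoint is the regsync binary and that the image already runs as appuser; the volume name registry-creds and the backoffLimit value are my choices, and the angle-bracket values are the issue's own placeholders.

```yaml
# Added example (not from the issue or the regclient project).
# Assumptions: the image's ENTRYPOINT is the regsync binary, so args are
# appended to it; the image's USER is appuser; <privateregistry> and
# <private_proxy> are placeholders to replace before applying.
apiVersion: batch/v1
kind: Job
metadata:
  name: registry-sync
  namespace: registry-sync
spec:
  backoffLimit: 3                       # stop retrying after 3 failed pods (chosen value)
  template:
    spec:
      restartPolicy: OnFailure
      automountServiceAccountToken: false   # regsync never needs the Kubernetes API
      securityContext:
        runAsNonRoot: true              # fail fast if the image would run as root
      imagePullSecrets:
        - name: regcred
      containers:
        - name: regsync
          image: <privateregistry>/regsync:v0.6.0
          # 'command' would replace the image's entrypoint (the original manifest
          # ended up executing the YAML config file); 'args' is appended to the
          # entrypoint instead, so the regsync binary receives the flags.
          args: ['-c', '/home/appuser/regsync.yml', 'once']
          env:
            - name: HTTPS_PROXY
              value: "http://<private_proxy>/"
            - name: NO_PROXY
              value: "<privateregistry>"
          volumeMounts:
            - name: registry-creds
              mountPath: /home/appuser/.docker/   # regsync reads config.json here
              readOnly: true
            - name: regsync-config-volume
              mountPath: /home/appuser/           # provides /home/appuser/regsync.yml
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]             # outbound HTTPS needs no capabilities
      volumes:
        - name: registry-creds
          secret:
            secretName: regcred
            items:
              - key: .dockerconfigjson
                path: config.json       # becomes /home/appuser/.docker/config.json
        - name: regsync-config-volume
          configMap:
            name: regsync-config        # the ConfigMap from the reproduction manifest
```

Secret and ConfigMap volumes are projected with mode 0644 by default, so a non-root appuser can read them without any ownership change; the permission error in the issue came from the kernel trying to execute the config file as the container's process, not from the mounts. Keeping runAsNonRoot instead of a hard-coded runAsUser means the manifest stays correct if the image's UID ever changes.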