Kubernetes中的Pod启动命令

Question

I would like to add the docker command --user $(id -u):$(id -g) to my k8s deployment definition. What is the equivalent for that in k8s?

args or command?

How the container gets started normally:

docker run -d -p 5901:5901 -p 6901:6901 --user $(id -u):$(id -g) khwhahn/daedalus:0.1

k8s deployment
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose --file docker-compose.yaml convert
    kompose.version: 1.10.0 (8bb0907)
  creationTimestamp: null
  labels:
    io.kompose.service: daedalus
  name: daedalus
spec:
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      creationTimestamp: null
      labels:
        io.kompose.service: daedalus
    spec:
      containers:
      - env:
        - name: DISPLAY
        image: khwhahn/daedalus:0.1
        imagePullPolicy: Always
        ports:
          - containerPort: 5901
            name: vnc
            protocol: TCP
          - containerPort: 6901
            name: http
            protocol: TCP
        livenessProbe:
            httpGet:
              path: /
              port: 6901
              scheme: HTTP
            initialDelaySeconds: 10
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
        readinessProbe:
          httpGet:
            path: /
            port: 6901
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
          periodSeconds: 10
          successThreshold: 1
          failureThreshold: 3
        name: daedalus
        resources: {}
        volumeMounts:
        - mountPath: /tmp/.X11-unix
          name: daedalus-claim0
        - mountPath: /home/daedalus/daedalus/tls
          name: cardano-tls
      restartPolicy: Always
      volumes:
      - name: daedalus-claim0
        persistentVolumeClaim:
          claimName: daedalus-claim0
      - name: cardano-tls
        persistentVolumeClaim:
          claimName: cardano-tls
status: {}

Thanks

Answer 1

That was requested initially in kubernetes issue 22179 .

Implemented partially in:

• PR 52077: "API Changes for RunAsGroup" ,
• PR 756: "Allow specifying the primary group id of the container "

PodSecurityContext allows Kubernetes users to specify RunAsUser which can be overriden by RunAsUser in SecurityContext on a per Container basis.

Introduce a new API field in SecurityContext and PodSecurityContext called RunAsGroup .

See " Configure a Security Context for a Pod or Container ".