如何在 Kubernetes pod/container 中以非 root 用户身份登录
[英]How to logon as non-root user in Kubernetes pod/container
问题描述
I am trying to log into a kubernetes pod using the kubectl exec command.
我正在尝试使用 kubectl exec 命令登录到 kubernetes pod。 I am successful but it logs me in as the root user.我成功了,但它以 root 用户身份登录。 I have created some other users too as part of the system build.作为系统构建的一部分,我也创建了一些其他用户。
Command being used is "kubectl exec -it /bin/bash".使用的命令是“kubectl exec -it /bin/bash”。 I guess this means that run /bin/bash on the pod which results into a shell entry into the container.我想这意味着在 pod 上运行 /bin/bash 会导致进入容器的 shell 条目。
Can someone please guide me on the following -有人可以指导我以下 -
- How to logon using a non-root user?如何使用非root用户登录?
- Is there a way to disable root user login?有没有办法禁用root用户登录?
- How can I bind our organization's ldap into the container?如何将我们组织的 ldap 绑定到容器中?
Please let me know if more information is needed from my end to answer this?请让我知道是否需要更多信息来回答这个问题?
Thanks,谢谢,
Anurag阿努拉格
3 个解决方案
解决方案1
4 2019-03-13 09:47:36
You can use su - <USERNAME> to login as a non-root user.您可以使用su - <USERNAME>以非 root 用户身份登录。
Run cat /etc/passwd to get a list of all available users then identify a user with a valid shell compiler eg运行cat /etc/passwd以获取所有可用用户的列表,然后使用有效的 shell 编译器识别用户,例如
/bin/bash or /bin/sh /bin/bash或/bin/sh
Users with /bin/nologin and /bin/false as the set compiler are used by system processes and as such you can't log in as them.使用/bin/nologin和/bin/false作为设置编译器的用户被系统进程使用,因此您无法以他们的身份登录。
解决方案2
0 2018-08-15 22:52:18
I think its because the container user is root, that is why when you kubectl exec into it, the default user is root.我认为这是因为容器用户是 root,这就是为什么当你 kubectl exec 进入它时,默认用户是 root。 If you run your container or pod with non root then kubectl exec will not be root.如果您使用非 root 运行容器或 pod,则 kubectl exec 将不是 root。
解决方案3
0 2018-08-16 13:36:58
In most cases, there is only one process that runs in a Docker container inside a Kubernetes Pod.在大多数情况下,只有一个进程在 Kubernetes Pod 内的 Docker 容器中运行。 There are no other processes that can provide authentication or authorization features.没有其他进程可以提供身份验证或授权功能。 You can try to run a wrapper with several nested processes in one container, but this way you spoil the containerization idea to run an immutable application code with minimum overhead.您可以尝试在一个容器中运行具有多个嵌套进程的包装器,但这样会破坏容器化思想,以最小的开销运行不可变的应用程序代码。
kubectl exec runs another process in the same container environment with the main process, and there is no option to set the user ID for this process. kubectl exec在与主进程相同的容器环境中运行另一个进程,并且没有选项可以为该进程设置用户 ID。
However, you can do it by using docker exec with the additional option:但是,您可以使用带有附加选项的docker exec来实现:
--user , -u Username or UID (format: <name|uid>[:<group|gid>])
In any case, these two articles might be helpful for you to run IBM MQ in Kubernetes cluster无论如何,这两篇文章可能对您在 Kubernetes 集群中运行 IBM MQ 有所帮助
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.