-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tar archive is created on /home/k6 instead of tmp #160
Comments
Any update on this? In a secured cluster, usually it is not allowed by administrators to run containers with a defined user. Thanks. |
Sadly, not yet. I don't think this is a hard issue to fix or test, hence the 'good first issue' label - I was kind of wondering if someone would want to push a contribution and then forgot it myself... @rgordill, thanks for the ping; I'll see if we can move it up and fix sooner. |
@rgordill I've grok-ed this problem a bit more and realized that I probably misunderstood it initially 😅 More precisely, I'm no longer sure what you mean by a "restricted namespace". Initializer pod is not using security context at the moment at all: shouldn't it be used for all pods in your setup? E.g. what you described in the "step to repeat" is not actually sufficient to repeat the bug. We can definitely add a |
Hi, @yorugac. When a container writes a file in a defined folder, it needs privileges to do it. In this case, it needs to be run as user 65534. Although the initializer is not using a security context, some security products through webhooks can enforce the user to be randomized, to be more secured. That leads to this issue, and the security constraints should be relaxed, but for the need to write on a folder. If the selected folder is writable by anyone (like |
This is the part I didn't realize. Seems something like OpenShift guidelines, I suppose. OK, I'll finish the fix and merge it in. Thank you for clarification! |
Brief summary
That means user should be 65534 or have access rights to that folder.
https://github.com/grafana/k6-operator/blob/main/pkg/resources/jobs/initializer.go#L57
If it is created in /tmp folder, any user could run the tests without any particular uid privilege.
k6-operator version or image
latest (8.0.0rc3)
K6 YAML
Other environment details (if applicable)
No response
Steps to reproduce the problem
Run k6 tests from a namespace with restricted users. For example
securityContext:
runAsUser: 1000
Expected behaviour
Archive stored and read successfully.
Actual behaviour
Permission denied errors.
The text was updated successfully, but these errors were encountered: