DEV Community

Cover image for Run Kubernetes Pod with root privileges (not recommended)
TechWorld with Nana
TechWorld with Nana

Posted on • Edited on

Run Kubernetes Pod with root privileges (not recommended)

Problem:

Most Docker containers and the processes inside run with non-root user, because of better security. If the container process is running with root (uid 0) it will be the same root as on the host. In this case user may get access to host from the container, thus gaining the root privilege on the host. This is of course a security concern.

However there can be a case when you need to run a container with root privilege because of permission issues of the volumes on the host.

Solution:

In order to run a container inside a pod with root, add following config:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-app
spec:
  template: 
    spec:
      containers:
      - image: my-image
        name: my-app
        ...
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 0
Enter fullscreen mode Exit fullscreen mode

Now when you enter the 'my-image' container with docker exec or kubectl exec, you will see that the user is root. πŸ™ŒπŸΌ


⭐️ FREE Docker & Kubernetes course ⭐️

I'm happy to connect with you on πŸ™‚

Top comments (14)

Collapse
 
darint00 profile image
darint00

I know everyone always says don't run as ROOT. But what if you are using a database system that has to run as root. It's easy to say "dont do this" but in a situation like this, how do you protect all othe containers/pods from this "crazy" pod that runs processes as root.

Collapse
 
techworld_with_nana profile image
TechWorld with Nana

I have started the article by explicitly stating that this has a security issue. and for more context, I have done this as a quick fix, specifically for Jenkins that was running in a docker container. And if Jenkins job builds and pushes a Docker image, it will need the docker commands. So mounting the docker process into the Jenkins container was a work around I found for this case.

You are more than welcome to suggest SPECIFIC alternative solutions, instead of generally stating it's a bad solution, which I myself already mentioned in the article. Thanks.

Collapse
 
sebastiandg7 profile image
SebastiΓ‘n Duque G • Edited

For other readers: running a container with root privileges is a DEFINITELY NO.

I kind of get you. The reason of why others are pointing this is a super bad practice/anti-pattern is because your post title is "Run Kubernetes Pod with root privileges" (tagged with #tutorial and with a very elaborated and motivational image), that title is more a How-To guide than an advice request. So yes, is important to point this is a bad practice before other more inexperienced devs/devops read it.

You could change your post's purpose asking for recommendations in how to fix your permissions issues, tag it with #help and you will see the difference in the replys.

Collapse
 
techworld_with_nana profile image
TechWorld with Nana

Thanks for pointing this out! I actually will adjust it, because could really be misleading

Thread Thread
 
exadra37 profile image
Paulo Renato

Still contains the tag tutorial.

This kind of article is what promotes bad practices all over the internet.

This just remembers the chmod 777 all around StackOverflow as a way of solving issues.

Thread Thread
 
techworld_with_nana profile image
TechWorld with Nana • Edited

I removed the tag..don't know why it was not saved.

Just archived it. I don't rely on that post anyway.

Collapse
 
exadra37 profile image
Paulo Renato

However there can be a case when you need to run a container with root privilege because of permission issues of the volumes on the host.

Fix the permissions issues, not resort to run as root.

Sorry to tell you but youre article is really BAD ADVICE, specially when coming from a "senior" devops "engineer".

Collapse
 
techworld_with_nana profile image
TechWorld with Nana

see above!

Collapse
 
lariskovski profile image
Larissa

Well, thank you for the work around. <3 I don't understand people saying over and over it's an anti-pattern and then not offering a better solution lol anyway, here's a init container that might work in case of volume issues:

  initContainers:
    - name: fix-ownership
      image: alpine:3.6
      command: ["chown", "-R", "1000:100", "/somedir"]
      volumeMounts:
        - name: data
          mountPath: /somedir
Collapse
 
adam_cyclones profile image
Adam Crockett πŸŒ€

It sounds like more of a security door is wide open than a concern, you don't seem phased, why is this?
Genuine question btw, some security problems sound way worse then they are.

Collapse
 
techworld_with_nana profile image
TechWorld with Nana

see above!

Collapse
 
micousin profile image
Micousin

Thank you very much I have been looking for this solution for a very long time

Collapse
 
techworld_with_nana profile image
TechWorld with Nana

see above!

Collapse
 
aguero profile image
Aguero

Maybe you can create a separate namespace with a policy that only this pod has this. The other part is to do the install required by root and then change to a non-root usage.