The range 1024/10000 means 10,000 values starting with ID 1024, so it specifies the range of IDs from 1024 to 11,023.
87
+
The range 1000/10000 means 10,000 values starting with ID 1000, so it specifies the range of IDs from 1000 to 10,999.
88
88
====
89
89
90
90
. Enable the use of Linux user namespaces by creating a pod configured to run with a `restricted` profile and with the `hostUsers` parameter set to `false`.
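Review bot: the explanation at line 87 now reads `1000/10000`, but the value it explains is not among the changed lines shown here, so confirm that the example range it refers to was also changed from `1024/10000` in this commit. If that example still shows the old range, the sentence and the example will disagree about which IDs are allowed.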
@@ -113,8 +113,8 @@ spec:
113
113
runAsNonRoot: true <2>
114
114
seccompProfile:
115
115
type: RuntimeDefault
116
-
runAsUser: 1024 <3>
117
-
runAsGroup: 1024 <4>
116
+
runAsUser: 1000 <3>
117
+
runAsGroup: 1000 <4>
118
118
hostUsers: false <5>
119
119
120
120
# ...
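Review bot: the descriptions for callouts `<3>` and `<4>` on `runAsUser: 1000` and `runAsGroup: 1000` are not touched by this hunk, so check that they do not still mention `1024`. Since `1000` is now the first ID of the 1000 to 10,999 range described at line 87, it would also help if the callout text said that the value must fall inside that range, so readers do not treat the lower bound as the only valid choice.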
@@ -158,7 +158,7 @@ sh-5.1$ id
158
158
.Example output
159
159
[source,terminal]
160
160
----
161
-
uid=1024(1024) gid=1024(1024) groups=1024(1024)
161
+
uid=1000(1000) gid=1000(1000) groups=1000(1000)
162
162
----
163
163
164
164
.. Display the user ID being used in the container user namespace:
@@ -172,9 +172,9 @@ sh-5.1$ lsns -t user
172
172
[source,terminal]
173
173
----
174
174
NS TYPE NPROCS PID USER COMMAND
175
-
4026532447 user 3 1 1024 /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 1000 <1>
175
+
4026532447 user 3 1 1000 /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 1000 <1>
176
176
----
177
-
<1> The UID for the process is `1024`, the same as you set in the pod spec.
177
+
<1> The UID for the process is `1000`, the same as you set in the pod spec.
178
178
179
179
. Check the pod user ID being used on the node where the pod was created. The node is outside of the Linux user namespace. This user ID should be different from the UID being used in the container.
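Review bot: in the updated `lsns -t user` row the UID `1000` now appears on the same line as the command `/usr/bin/sleep 1000`, so the callout "The UID for the process is `1000`" no longer points unambiguously at one value. Suggest that the callout name the `USER` column explicitly, or that the example use a sleep duration different from the UID, so readers can tell which `1000` came from the pod spec.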