
OpenShift: accessing a mounted filesystem as a non-root user

  •  0
  • cogitoergosum  · 5 years ago

    I want to run Chart Museum as a non-root user in OpenShift. Here is a snapshot of my YAML.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: chart-museum
      namespace: demo
    spec:
      selector:
        matchLabels:
          app: chart-museum
      replicas: 1
      template:
        metadata:
          labels:
            app: chart-museum
        spec:
          volumes:
            - name: pvc-charts
              persistentVolumeClaim:
                claimName: pvc-charts      
          containers:
            - name: chart-museum
              securityContext:
                fsGroup: 1000
              image: chartmuseum/chartmuseum:latest
              ports:
                - containerPort: 8080
              envFrom:
                - configMapRef:
                    name: chart-museum
              volumeMounts:
                - name: pvc-charts
                  mountPath: "/charts"
    

    As you can see, I have set spec.containers.securityContext.fsGroup to 1000, which is the same as the Chart Museum user ID in the Dockerfile:

    FROM alpine:3.10.3
    RUN apk add --no-cache cifs-utils ca-certificates \
        && adduser -D -u 1000 chartmuseum
    COPY bin/linux/amd64/chartmuseum /chartmuseum
    USER 1000
    ENTRYPOINT ["/chartmuseum"]
    

    But when I try to upload a chart, it fails on /charts. How do I solve this?

        1
  •  0
  •   Rafał Leszko    5 years ago

    It is related to Kubernetes and how the given persistent volume is defined. You can check the related GH issue.

        2
  •  0
  •   Will R.O.F.    5 years ago

    Add chmod/chown lines in the Dockerfile:

    FROM alpine:3.10.3
    RUN apk add --no-cache cifs-utils ca-certificates \
        && adduser -D -u 1000 chartmuseum
    COPY bin/linux/amd64/chartmuseum /chartmuseum
    RUN chmod +xr /chartmuseum
    RUN chown 1000:1000 /chartmuseum
    USER 1000
    ENTRYPOINT ["/chartmuseum"]
    

    And, to make sure the user and group are enforced:

          containers:
            - name: chart-museum
              securityContext:
                runAsUser: 1000
                runAsGroup: 1000
                fsGroup: 1000
    
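An added example (not code from the question or any of the answers) that models the permission check behind this thread: whether a process with a given uid, primary gid and supplementary groups can write to the mounted /charts directory, using constructed ownership and mode values; the names `in_groups`, `can_write`, `show` and `demo` are mine.

```shell
#!/bin/sh
# Added example (not from the question or the answers): a POSIX-sh model of
# the kernel's discretionary access check for "can this process write to
# /charts?". fsGroup: 1000 only helps when the kubelet could chgrp the volume
# to 1000 with group write, AND the process carries gid 1000 (primary via
# runAsGroup, or supplementary via fsGroup). Inside the pod, `id` and
# `ls -ld /charts` show the two sides of this check.

# in_groups GID "g1,g2,..." -> 0 if GID is in the comma-separated list
in_groups() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# can_write OWNER_UID OWNER_GID MODE UID GID SUPP_GROUPS
#   MODE is octal (e.g. 0755); SUPP_GROUPS may be an empty string.
# Prints yes/no and returns 0/1.
can_write() {
    owner_uid=$1; owner_gid=$2; mode=$3; uid=$4; gid=$5; supp=$6
    if [ "$uid" -eq 0 ]; then
        echo yes; return 0              # root with CAP_DAC_OVERRIDE bypasses DAC
    elif [ "$uid" -eq "$owner_uid" ]; then
        bits=$(( (0$mode >> 6) & 7 ))   # owner triple
    elif [ "$gid" -eq "$owner_gid" ] || in_groups "$owner_gid" "$supp"; then
        bits=$(( (0$mode >> 3) & 7 ))   # group triple
    else
        bits=$(( 0$mode & 7 ))          # other triple
    fi
    if [ $(( bits & 2 )) -ne 0 ]; then echo yes; return 0; fi
    echo no; return 1
}

# show LABEL OWNER_UID OWNER_GID MODE UID GID SUPP_GROUPS: print one scenario
show() { printf '%-44s' "$1"; shift; can_write "$@" || :; }

# Constructed scenarios for the thread's situation (the image runs as uid 1000)
demo() {
    show 'volume ignores fsGroup (root:root 0755):'   0 0    0755 1000 1000 ""
    show 'fsGroup applied, runAsGroup 1000:'          0 1000 0775 1000 1000 ""
    show 'fsGroup applied, supplementary gid only:'   0 1000 0775 1000 0    "1000"
}
demo
```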
        3
  •  0
  •   cogitoergosum    5 years ago

    This is how I solved the problem.

    1. Download the binary: curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum
    2. chmod +xr chartmuseum
    3. Create a new Dockerfile as shown below. Basically, use the user name instead of the ID and chown to the chartmuseum user rather than root.
    FROM alpine:3.10.3
    RUN apk add --no-cache cifs-utils ca-certificates \
        && adduser -D -u 1000 chartmuseum
    COPY chartmuseum /chartmuseum
    RUN chown chartmuseum:chartmuseum /chartmuseum
    # /charts does not exist in the base image; create it before chown
    RUN mkdir -p /charts && chown chartmuseum:chartmuseum /charts
    USER chartmuseum
    ENTRYPOINT ["/chartmuseum"]
    
    4. Build and push the resulting Docker image, e.g. to somerepo/chartmuseum:0.0.0.
    5. Deploy the manifests below. Note that creating the PersistentVolumeClaim is not included here.
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: chart-museum
      namespace: demo
    data:
      DEBUG: 'true'
      STORAGE: local
      STORAGE_LOCAL_ROOTDIR: "/charts"
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: chart-museum
      namespace: demo
    spec:
      selector:
        matchLabels:
          app: chart-museum
      replicas: 1
      template:
        metadata:
          labels:
            app: chart-museum
        spec:
          volumes:
            - name: pvc-charts
              persistentVolumeClaim:
                  claimName: pvc-charts
          containers:
            - name: chart-museum
              image: somerepo/chartmuseum:0.0.0
              imagePullPolicy: Always
              ports:
                - containerPort: 8080
              envFrom:
                - configMapRef:
                    name: chart-museum
              volumeMounts:
                - mountPath: "/charts"
                  name: pvc-charts
              resources:
                limits:
                  memory: "128Mi"
                  cpu: "500m"
          imagePullSecrets:
            - name: us.icr.io.secret
    ---              
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: chart-museum
      name: chart-museum
      namespace: demo
    spec:
      type: ClusterIP
      ports:
        - name: 8080-tcp
          port: 8080
          protocol: TCP
          targetPort: 8080
      selector:
        app: chart-museum
    ---
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      labels:
        app: chart-museum
      name: chart-museum
      namespace: demo
    spec:
      port:
        targetPort: 8080-tcp
      tls:
        insecureEdgeTerminationPolicy: Redirect
        termination: edge
      to:
        kind: Service
        name: chart-museum
    

    The ConfigMap object supplies the environment variables, and the persistent volume takes the place of the volume mount, from the docker run example at https://chartmuseum.com/ :

     docker run --rm -it \
      -p 8080:8080 \
      -v $(pwd)/charts:/charts \
      -e DEBUG=true \
      -e STORAGE=local \
      -e STORAGE_LOCAL_ROOTDIR=/charts \
      chartmuseum/chartmuseum:latest
    

    The Service and Route in the manifest expose the repo to the outside world.

    6. Take the HOST/PORT value from oc get route/chart-museum -n demo, enter it with https in the address bar and press Enter. You should see the Chart Museum welcome page. This means the installation was successful.