Have a look at 
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

You can assign a securityContext for the pod as such:

securityContext:
  fsGroup: 1000




On Thursday, May 23, 2019 at 7:27:07 PM UTC-4, Quang Truong wrote:
>
> Hi,
>
> I have started working with k8s and my working environment is on-prem, so I 
> am trying to build on-prem k8s via kubeadm and the Calico CNI:
>
>
> http://www.centinosystems.com/blog/sql/getting-started-with-kubernetes-on-prem/
> https://docs.projectcalico.org/v3.7/getting-started/kubernetes/
>
> I tried to configure the service account for the k8s plugin and ran a simple 
> test, but I'm not sure which part I have done wrong. On the 1st run (when the 
> image is first downloaded to the cluster) the jnlp pod uses the jenkins user:
>
> + id
> uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
> + ls -lh /home/jenkins
> total 8
> drwxr-sr-x    2 jenkins  jenkins     4.0K Apr 29 11:54 agent
> drwxr-xr-x    3 jenkins  jenkins     4.0K May 23 22:45 workspace
>
>
> But from the second run, when the image is already on the machine, the pod 
> runs as the root user:
>
> + id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
> + ls -lh /home/jenkins
> total 8
> drwxr-sr-x 2 jenkins jenkins 4.0K Apr 29 11:54 agent
> drwxr-xr-x 3 root root 4.0K May 23 22:45 workspace
>
>
> Here is the pod describe output:
>
> Name:               builder-0322cb0d-37be-438d-949c-fce0149039e5-5c743-2830b
> Namespace:          default
> Priority:           0
> PriorityClassName:  <none>
> Node:               <my_node_name>/<my_node_IP>
> Start Time:         Thu, 23 May 2019 16:18:00 -0700
> Labels:             jenkins=slave
>                     jenkins/builder-0322cb0d-37be-438d-949c-fce0149039e5=true
> Annotations:        buildUrl: <my_jenkins_build_url>
>                     cni.projectcalico.org/podIP: 192.168.243.226/32
> Status:             Running
> IP:                 192.168.243.226
> Containers:
>   jnlp:
>     Container ID:   docker://325602117ce4b0df6ef1d73e44ed7426251a0ea801990c065bce993e9af25cb4
>     Image:          jenkins/jnlp-slave:alpine
>     Image ID:       docker-pullable://jenkins/jnlp-slave@sha256:3c4227433a1bbd070b250d491bdee1696e6c163cff8a470df9c848da94306693
>     Port:           <none>
>     Host Port:      <none>
>     State:          Running
>       Started:      Thu, 23 May 2019 16:18:02 -0700
>     Ready:          True
>     Restart Count:  0
>     Environment:
>       JENKINS_SECRET:      <*my_jenkins_secret*>
>       JENKINS_AGENT_NAME:  builder-0322cb0d-37be-438d-949c-fce0149039e5-5c743-2830b
>       JENKINS_NAME:        builder-0322cb0d-37be-438d-949c-fce0149039e5-5c743-2830b
>       JENKINS_URL:         <my_jenkins_url>
>       HOME:                /home/jenkins
>     Mounts:
>       /home/jenkins from workspace-volume (rw)
>       /var/run/secrets/kubernetes.io/serviceaccount from default-token-tmzcc (ro)
> Conditions:
>   Type              Status
>   Initialized       True
>   Ready             True
>   ContainersReady   True
>   PodScheduled      True
> Volumes:
>   workspace-volume:
>     Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
>     Medium:
>     SizeLimit:  <unset>
>   default-token-tmzcc:
>     Type:        Secret (a volume populated by a Secret)
>     SecretName:  default-token-tmzcc
>     Optional:    false
> QoS Class:       BestEffort
> Node-Selectors:  <none>
> Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
>                  node.kubernetes.io/unreachable:NoExecute for 300s
> Events:
>   Type    Reason     Age   From               Message
>   ----    ------     ----  ----               -------
>   Normal  Scheduled  30s   default-scheduler  Successfully assigned default/builder-0322cb0d-37be-438d-949c-fce0149039e5-5c743-2830b to <>
>   Normal  Pulled     28s   kubelet, ubuntu    Container image "jenkins/jnlp-slave:alpine" already present on machine
>   Normal  Created    28s   kubelet, ubuntu    Created container jnlp
>   Normal  Started    28s   kubelet, ubuntu    Started container jnlp
>
>
>
>
> I'm not sure where the problem is, in my k8s cluster or in the configuration 
> for the Jenkins connection. What should the troubleshooting steps be?
>
> Any comments would be helpful; I much appreciate you reading my issue.
>
> Thanks,
> Quang
>
>
>
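
An added example (not from either message above, and not Jenkins or Kubernetes project code): a small Python check that reads a pod spec in the shape of `kubectl get pod -o json`, reports whether its containers can end up running as root, and then applies a pod-level securityContext like the one suggested in the reply. The sample pod is constructed from the describe output above; `runAsUser` and `runAsNonRoot` are Kubernetes securityContext fields that go beyond the `fsGroup` setting in the reply, and the helper names are hypothetical.

```python
import json

# Constructed sample: the shape of `kubectl get pod -o json`, modeled on the
# jnlp pod described in this thread (no securityContext set anywhere).
SAMPLE_POD = json.loads("""
{"spec": {
  "containers": [{"name": "jnlp", "image": "jenkins/jnlp-slave:alpine"}],
  "volumes": [{"name": "workspace-volume", "emptyDir": {}}]
}}
""")


def effective(pod_sc, ctr_sc, key):
    """Container-level securityContext fields override pod-level ones."""
    return ctr_sc.get(key, pod_sc.get(key))


def audit_pod(pod):
    """Return findings about which user the pod's containers may run as."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for ctr in spec.get("containers", []):
        ctr_sc = ctr.get("securityContext") or {}
        uid = effective(pod_sc, ctr_sc, "runAsUser")
        non_root = effective(pod_sc, ctr_sc, "runAsNonRoot")
        if uid == 0:
            findings.append(f"{ctr['name']}: runAsUser is 0 (root)")
        elif uid is None and not non_root:
            findings.append(f"{ctr['name']}: no runAsUser/runAsNonRoot, "
                            "UID is whatever the image defaults to")
    # fsGroup exists only at pod level; it sets group ownership of volumes
    # such as emptyDir so a non-root user can write to them.
    if "fsGroup" not in pod_sc and any("emptyDir" in v for v in spec.get("volumes", [])):
        findings.append("pod: emptyDir volume without fsGroup")
    return findings


def harden(pod, uid=1000, gid=1000):
    """Return a copy with a pod-level securityContext (1000 = jenkins here)."""
    fixed = json.loads(json.dumps(pod))
    fixed["spec"]["securityContext"] = {
        "runAsUser": uid, "runAsNonRoot": True, "fsGroup": gid}
    return fixed


if __name__ == "__main__":
    print(audit_pod(SAMPLE_POD))
    print(audit_pod(harden(SAMPLE_POD)))
```
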
