UID/GID Assignment

In Kubernetes, each Pod runs with a specific User ID (UID) and Group ID (GID) to ensure security and proper access control. By default, Pods may run as the root user (UID 0), which can pose security risks. To enhance security, it's recommended to assign non-root UIDs and GIDs to Pods.

ACP can automatically assign a namespace a specific UID and GID range so that every Pod in the namespace runs with user and group IDs taken from that range.


Enable UID/GID Assignment

To enable UID/GID assignment for a namespace, follow these steps:

  1. Enter Project Management.
  2. In the left navigation bar, click Namespace.
  3. Click on the target namespace.
  4. Click Actions > Update Pod Security Policy.
  5. Change the Enforce option value to Restricted, click Update.
  6. Click the edit icon next to Labels, add a label with key security.cpaas.io/enabled and value true, then click Update. (To disable, remove this label or set the value to false.)
  7. Click Save.

Verify UID/GID Assignment

The UID/GID Range

In the namespace details page, you can view the assigned UID and GID ranges in the Annotations.

The security.cpaas.io/uid-range annotation specifies the range of UIDs/GIDs that can be assigned to Pods in the namespace. For example, security.cpaas.io/uid-range=1000002000-1000011999 means the UID/GID range is from 1000002000 to 1000011999.

Verify the Pod UID/GID

If the Pod does not specify runAsUser and fsGroup in its securityContext, the platform automatically assigns the first value of the assigned UID range to both.

  1. Create a Pod in the namespace with the following YAML configuration:

    apiVersion: v1
    kind: Pod
    metadata:
      name: uid-gid-test-pod
    spec:
      containers:
      - name: test-container
        image: busybox
        command: ["sleep", "3600"]
  2. After the Pod is created, get the Pod yaml to check the assigned UID and GID:

    kubectl get pod uid-gid-test-pod -n <namespace-name> -o yaml

     The Pod YAML will show the assigned UID and GID in the securityContext section:

    apiVersion: v1
    kind: Pod
    metadata:
      name: uid-gid-test-pod
    spec:
      containers:
      - name: test-container
        image: busybox
        command: ["sleep", "3600"]
        securityContext:
          runAsUser: 1000000
      securityContext:
        fsGroup: 1000000

If the Pod specifies runAsUser and fsGroup in its securityContext, the platform validates that the specified UID/GID fall within the assigned range. If they do not, Pod creation fails.

  1. Create a Pod in the namespace with the following YAML configuration:

    apiVersion: v1
    kind: Pod
    metadata:
      name: uid-gid-test-pod-invalid
    spec:
      containers:
      - name: test-container
        image: busybox
        command: ["sleep", "3600"]
        securityContext:
          runAsUser: 2000000  # Invalid UID, outside the assigned range
      securityContext:
        fsGroup: 2000000  # Invalid GID, outside the assigned range
  2. After applying the YAML, the Pod creation will fail with an error message indicating that the specified UID/GID are outside the assigned range.
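The two behaviours described above (filling in the first value of the range when a Pod sets nothing, and rejecting a Pod whose runAsUser/fsGroup fall outside the range) can be reproduced offline to pre-check manifests before applying them. The following Python script is an added example, not ACP's own admission logic: it parses the security.cpaas.io/uid-range annotation value from this page, then checks or defaults a Pod manifest the way the text describes. The two sample Pods are constructed from the YAML above, and the exact field names the platform mutates (container-level runAsUser, Pod-level fsGroup) are taken from the output shown in "Verify the Pod UID/GID"; checking runAsGroup as well is an assumption made here for completeness.

```python
"""Pre-check Pod manifests against a namespace UID/GID range (added example)."""
import copy
from typing import Dict, List, Tuple

UID_RANGE_ANNOTATION = "security.cpaas.io/uid-range"

# Constructed namespace annotations, using the example value from the page.
NAMESPACE_ANNOTATIONS = {UID_RANGE_ANNOTATION: "1000002000-1000011999"}

# Constructed Pod without any securityContext (the "auto-assign" case).
VALID_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "uid-gid-test-pod"},
    "spec": {"containers": [
        {"name": "test-container", "image": "busybox", "command": ["sleep", "3600"]}]},
}

# Constructed Pod with IDs outside the range (the "rejected" case).
INVALID_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "uid-gid-test-pod-invalid"},
    "spec": {
        "containers": [{"name": "test-container", "image": "busybox",
                        "command": ["sleep", "3600"],
                        "securityContext": {"runAsUser": 2000000}}],
        "securityContext": {"fsGroup": 2000000},
    },
}


def parse_uid_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into an inclusive (low, high) pair; reject malformed input."""
    low_s, sep, high_s = value.strip().partition("-")
    if sep != "-" or not (low_s.isdigit() and high_s.isdigit()):
        raise ValueError(f"malformed {UID_RANGE_ANNOTATION} value: {value!r}")
    low, high = int(low_s), int(high_s)
    if low > high:
        raise ValueError(f"inverted range in {UID_RANGE_ANNOTATION}: {value!r}")
    return low, high


def check_pod(pod: Dict, uid_range: Tuple[int, int]) -> List[str]:
    """Return a list of violations; an empty list means the Pod fits the range."""
    low, high = uid_range
    problems: List[str] = []
    spec = pod.get("spec", {})

    # Pod-level securityContext: fsGroup is what the platform validates per the
    # page; runAsUser/runAsGroup are checked here as well (assumption).
    pod_sc = spec.get("securityContext") or {}
    for field in ("runAsUser", "runAsGroup", "fsGroup"):
        val = pod_sc.get(field)
        if val is not None and not low <= val <= high:
            problems.append(f"spec.securityContext.{field}={val} outside {low}-{high}")

    # Container-level securityContext (init containers included, assumption).
    for kind in ("initContainers", "containers"):
        for ctr in spec.get(kind, []):
            ctr_sc = ctr.get("securityContext") or {}
            for field in ("runAsUser", "runAsGroup"):
                val = ctr_sc.get(field)
                if val is not None and not low <= val <= high:
                    problems.append(
                        f"spec.{kind}[{ctr.get('name')}].securityContext.{field}={val} "
                        f"outside {low}-{high}")
    return problems


def apply_defaults(pod: Dict, uid_range: Tuple[int, int]) -> Dict:
    """Return a copy with the first value of the range filled in where the Pod
    sets nothing: runAsUser on each container, fsGroup on the Pod, as shown in
    the page's output YAML. Existing values are left untouched."""
    low, _ = uid_range
    out = copy.deepcopy(pod)
    spec = out.setdefault("spec", {})
    spec.setdefault("securityContext", {}).setdefault("fsGroup", low)
    for ctr in spec.get("containers", []):
        ctr.setdefault("securityContext", {}).setdefault("runAsUser", low)
    return out


if __name__ == "__main__":
    rng = parse_uid_range(NAMESPACE_ANNOTATIONS[UID_RANGE_ANNOTATION])
    for pod in (VALID_POD, INVALID_POD):
        name = pod["metadata"]["name"]
        issues = check_pod(pod, rng)
        print(name, "OK" if not issues else "REJECTED")
        for issue in issues:
            print("  -", issue)
    print(apply_defaults(VALID_POD, rng)["spec"]["securityContext"])
```

To run the same check against a live namespace, the range can be read with `kubectl get ns <namespace-name> -o jsonpath='{.metadata.annotations.security\.cpaas\.io/uid-range}'` and fed to `parse_uid_range`; the manifest check is only a pre-flight aid, and the platform's own validation at admission time remains authoritative.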