
Run smb-plugin container as a non-root user #970

@monishkm

Description


Is it possible to run the smb-plugin container as a non-root user? Since running containers as non-root is a common compliance and security requirement, I'd like to know if there is support or a recommended approach for this.

I encounter the error below when running with the Pod SecurityContext below for setting a non-root user.

**Configure Pod SecurityContext:**

```yaml
securityContext:
  runAsUser: 1001
  runAsGroup: 1001
  fsGroup: 1001
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
```

**Error:**

```
liveness-probe I0903 10:21:38.256954 1 connection.go:253] "Still connecting" address="unix:///csi/csi.sock"
smb I0903 10:21:31.657847 1 main.go:102] set up prometheus server on :29645
smb I0903 10:21:31.658037 1 smb.go:129]
smb DRIVER INFORMATION:
smb -------------------
smb Build Date: "2024-07-18T12:17:31Z"
smb Compiler: gc
smb Driver Name: smb.csi.k8s.io
smb Driver Version: v1.15.0
smb Git Commit: ""
smb Go Version: go1.22.3
smb Platform: linux/amd64
smb
smb Streaming logs below:
smb I0903 10:21:31.658094 1 mount_linux.go:274] Cannot create temp dir to detect safe 'not mounted' behavior: mkdir /tmp/kubelet-detect-safe-umount1891746712: read-only file system
smb I0903 10:21:31.658112 1 driver.go:93] Enabling controller service capability: CREATE_DELETE_VOLUME
smb I0903 10:21:31.658115 1 driver.go:93] Enabling controller service capability: SINGLE_NODE_MULTI_WRITER
smb I0903 10:21:31.658117 1 driver.go:93] Enabling controller service capability: CLONE_VOLUME
smb I0903 10:21:31.658120 1 driver.go:112] Enabling volume access mode: SINGLE_NODE_WRITER
smb I0903 10:21:31.658123 1 driver.go:112] Enabling volume access mode: SINGLE_NODE_READER_ONLY
smb I0903 10:21:31.658125 1 driver.go:112] Enabling volume access mode: SINGLE_NODE_SINGLE_WRITER
smb I0903 10:21:31.658127 1 driver.go:112] Enabling volume access mode: SINGLE_NODE_MULTI_WRITER
smb I0903 10:21:31.658128 1 driver.go:112] Enabling volume access mode: MULTI_NODE_READER_ONLY
smb I0903 10:21:31.658130 1 driver.go:112] Enabling volume access mode: MULTI_NODE_SINGLE_WRITER
smb I0903 10:21:31.658131 1 driver.go:112] Enabling volume access mode: MULTI_NODE_MULTI_WRITER
smb I0903 10:21:31.658136 1 driver.go:103] Enabling node service capability: STAGE_UNSTAGE_VOLUME
smb I0903 10:21:31.658138 1 driver.go:103] Enabling node service capability: SINGLE_NODE_MULTI_WRITER
smb I0903 10:21:31.658140 1 driver.go:103] Enabling node service capability: VOLUME_MOUNT_GROUP
smb I0903 10:21:31.658143 1 driver.go:103] Enabling node service capability: GET_VOLUME_STATS
smb F0903 10:21:31.658187 1 server.go:83] Failed to remove //csi/csi.sock, error: remove //csi/csi.sock: permission denied
Stream closed EOF for npss/csi-smb-node-2rbd4 (smb)
node-driver-registrar I0903 10:21:28.658492 1 main.go:150] "Version" version="v2.11.1"
node-driver-registrar I0903 10:21:28.658546 1 main.go:151] "Running node-driver-registrar" mode=""
node-driver-registrar I0903 10:21:28.658550 1 main.go:172] "Attempting to open a gRPC connection" csiAddress="/csi/csi.sock"
node-driver-registrar I0903 10:21:38.658676 1 connection.go:253] "Still connecting" address="unix:///csi/csi.sock"
liveness-probe I0903 10:21:48.256830 1 connection.go:253] "Still connecting" address="unix:///csi/csi.sock"
node-driver-registrar I0903 10:21:48.658605 1 connection.go:253] "Still connecting" address="unix:///csi/csi.sock"

I0903 10:21:38.256954 1 connection.go:253] "Still connecting" address="unix:///csi/csi.sock"
I0903 10:21:48.256830 1 connection.go:253] "Still connecting" address="unix:///csi/csi.sock"
I0903 10:21:58.256738 1 connection.go:253] "Still connecting" address="unix:///csi/csi.sock"
I0903 10:22:08.257111 1 connection.go:253] "Still connecting" address="unix:///csi/csi.sock"
```
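The two failures in the log above (the read-only `/tmp` and the `permission denied` on `/csi/csi.sock` under a non-root UID) can be caught before deploy by inspecting the Pod spec. The following checker is an added example, not code from this issue or from the csi-driver-smb project; it reads a Pod object as `kubectl get pod -o json` prints it, and the sample Pod, its volume names and the hostPath path are constructed here to mirror the issue's securityContext.

```python
"""Flag Pod securityContext settings that the log above shows failing: a read-only root
filesystem with no writable /tmp, and a non-root UID writing into a hostPath directory.
Input is a Pod object as returned by `kubectl get pod <name> -o json`."""
import json

def _effective_sc(pod_spec, container):
    # Container-level securityContext fields override the Pod-level ones.
    return {**pod_spec.get("securityContext", {}), **container.get("securityContext", {})}

def check_pod(pod):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    spec = pod.get("spec", {})
    host_vols = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []):
        sc, name = _effective_sc(spec, c), c.get("name", "?")
        mounts = c.get("volumeMounts", [])
        uid = sc.get("runAsUser")
        non_root = bool(sc.get("runAsNonRoot")) or (uid is not None and uid != 0)
        # readOnlyRootFilesystem makes /tmp unwritable unless a volume is mounted there
        # (the "mkdir /tmp/...: read-only file system" line in the log).
        if sc.get("readOnlyRootFilesystem") and not any(
                m.get("mountPath") == "/tmp" for m in mounts):
            findings.append(f"{name}: readOnlyRootFilesystem set but no volume mounted at /tmp")
        # A kubelet-created hostPath plugin directory is normally root-owned, so a non-root
        # UID cannot remove a socket in it (the "remove //csi/csi.sock: permission denied" line).
        if non_root:
            for m in mounts:
                if m.get("name") in host_vols and not m.get("readOnly", False):
                    findings.append(f"{name}: runs as UID {uid} but writes to hostPath mount {m.get('mountPath')}")
    return findings

def with_writable_tmp(pod):
    """Return a copy of the Pod with an emptyDir mounted at /tmp in every container."""
    fixed = json.loads(json.dumps(pod))
    fixed["spec"].setdefault("volumes", []).append({"name": "tmp", "emptyDir": {}})
    for c in fixed["spec"].get("containers", []):
        c.setdefault("volumeMounts", []).append({"name": "tmp", "mountPath": "/tmp"})
    return fixed

# Constructed sample mirroring the issue's securityContext; the hostPath path is assumed.
SAMPLE_POD = json.loads("""{"spec": {
  "securityContext": {"runAsUser": 1001, "runAsGroup": 1001, "fsGroup": 1001},
  "volumes": [{"name": "socket-dir", "hostPath": {"path": "/var/lib/kubelet/plugins/smb.csi.k8s.io"}}],
  "containers": [{"name": "smb",
    "securityContext": {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true},
    "volumeMounts": [{"name": "socket-dir", "mountPath": "/csi"}]}]}}""")

if __name__ == "__main__":
    for f in check_pod(SAMPLE_POD):
        print("finding:", f)
```

Mounting an emptyDir at `/tmp` clears the first finding; the socket-directory finding remains until the hostPath ownership is reconciled with the chosen UID on the node.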


Labels: kind/support
