docker, kubernetes, microk8s, containerd

Execute command as another user in container using containerd's ctr


I've installed microk8s on Ubuntu to have a simple Kubernetes cluster for test purposes.

I have a use case where I have to execute a command in a container (in a Kubernetes pod) as a user other than the one used to run the container.

Since kubectl does not provide such a possibility, the workaround in a docker environment is to use docker exec -u. But the Kubernetes cluster installed by microk8s does not use docker as the container runtime, only containerd.

I did not find a way to execute a command in a container as another user with containerd's ctr cli (as is possible with docker).

Is there a possibility?


Solution

  • As noted in the comment:

    @buderu I'm afraid this will not be possible with containerd's ctr cli as per this documentation.

    Citing above documentation:

    Mapping from docker cli to crictl

    The exact versions for the mapping table below are docker cli v1.40 and crictl v1.19.0.

    docker cli | crictl | Description                          | Unsupported Features
    -----------|--------|--------------------------------------|------------------------------------
    attach     | attach | Attach to a running container        | --detach-keys, --sig-proxy
    exec       | exec   | Run a command in a running container | --privileged, --user, --detach-keys

    A way to approach the problem would be the following: use crictl exec to run a UID-changing program which in turn runs the desired payload; for example, to run a login bash shell as the user with UID 1000:

    A word about gosu. It's a Go-based setuid+setgid+setgroups+exec program:

    $ gosu
    Usage: ./gosu user-spec command [args]
       eg: ./gosu tianon bash
           ./gosu nobody:root bash -c 'whoami && id'
           ./gosu 1000:1 id
    
    ./gosu version: 1.1 (go1.3.1 on linux/amd64; gc)
    

    You can read more about it by following its GitHub page:

    It's worth noting that the solution above won't work with a generic container.

    The user is required to install the mentioned program by either:

    A side note!

    Using the second option (downloading straight into the container) also requires running:

    • $ chmod +x ./gosu

    Additional notes to consider:
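The answer above relies on gosu to do the UID change that crictl exec cannot. To make clear what such a setuid+setgid+setgroups+exec helper actually has to get right, here is a minimal one written for this page; it is an added illustration, not gosu's code and not part of the original answer. It assumes the same "user[:group]" spec format that gosu's usage text shows (numeric IDs or names), and the function names ParseUserSpec and DropPrivileges are this example's own. The security-relevant detail is the ordering: supplementary groups and the primary group must be set while the process is still privileged, the UID is dropped last, and the result is verified before the payload is exec'd.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"strconv"
	"strings"
	"syscall"
)

// Credentials is the numeric identity a user-spec resolves to.
type Credentials struct {
	UID    int
	GID    int
	Groups []int // supplementary groups to install; empty clears the inherited set
}

// ParseUserSpec resolves "user[:group]" into numeric IDs. Either part may be a
// name (looked up in the passwd/group databases) or a number. With no group
// given, the user's primary and supplementary groups come from the user
// database; a purely numeric user with no passwd entry gets GID equal to its
// UID and no supplementary groups (the behaviour gosu's "1000:1" example relies on).
func ParseUserSpec(spec string) (Credentials, error) {
	if spec == "" {
		return Credentials{}, errors.New("empty user spec")
	}
	parts := strings.SplitN(spec, ":", 2)
	userPart := parts[0]
	hasGroup := len(parts) == 2

	var creds Credentials
	var u *user.User
	if uid, err := strconv.Atoi(userPart); err == nil {
		creds.UID = uid
		u, _ = user.LookupId(userPart) // nil when the UID has no passwd entry
	} else {
		u, err = user.Lookup(userPart)
		if err != nil {
			return Credentials{}, fmt.Errorf("unknown user %q: %w", userPart, err)
		}
		creds.UID, _ = strconv.Atoi(u.Uid)
	}

	switch {
	case hasGroup:
		// An explicit group means exactly that group and no supplementary groups.
		if gid, err := strconv.Atoi(parts[1]); err == nil {
			creds.GID = gid
		} else {
			g, err := user.LookupGroup(parts[1])
			if err != nil {
				return Credentials{}, fmt.Errorf("unknown group %q: %w", parts[1], err)
			}
			creds.GID, _ = strconv.Atoi(g.Gid)
		}
	case u != nil:
		creds.GID, _ = strconv.Atoi(u.Gid)
		ids, err := u.GroupIds()
		if err != nil {
			return Credentials{}, fmt.Errorf("groups of %q: %w", userPart, err)
		}
		for _, id := range ids {
			gid, _ := strconv.Atoi(id)
			creds.Groups = append(creds.Groups, gid)
		}
	default:
		creds.GID = creds.UID
	}
	return creds, nil
}

// DropPrivileges installs creds in the only order that works: supplementary
// groups, then primary group, then UID. Once the UID is unprivileged the group
// calls would fail with EPERM, and skipping setgroups would leave root's
// supplementary groups attached to the payload.
func DropPrivileges(c Credentials) error {
	groups := c.Groups
	if groups == nil {
		groups = []int{} // explicitly clear inherited supplementary groups
	}
	if err := syscall.Setgroups(groups); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(c.GID); err != nil {
		return fmt.Errorf("setgid %d: %w", c.GID, err)
	}
	if err := syscall.Setuid(c.UID); err != nil {
		return fmt.Errorf("setuid %d: %w", c.UID, err)
	}
	// Never trust the syscalls blindly: confirm the identity before exec.
	if syscall.Getuid() != c.UID || syscall.Geteuid() != c.UID || syscall.Getgid() != c.GID {
		return errors.New("identity check after privilege drop failed")
	}
	return nil
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintf(os.Stderr, "usage: %s user-spec command [args...]\n", os.Args[0])
		os.Exit(2)
	}
	creds, err := ParseUserSpec(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := DropPrivileges(creds); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	path, err := exec.LookPath(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Replace this process rather than forking, so the payload keeps PID 1
	// semantics and signal delivery exactly as crictl exec expects.
	if err := syscall.Exec(path, os.Args[2:], os.Environ()); err != nil {
		fmt.Fprintln(os.Stderr, "exec:", err)
		os.Exit(1)
	}
}
```

Built as a static binary and copied into the container, it would be invoked through crictl exec the same way the answer describes for gosu (for instance with the spec 1000:1 followed by the command to run). The identity check after the drop is the part most home-grown wrappers omit; without it a failed setuid would silently run the payload as root.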