minikube + none driver permission issue

Created on 11 Dec 2017 · 6 Comments · Source: kubernetes/minikube

FEATURE REQUEST

Environment:

Minikube version (use minikube version): v0.24.1

  • OS (e.g. from /etc/os-release): ubuntu 17.10 (Artful Aardvark) VM
  • VM Driver (e.g. cat ~/.minikube/machines/minikube/config.json | grep DriverName): none driver
  • ISO version (e.g. cat ~/.minikube/machines/minikube/config.json | grep -i ISO or minikube ssh cat /etc/VERSION):
  • Install tools: curl
  • Others:

What happened:
https://github.com/kubernetes/minikube
recommends choosing the none driver for minikube if running on a Linux VM. This is good and reasonable, but there are a few issues in the above guideline.
1) For consistency, assume the minikube/kubectl/localkube binaries are located at /usr/local/bin, but minikube/kubectl are downloaded to the current folder and localkube goes to /usr/local/bin.

2) If you run "minikube start --vm-driver=none" directly, you will get permission denied:
E1211 12:05:55.387171 8520 start.go:223] Error updating cluster: error creating file at /usr/local/bin/localkube: open /usr/local/bin/localkube: permission denied

3) If you run "sudo -E minikube start --vm-driver=none", then localkube runs as root:
WARNING: IT IS RECOMMENDED NOT TO RUN THE NONE DRIVER ON PERSONAL WORKSTATIONS
The 'none' driver will run an insecure kubernetes apiserver as root that may leave the host vulnerable to CSRF attacks

What you expected to happen:
Run minikube+localkube as a normal user.

1) Why not move minikube and kubectl to /usr/local/bin as well?

curl -Lo minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin

curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin

2) localkube owner changed from root to a normal user after minikube start; this seems to work fine.

I put all the steps in a small script; cleaning up and doing a fresh install of the minikube none driver takes just a few minutes.

How to reproduce it (as minimally and precisely as possible):
Follow https://github.com/kubernetes/minikube

Output of minikube logs (if applicable):

Anything else we need to know:

All 6 comments

Localkube needs root permissions to run. Closing this

@r2d4 is there any official document mentioning that localkube has to be root? What is the design reason behind it? localkube just launches all the k8s services running on Linux, and it seems to run well as a normal user?

Thanks.

BR/
Robert

Localkube runs all the kubernetes components, but this means that it has to run containers, generate certs, etc. This follows the design that kubernetes is intended to run as root.

But why does it need root? Shouldn't a user that can run containers and write to ~/.minikube be enough?

Localkube runs all the kubernetes components, but this means that it has to run containers, generate certs, etc.

Generating certificates is easily done as normal user.
Running containers is allowed by Docker itself to be done as normal user, via group: https://docs.docker.com/install/linux/linux-postinstall/

Not that adding sudo at the beginning is that big of an issue for me, but it is an issue for _some_ and there seems to be no technical reason to require it.
