
I have a Debian box running Kubernetes, where I have ALL my production environment with nearly 50 deployments. My problem is that in one of the pods, which is running the Odoo server as a non-privileged user, some files (not all of them) are being created with the root user as owner.

This is my deployment YAML:

---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  namespace: odoo
  name: app
spec:
  selector:
    matchLabels:
      app: odoo
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: odoo
    spec:
      securityContext:
        fsGroup: 1000
      containers:
      - name: odoo
        image: my-odoo
        command:
        - /docker-entrypoint.sh
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
          name: odoo
        - containerPort: 110
          name: pop3
        - containerPort: 995
          name: pop3s
        - containerPort: 25
          name: smtp
        - containerPort: 993
          name: imaps
        volumeMounts:
        - name: home
          mountPath: /home
        - name: maildir
          mountPath: /var/mail
      volumes:
        - name: maildir
          hostPath:
            path: /mnt/odoo/maildir
        - name: home
          hostPath:
            path: /mnt/odoo/home

In my entrypoint script I run Odoo using supervisord; here is my conf:

[group:odoo]
programs = odoo-web, odoo-monitor, odoo-beat, odoo-worker-default-0, odoo-worker-cdr-1, odoo-worker-notifications-2, odoo-worker-default-notifications-3

[program:odoo-web]
user = odoo
directory = /home/odoo/var/run
command = /home/odoo/bin/odoo-bin --proxy-mode


[program:odoo-worker-default-0]
user = odoo
directory = /home/odoo/var/run
command = /home/odoo/bin/odoo-bin celery worker -l INFO -n default-0@%%h -c4 -Q odoo-10.0.default

[program:odoo-worker-cdr-1]
user = odoo
directory = /home/odoo/var/run
command = /home/odoo/bin/odoo-bin celery worker -l INFO -n cdr-1@%%h -c1 -Q odoo-10.0.cdr

[program:odoo-worker-notifications-2]
user = odoo
directory = /home/odoo/var/run
command = /home/odoo/bin/odoo-bin celery worker -l INFO -n notifications-2@%%h -c2 -Q odoo-10.0.notifications

[program:odoo-worker-default-notifications-3]
user = odoo
directory = /home/odoo/var/run
command = /home/odoo/bin/odoo-bin celery worker -l INFO -n default-notifications-3@%%h -c2 -Q odoo-10.0.default,odoo-10.0.notifications


[program:odoo-beat]
user = odoo
directory = /home/odoo/var/run
command = /home/odoo/bin/odoo-bin celery beat -s /home/odoo/var/celerybeat-schedule

[program:odoo-monitor]
user = odoo
directory = /home/odoo/var/run
command = /home/odoo/bin/odoo-bin celery flower

As you can see, all processes are running as user odoo, which has uid 1000.

My underlying docker file system is overlay2.

Can anyone tell me why I'm getting messed-up ownership on files created by a non-root process?

aafirvida
  • Need more information. Which files are being created as root, and who is creating them? – Tim Hockin Feb 28 '19 at 18:27
  • Files under the Odoo filestore are being created as root. I have had a major improvement this week: I noticed that the user I'm using to run Odoo can do sudo without a password. I have removed that. Now files aren't getting wrong permissions, so it may be a bug in Odoo or in one of its dependencies or in Python itself that permits a common user to become superuser with sudo, if NOPASSWD is specified in the sudoers. – aafirvida Mar 04 '19 at 16:49
  • 1
    You assert that it is running as non-privileged, but you don't set `runAsUser` anywhere, so it's probably still running as root. You can test by `kubectl exec -ti` into your container - run `id` and see what the uid/gid are. – Tim Hockin Mar 05 '19 at 17:26

2 Answers


As user1330614 mentioned in the comments:

I noticed that the user I'm using to run Odoo can do sudo without a password. I have removed that. Now files aren't getting wrong permissions, so it may be a bug in Odoo or in one of its dependencies or in Python itself that permits a common user to become superuser with sudo, if NOPASSWD is specified in the sudoers.

However, Tim Hockin suggested testing the current container user, because:

You asserted that Odoo server pods are running as non-privileged, but you don't set runAsUser anywhere, so they are probably still running as root:

  • kubectl exec -ti into your container
  • run id and see what the uid/gid are.
VAS

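The point of the answer is that `fsGroup` only adjusts group ownership of mounted volumes; it does not change which uid the entrypoint starts as, so without `runAsUser` (and `runAsNonRoot`) the container falls back to the image's `USER`, which is usually root. The following script is an added example, not code from the question or from either answer: it audits a Deployment for exactly those missing fields and for `hostPath` volumes, then shows a hardened `securityContext`. The manifest is embedded as a Python dict mirroring the question's YAML (assumed, so it runs without PyYAML or a cluster); `audit_deployment` and `harden` are hypothetical helper names.

```python
"""Audit a Kubernetes Deployment for the root-uid fallback discussed above.

Constructed example: the dict below mirrors the question's Deployment with
only the fields the audit reads, so the script runs offline.
"""
import copy

# Constructed input: the question's Deployment (pod-level fsGroup, no runAsUser).
QUESTION_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"namespace": "odoo", "name": "app"},
    "spec": {
        "template": {
            "spec": {
                "securityContext": {"fsGroup": 1000},
                "containers": [{"name": "odoo", "image": "my-odoo"}],
                "volumes": [
                    {"name": "maildir", "hostPath": {"path": "/mnt/odoo/maildir"}},
                    {"name": "home", "hostPath": {"path": "/mnt/odoo/home"}},
                ],
            }
        }
    },
}


def effective_security_context(pod_spec, container):
    """Merge pod-level and container-level securityContext: for keys present
    in both, the container-level value wins, as the kubelet applies them."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def audit_deployment(deployment):
    """Return a list of (object name, finding) pairs.

    fsGroup changes the group of volume files only. Without runAsUser the
    container starts as the image's USER (often root), and anything written
    before supervisord drops to the odoo user is root-owned.
    """
    pod_spec = deployment["spec"]["template"]["spec"]
    findings = []
    for container in pod_spec.get("containers", []):
        name = container["name"]
        sc = effective_security_context(pod_spec, container)
        if "runAsUser" not in sc:
            findings.append((name, "runAsUser not set; uid falls back to the image USER"))
        if sc.get("runAsNonRoot") is not True:
            findings.append((name, "runAsNonRoot not true; kubelet will not refuse a root uid"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation not false; setuid binaries like sudo still work"))
    for volume in pod_spec.get("volumes", []):
        if "hostPath" in volume:
            findings.append((volume["name"], "hostPath volume; container root is root on the node's files"))
    return findings


def harden(deployment, uid=1000, gid=1000):
    """Return a deep copy with an explicit non-root pod securityContext and
    allowPrivilegeEscalation disabled on every container. The input is not
    mutated. hostPath volumes are left alone: that is a storage decision."""
    hardened = copy.deepcopy(deployment)
    pod_spec = hardened["spec"]["template"]["spec"]
    pod_spec["securityContext"] = {
        "runAsUser": uid,          # odoo uid from the question
        "runAsGroup": gid,
        "runAsNonRoot": True,      # kubelet refuses to start the pod as uid 0
        "fsGroup": gid,            # keep the existing volume group ownership
    }
    for container in pod_spec.get("containers", []):
        container.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return hardened


if __name__ == "__main__":
    for obj, finding in audit_deployment(QUESTION_DEPLOYMENT):
        print(f"[before] {obj}: {finding}")
    for obj, finding in audit_deployment(harden(QUESTION_DEPLOYMENT)):
        print(f"[after]  {obj}: {finding}")
```

Run as is, the "before" pass reports three findings on the `odoo` container plus one per `hostPath` volume; after `harden` only the two `hostPath` findings remain, which is deliberate: the question's data lives on those paths, and moving it to a PersistentVolumeClaim is a separate change. Note that once the pod runs as uid 1000, supervisord is no longer root and cannot switch to any other user, so its `user = odoo` lines stop doing anything; the uid is now fixed by Kubernetes, which is the property the answer is after.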

Well, I've found a workaround: the user I'm using to run Odoo can do sudo without a password. I have removed that. Now files aren't getting wrong permissions, so it may be a bug in Odoo or in one of its dependencies or in Python itself that permits a common user to become superuser with sudo, if NOPASSWD is specified in the sudoers.

aafirvida