Run verrazzano-api pod as non root user #967
Conversation
Looks good to me, but I had a couple of questions.
@@ -367,16 +365,16 @@ spec: | |||
items: | |||
- key: startup.sh | |||
path: startup.sh | |||
mode: 0744 | |||
mode: 0755 |
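Review bot: `mode: 0755` on startup.sh grants execute to group and world, while the need described in the discussion is only for uid 101 to run a root-owned script from the ConfigMap mount. Consider whether a pod-level `fsGroup` matching the nginx user's gid would allow `mode: 0750` instead, since the kubelet then sets group ownership on the mounted files; if 0755 is kept, a short comment in the template explaining the root:root ownership of ConfigMap mounts would help the next reader understand why the wider mode is needed.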
Why are we adding execute permission for group+world?
When the config map containing these scripts is mounted at /api-config, everything is owned by root. I tried specifying a securityContext section with runAsUser id 101 (the nginx default user www-data), but still everything mounted is owned by root:root. The www-data user is not a member of the root group but needs to execute the scripts mounted from the config map.
@@ -342,9 +343,6 @@ spec: | |||
labels: | |||
app: {{ .Values.api.name }} | |||
spec: | |||
securityContext: |
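Review bot: only the `securityContext:` line of the deleted block is visible in this hunk (the header shows a net three lines removed), so the run-as-0 settings being dropped cannot be checked here. Rather than deleting the block and relying on the image's default uid 101, consider keeping an explicit `securityContext` with `runAsNonRoot: true` and `runAsUser: 101`, so that a future image change that defaults back to root fails at container start instead of silently running privileged.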
If we delete the "run as user/group 0", what uid/gid does nginx run as?
It runs by default as user id 101, which is www-data:www-data; here is their Dockerfile.
lgtm
Description
Run verrazzano-api pod as non-root user. This required changing the default prefix path to a location that the nginx user has permissions to, and changing the permissions on some of the startup shell scripts, since those are owned by root.
Note: I tried to fix fluentd to not run as root, but from what I can gather, it needs root permission to read /var/log. Found some info here and here.
Partially Fixes VZ-2504
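As an added illustration (not the PR's own manifest), this Deployment fragment shows the non-root configuration the description refers to, plus two additions that are my assumptions rather than part of the PR: `runAsNonRoot: true` as a fail-closed check, and `fsGroup` so the mounted scripts can be `0750` rather than `0755`. The resource names, image tag, port and ConfigMap name are placeholders.

```yaml
# Added example, not the PR's manifest. Runs nginx as uid 101 as the PR
# describes; runAsNonRoot and fsGroup are assumptions that go beyond it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: verrazzano-api            # name taken from the PR title
spec:
  replicas: 1
  selector:
    matchLabels:
      app: verrazzano-api
  template:
    metadata:
      labels:
        app: verrazzano-api
    spec:
      securityContext:
        runAsNonRoot: true        # kubelet refuses to start a container that resolves to uid 0
        runAsUser: 101            # nginx image's unprivileged user, per the PR comments
        runAsGroup: 101
        fsGroup: 101              # kubelet sets group ownership of mounted ConfigMap files to gid 101
      containers:
        - name: api
          image: nginx:1.25       # placeholder tag; the PR does not state the image version
          command: ["/api-config/startup.sh"]   # mount path from the PR comments; entrypoint assumed
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]       # fine only if nginx listens above port 1024 (assumed below)
          ports:
            - containerPort: 8080 # assumed; ports below 1024 would need CAP_NET_BIND_SERVICE
          volumeMounts:
            - name: api-config
              mountPath: /api-config
      volumes:
        - name: api-config
          configMap:
            name: verrazzano-api-config   # assumed ConfigMap name
            items:
              - key: startup.sh
                path: startup.sh
                mode: 0750        # owner+group exec only; group is fsGroup 101, so uid 101 can run it
```

With `fsGroup` set, the files land as root:101, so group execute is enough and the world-execute bit from the PR's `0755` is not needed.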