Apply UID/GID defaults from image #3665
Open
+0
−13
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sigv
force-pushed
the
runAsUserNull
branch
2 times, most recently
from
e9847eb
to
9a78b51
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3665 +/- ##
==========================================
+ Coverage 52.32% 52.35% +0.03%
==========================================
Files 61 59 -2
Lines 17502 16880 -622
==========================================
- Hits 9158 8838 -320
+ Misses 8015 7747 -268
+ Partials 329 295 -34 ☔ View full report in Codecov by Sentry. |
sigv
force-pushed
the
runAsUserNull
branch
6 times, most recently
from
a3a1fc0
to
f38706e
Compare
|
Not sure if CI / Smoke Tests (alpine, policies, 1.26.2) failure of internally observed 502 Bad Gateway response is relevant to this PR. 🤔
|
sigv
force-pushed
the
runAsUserNull
branch
12 times, most recently
from
ab538f7
to
67a9b99
Compare
sigv
force-pushed
the
runAsUserNull
branch
4 times, most recently
from
b975e9b
to
5344586
Compare
ADubhlaoich
reviewed
Mar 12, 2024
sigv
force-pushed
the
runAsUserNull
branch
6 times, most recently
from
c917bbe
to
f4b93df
Compare
sigv
force-pushed
the
runAsUserNull
branch
4 times, most recently
from
cd9cb44
to
11dc22e
Compare
sigv
force-pushed
the
runAsUserNull
branch
3 times, most recently
from
d3365a4
to
9f6c98c
Compare
sigv
force-pushed
the
runAsUserNull
branch
3 times, most recently
from
690f861
to
cec777a
Compare
|
Hi @sigv can you create a new issue for this as the one linked in description seems incomplete and WIP, we can then prioritise and review the PR, thanks! |
sigv
force-pushed
the
runAsUserNull
branch
3 times, most recently
from
f3b7352
to
f291fb8
Compare
`build/Dockerfile` specifies `USER 101` for `common` target, which is re-applied into the final images. Helm Chart/Manifests do not need to specify UID explicitly, and can instead use the image's UID. (PodSecurityContext v1 core specifies `runAsUser` defaults to user specified in image metadata if unspecified.) The existing `runAsNonRoot: true` flag (already in place) will ensure during runtime that the image is configured with a custom user ID. This is notably helpful for users running OpenShift, because OpenShift attempts to enforce custom UID/GID ranges for individual namespaces as part of `restricted-v2` Security Context Constraint. When removing hard-coded values from manifests, OpenShift will be able to assign its own UID/GID. In practice, this means a different model of configuring file system permissions. OpenShift assigns the container process GID 0 as supplemental to assist with that. Locations that are expected to be written to must be owned by GID 0, with group write permissions. Previous changes to `main` have ensured that is the case. Init container copying files is not a concern, as we will have the same UID as owner there as the main NIC container. Reference: https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids
github-actions
bot
removed
the
documentation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed changes
build/DockerfilespecifiesUSER 101forcommontarget, which is re-applied into the final images. Helm Chart/Manifests do not need to specify UID explicitly, and can instead use the image's UID. (PodSecurityContext v1 core specifiesrunAsUserdefaults to user specified in image metadata if unspecified.)The existing
runAsNonRoot: trueflag (already in place) will ensure during runtime that the image is configured with a custom user ID.This is notably helpful for users running OpenShift, because OpenShift attempts to enforce custom UID/GID ranges for individual namespaces as part of
restricted-v2Security Context Constraint. When removing hard-coded values from manifests, OpenShift will be able to assign its own UID/GID.In practice, this means a different model of configuring file system permissions. OpenShift assigns the container process GID 0 as supplemental to assist with that. Locations that are expected to be written to must be owned by GID 0, with group write permissions. Previous changes to
mainhave ensured that is the case.Init container copying files is not a concern, as we will have the same UID as owner there as the main NIC container.
Reference: A Guide to OpenShift and UIDs
Closes #5422.
Checklist
Before creating a PR, run through this checklist and mark each as complete.