Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Containers are running as root #53

Closed
vyusufcan opened this issue Sep 24, 2019 · 5 comments
Closed

Containers are running as root #53

vyusufcan opened this issue Sep 24, 2019 · 5 comments
Labels
bug Something isn't working

Comments

@vyusufcan
Copy link




Describe the bug
I get a warning even though the containers dont run as root user.

My Dockerfile

FROM microsoft/dotnet:2.1-sdk
WORKDIR /build_dir
COPY . .

RUN dotnet restore /build_dir/src/Banners/Banners.csproj
RUN dotnet restore /build_dir/tests/Banners.IntegrationTests/Banners.IntegrationTests.csproj
RUN dotnet restore /build_dir/tests/Banners.UnitTests/Banners.UnitTests.csproj
RUN dotnet build /build_dir/src/Banners/Banners.csproj
RUN dotnet test /build_dir/tests/Banners.UnitTests/Banners.UnitTests.csproj
RUN dotnet publish /build_dir/src/Banners/Banners.csproj -o /publish

WORKDIR /publish

RUN groupadd -r storefront && useradd -r -g storefront storefront
RUN chown -R storefront:storefront /build_dir
USER storefront

ENTRYPOINT ["dotnet", "Banners.dll"]

Deployment.yaml

And I added this block on my deployment.yaml

securityContext:
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
allowPrivilegeEscalation: false

Versions:

  • Popeye 0.4.3
  • K8s 1.12.2

What am I doing wrong? Thanks for your help.
@derailed derailed added the bug Something isn't working label Sep 27, 2019
@derailed
Copy link
Owner

@vcan92 Thank you for your report! I'll take a look...

@djablonski-moia
Copy link
Contributor

Hi @vcan92!

You probably added the securityContext / runAsNonRoot on container level. This is okay, but it does not prevent running other containers in the pod as root, and is therefore not sufficient to satisfy the sanitizer.
I've had the same problem, and there is already a fix for the wording of the message that's merged (but not yet released), which should make it more clear that this check does not actually check if the container runs as root, but it potentially could.
To fix this all the way (and if no other containers in your pods might require root), you could move the runAsNonRootsetting to pos level, where a securityContext is also applicable. This enforces the rule for all containers, and also satisfies the sanitizer.

@derailed
Copy link
Owner

@djablonski-moia Thank you for your help on this issue!! You are correct! I'll push a new release soon to correct the wording.

@johanfleury
Copy link

I'm not sure I understand. Do you mean that containers could be running as root with the following securityContext set at the pod level?

securityContext:
  runAsUser: 65534
  runAsGroup: 65534
  fsGroup: 65534

@derailed
Copy link
Owner

derailed commented Jan 8, 2020

@vcan92 @johanfleury @djablonski-moia Think there was indeed an issue with the pod security sanitizer. Think is fixed in 0.6.1!

@johanfleury I think @djablonski-moia is talking about setting the security context at the container level vs the pod. If you set it at the pod level then all containers will inherit their contexts from the pod and the kubelet with start the container(s) in that context.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@derailed @johanfleury @vyusufcan @djablonski-moia