Kubernetes runAsNonRoot incompatibility with run-user: _daemon_ #659

Open
berkayoz opened this issue Aug 1, 2024 · 0 comments

Comments

@berkayoz
Member

berkayoz commented Aug 1, 2024

Bug Description

Some deployments are setting runAsNonRoot: true for the pod security context, which prevents a container from running as root. To possibly address this we've set run-user: _daemon_; however, Kubernetes checks uid/gid numerically and complains about the _daemon_ user.

You can find the Kubernetes implementation here.

As a workaround we have to set securityContext.runAsUser=584792 manually on manifests, which hurts the drop-in image replacement story. Could we possibly set a numeric UID as the OCI user by default?

Your help is much appreciated, many thanks!

To Reproduce

Deploy a Pod that uses a rock with the securityContext set as follows:

spec:
  securityContext:
    runAsNonRoot: true

You can also check out our cert-manager tests to verify it in a real-world example.

Environment

Ubuntu 24.04

rockcraft.yaml

name: cert-manager-controller
summary: ROCK for the cert-manager-controller Project.
description: |
  This ROCK is a drop-in replacement for the autoscaling/cert-manager-controller image.
version: "1.12.2"
license: Apache-2.0

base: bare
build-base: [email protected]
platforms:
  amd64:
  arm64:

run-user: _daemon_
entrypoint-service: cert-manager-controller
services:
  cert-manager-controller:
    override: replace
    summary: "cert-manager-controller service"
    startup: enabled
    command: "/controller-linux [ -h ]"
    on-failure: shutdown

parts:
  cert-manager-controller:
    plugin: nil
    source: https://github.com/cert-manager/cert-manager.git
    source-type: git
    source-tag: v1.12.2
    source-depth: 1
    build-snaps:
      - jq
      - go/1.22/stable
    override-build: |
      # CTR=echo is hacky way of passing docker check not required for build
      make CTR=echo _bin/server/controller-linux-${CRAFT_PLATFORM}
      cp _bin/server/controller-linux-${CRAFT_PLATFORM} ${CRAFT_PART_INSTALL}/controller-linux
    prime:
      - controller-linux

Relevant log output

Error: container has runAsNonRoot and image has non-numeric user (_daemon_), cannot verify user is non-root
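The Go program below is an added example; it is not code from this issue, from rockcraft, or from Kubernetes. It reproduces, from my reading of the kubelet's verifyRunAsNonRoot check and of how a CRI runtime reports an image's USER, the decision that yields the error above. The type and function names (ParseImageUser, VerifyRunAsNonRoot, the Err* values) are mine, and the claim that a runtime takes the part before the colon of "uid:gid" and that the kubelet treats a missing USER as uid 0 are assumptions stated in the comments. It shows why an image whose OCI User is the string _daemon_ is rejected, why a numeric USER or a manifest-side runAsUser passes, and that an image with no USER at all is rejected too.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ImageUser models what a CRI runtime reports for an image's configured USER:
// a numeric uid when the OCI config's User parses as an integer, otherwise the
// raw username. (Assumption: mirrors containerd's CRI plugin behaviour.)
type ImageUser struct {
	UID      *int64
	Username string
}

// ParseImageUser reproduces the runtime-side split of the OCI User field.
// "uid[:gid]" yields a numeric uid; anything else is passed through as a
// username. An empty field is reported as uid 0 because the kubelet treats an
// image without USER as running as root (assumption, per its getImageUser).
func ParseImageUser(userField string) ImageUser {
	user := strings.SplitN(userField, ":", 2)[0]
	if user == "" {
		root := int64(0)
		return ImageUser{UID: &root}
	}
	if uid, err := strconv.ParseInt(user, 10, 64); err == nil {
		return ImageUser{UID: &uid}
	}
	return ImageUser{Username: user}
}

// SecurityContext holds the two effective fields the kubelet looks at.
type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

var (
	ErrRunAsUserRoot  = errors.New("container's runAsUser breaks non-root policy")
	ErrImageRoot      = errors.New("container has runAsNonRoot and image will run as root")
	ErrNonNumericUser = errors.New("container has runAsNonRoot and image has non-numeric user, cannot verify user is non-root")
)

// VerifyRunAsNonRoot is the decision made before the container is created.
// Order matters: an explicit, non-zero runAsUser short-circuits the image
// check, which is why setting runAsUser=584792 in the manifest works even
// though the image still carries the non-numeric user _daemon_.
func VerifyRunAsNonRoot(sc SecurityContext, img ImageUser) error {
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		return nil // policy not requested: nothing to verify
	}
	if sc.RunAsUser != nil {
		if *sc.RunAsUser == 0 {
			return ErrRunAsUserRoot
		}
		return nil
	}
	switch {
	case img.UID != nil && *img.UID == 0:
		return ErrImageRoot
	case img.UID == nil && img.Username != "":
		// Only a numeric uid can be proven non-root; a name cannot be resolved
		// without the image's /etc/passwd, so the kubelet refuses to guess.
		return fmt.Errorf("%w (%s)", ErrNonNumericUser, img.Username)
	default:
		return nil
	}
}

func main() {
	nonRoot := true
	daemonUID := int64(584792) // rockcraft's _daemon_ uid, as given in the issue
	cases := []struct {
		name string
		sc   SecurityContext
		user string
	}{
		{"rock with run-user _daemon_, no runAsUser", SecurityContext{RunAsNonRoot: &nonRoot}, "_daemon_"},
		{"same rock, manifest sets runAsUser 584792", SecurityContext{RunAsNonRoot: &nonRoot, RunAsUser: &daemonUID}, "_daemon_"},
		{"rock whose OCI User is numeric 584792:584792", SecurityContext{RunAsNonRoot: &nonRoot}, "584792:584792"},
		{"image with no USER at all", SecurityContext{RunAsNonRoot: &nonRoot}, ""},
	}
	for _, c := range cases {
		fmt.Printf("%-48s -> %v\n", c.name, VerifyRunAsNonRoot(c.sc, ParseImageUser(c.user)))
	}
}
```

Running it prints one line per case; the first reproduces the failure in the log above, the second is the manifest-side workaround from the issue, and the third is what a rock would get if rockcraft wrote the numeric uid into the OCI User field instead of the name. Note that a "uid:gid" value still passes, since only the part before the colon is parsed.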