Run all containers as non-root user #3237
Conversation
knative-prow-robot
added
the
size/M
There was a problem hiding this comment.
@bradhoekstra: 0 warnings.
In response to this:
Related to #3001
Proposed Changes
- Run all containers as a non-root user
Release Note
Serving containers no longer run as root
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
|
/assign @mattmoor |
knative-prow-robot
added
size/L
That seems like a good idea, I can file an issue to follow up on that. |
|
/hold |
knative-prow-robot
added
the
do-not-merge/hold
|
I brought up the idea of building/publishing a nonroot image directly in distroless, but it was turned down: GoogleContainerTools/distroless#306. If we want a nonroot base image, it looks like we will have to build and publish that ourselves. |
|
Does |
|
@pmorie No, I'd expect |
|
Circling back on this - I am not sure where to take things from here. @mattmoor do you have any idea whether GoogleContainerTools/distroless#235 will be actionable? |
|
@pmorie Action taken GoogleContainerTools/distroless#368 |
|
Bump @bradhoekstra GoogleContainerTools/distroless#368 merged so you should have non-root distroless images to leverage now. If you've moved onto other things let us know and I can close/redo this PR. |
|
I can update this PR to use the new tags. |
|
Rebase and try again... |
Can the boskos project be shared by multiple jobs at once? |
|
/retest |
|
@bradhoekstra the failure looks legit: |
|
This is puzzling because if I deploy this image with the |
|
/retest |
|
FWIW, this passed for me locally, so I'm puzzled. One thing that comes to mind is that maybe |
| @@ -64,6 +64,8 @@ spec: | |||
| value: config-observability | |||
| - name: METRICS_DOMAIN | |||
| value: knative.dev/serving | |||
| securityContext: | |||
| allowPrivilegeEscalation: false | |||
There was a problem hiding this comment.
Can you elaborate on why this is needed to be set explicitly?
There was a problem hiding this comment.
This stops the user from being able to sudo or otherwise elevate privileges, without it starting the container as a non-root user does not mean the user cannot become root afterwards.
A good explanation is here: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
|
Somehow the tests passed now, maybe it was an issue due to project sharing? |
|
A thought: if the integration problem is due to the project sharing then merging this change may cause all sort of issues for PR integration tests until all PRs have picked up this change. |
Change-Id: I77370d1f198276f59e6033d8515d2c438c8f47c7
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bradhoekstra, mattmoor The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow-robot
added
the
approved
|
/retest |
3 similar comments
|
/retest |
|
/retest |
|
/retest |
|
when deploying latest serving code from master branch, encounter errors as below, In my environment, PodSecurityPolicy is enabled. |
| baseImageOverrides: | ||
| github.com/knative/serving/test/test_images/runtime-unprivileged: jenkins/jenkins:lts-slim | ||
| # Use :nonroot base image for all containers | ||
| defaultBaseImage: gcr.io/distroless/static:nonroot |
There was a problem hiding this comment.
If PodSecurityPolicy is enabled, this base image doesn't work.
Hit error as
"Warning Failed 7s (x4 over 22s) kubelet, 172.16.17.35 Error: container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root"
|
Sounds like we should enable PodSecurityPolicy in our test setup. GoogleContainerTools/distroless#375 should fix this. |
|
@yu2003w what's your exact pod security policy? |
Related to #3001
Proposed Changes
Release Note