Using runAsNonRoot in Kubernetes

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP


Using runAsNonRoot in Kubernetes



We’ve been planning for a long time to introduce securityContext: runAsNonRoot: true as a requirement to our pod configurations for a while now.


securityContext: runAsNonRoot: true



Testing this today I’ve learnt that since v1.8.4 (I think) you also have to specify a particular UID for the user running the container, e.g runAsUser: 333.


v1.8.4


runAsUser: 333



This means we not only have to tell developers to ensure their containers don’t run as root, but also specify a specific UID that they should run as, which makes this significantly more problematic for us to introduce.



Have I understood this correctly? What are others doing in this area? To leverage runAsNonRoot is it now required that Docker containers run with a specific and known UID?


runAsNonRoot




2 Answers
2



The Kubernetes Pod SecurityContext provides two options runAsNonRoot and runAsUser to enforce non root users. You can use both options separate from each other because they test for different configurations.


runAsNonRoot


runAsUser



When you set runAsNonRoot: true you require that the container will run with a user with UID 0. No matter which UID your user has.
When you set runAsUser: 333 you require that the container will run with a user with UID 333.


runAsNonRoot: true


runAsUser: 333



What are others doing in this area?



We are using runAsUser in situations where we don't want root to be used. Granted, those situations are not that frequent as you might think, since philosophy of deployment of 'processes' as separated pod's containers inside kubernetes cluster architecture differs from traditional compound monolithic deployment on single host where security implications of breach are quite different...


runAsUser



Most of our local development is done either on minicube or docker edge with k8s manifests so setup is as close as possible to our deployment cluster (apart from obvious limits). With that said, we don't have issues with user id allocation since initialization of persistent volume is not done externally so all file user/group ownership is done within pods with proper file permissions. On very rare occasions that docker is used for development, developer is instructed to set appropriate permissions manually across mounted volumes but that rare happens.






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

Visual Studio Code: How to configure includePath for better IntelliSense results

Image
Clash Royale CLAN TAG #URR8PPP Visual Studio Code: How to configure includePath for better IntelliSense results so I am a complete beginner to using Visual Studio Code and I have no clue what I am doing. I've searched around (maybe not enough), but I cant find just a simple explanation for someone like me on how to configure the c_cpp_properties.json file that I am redirected to whenever I click on the yellow lightbulb next to a line that is underlined with a green squiggle. Lightbulb example c_cpp_properties.json I just want to know what to put in the .json to make IntelliSense work properly This question has answers that may be good or bad; the system has marked it active so that they can be reviewed. 2 Answers 2 From: https://code.visualstudio.com/docs/languages/cpp Below you can see that the MinGW C++ include path has been added to browse.path for Windows: { "name": "Win32...
Read more

Spring cloud config client Could not locate PropertySource

Image
Clash Royale CLAN TAG #URR8PPP Spring cloud config client Could not locate PropertySource My config server use natie file system works fine and the dev profile configured contextPath: /config spring: application: name: dcit-config profiles: active: native management: endpoints: web: exposure: include: info, health, metrics metrics: export: atlas: enabled: true --- spring: profiles: native application: name: dcit-config cloud: config: server: native: searchLocations: classpath:/config/ server: port: 2003 eureka: instance: prefer-ip-address: true lease-renewal-interval-in-seconds: 5 lease-expiration-duration-in-seconds: 20 client: serviceUrl: defaultZone: http://dcit:dcit@localhost:1023/eureka registry-fetch-interval-seconds: 10 --- spring: profiles: dev application: name: dcit-config cloud: config: server: git: uri: http://xxx/gi...
Read more

Regex - How to capture all iterations of a repeating pattern?

Image
Clash Royale CLAN TAG #URR8PPP Regex - How to capture all iterations of a repeating pattern? Take a look at this example, I want to capture not just the last iteration (which is 5), but also 2, 3 and 4. It says here: A repeated capturing group will only capture the last iteration. Put a capturing group around the repeated group to capture all iterations... but I don't know how to do this. Since I need this in C++, I was looking for a way to get all iterations of capturing group using some regex functions in C++, but I always end up with same groups which the website finds. How about instruction d((,d)*) ? (IMHO, this is meant in the cited text.) Though, this leaves still the task to separate the inner matches... – Scheff 17 mins ago instruction d((,d)*) Thou...
Read more