Following are some additional improvements that can be done to the dd-lib-python-init Dockerfile
During a discussion with our security team, I got to know about an improvement we can make to the UID value.
UID 1000 is used by all common Linux distributions for the first non-root, non-system user, and this user can have enough privileges on the host to be exploited by a container breakout when the container runs with the same UID. Making this 10,000 instead should provide a reasonable buffer against a match.
Both the username and the UID are valid in a Dockerfile according to the Dockerfile specification. But in Kubernetes, when the username is used and runAsNonRoot is enabled in the Pod securityContext, container startup fails with the following error.
Error: container has runAsNonRoot and image has non-numeric user (datadog), cannot verify user is non-root
Changing the value in the USER instruction to the UID resolves this problem.
Related issue - https://github.com/DataDog/dd-trace-py/issues/4476
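The two points above (a USER instruction that runAsNonRoot can verify, and a UID that does not collide with the host's first regular user) are easy to check mechanically before an image ships. The following is an added example, not code from dd-lib-python-init or Datadog: a small Python linter that finds the final USER instruction in a Dockerfile, flags a non-numeric user the way the kubelet does under runAsNonRoot, and flags a UID below 10,000. The two Dockerfiles it runs against are constructed here for illustration (the `adduser --uid N name` form the regex looks for is an assumption about how the image creates its user), and the 10,000 threshold is the one proposed above.

```python
import re

# Constructed sample Dockerfiles (not the project's real Dockerfile).
# "Before": username in USER and the distribution default UID 1000.
# "After": dedicated UID 10000 and a numeric USER.
DOCKERFILE_BEFORE = """\
FROM python:3.11-slim
RUN adduser --disabled-password --gecos "" --uid 1000 datadog
COPY . /datadog-init
USER datadog
"""

DOCKERFILE_AFTER = """\
FROM python:3.11-slim
RUN adduser --disabled-password --gecos "" --uid 10000 datadog
COPY . /datadog-init
USER 10000
"""

MIN_SAFE_UID = 10000  # threshold proposed in the issue text

USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.IGNORECASE)
# Assumption: users are created with `adduser ... --uid N name` (Debian adduser flag form).
ADDUSER_UID_RE = re.compile(r"--uid[ =](\d+)\s+(\S+)")


def last_user_instruction(dockerfile: str):
    """Return the user[:group] value of the final USER instruction, or None if absent."""
    user = None
    for line in dockerfile.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
    return user


def declared_uids(dockerfile: str) -> dict:
    """Map usernames created with `adduser --uid N name` to their numeric UID."""
    return {name: int(uid) for uid, name in ADDUSER_UID_RE.findall(dockerfile)}


def check_dockerfile(dockerfile: str) -> list:
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    user = last_user_instruction(dockerfile)
    if user is None:
        return ["no USER instruction: container runs as root by default"]
    uid_part = user.split(":", 1)[0]  # drop an optional :group suffix
    if uid_part.isdigit():
        uid = int(uid_part)
    else:
        # Same situation the kubelet rejects: a non-numeric user in the image
        # config cannot be verified as non-root when runAsNonRoot is set.
        findings.append(f"non-numeric USER '{uid_part}': fails under runAsNonRoot")
        # Best effort: resolve the name through the adduser line, if present.
        uid = declared_uids(dockerfile).get(uid_part)
    if uid == 0:
        findings.append("USER resolves to UID 0 (root)")
    elif uid is not None and uid < MIN_SAFE_UID:
        findings.append(f"UID {uid} is below {MIN_SAFE_UID} and may collide with a host user")
    return findings


if __name__ == "__main__":
    for label, content in (("before", DOCKERFILE_BEFORE), ("after", DOCKERFILE_AFTER)):
        print(label, check_dockerfile(content) or "OK")
```

Running the script reports both findings for the "before" Dockerfile and nothing for the "after" one; the same function can be pointed at any Dockerfile text in CI to catch a regression to a named USER or a low UID.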
References:
https://docs.bridgecrew.io/docs/bc_k8s_37
https://hub.datree.io/built-in-rules/prevent-uid-conflicts