DataDog / dd-trace-py

Datadog Python APM Client
https://ddtrace.readthedocs.io/

Increase the UID and specify the UID value in the USER instruction in the `dd-lib-python-init` Dockerfile #4513

Closed nilushancosta closed 1 year ago

nilushancosta commented 1 year ago

Related issue - https://github.com/DataDog/dd-trace-py/issues/4476

Summary of problem

Following are some additional improvements that can be done to the dd-lib-python-init Dockerfile

  1. During a discussion with our security team, I got to know about an improvement we can make to the UID value. UID 1000 is used by all common Linux distributions for the first non-root, non-system user, and this user can have enough privileges inside the host to be exploited by a container breakout having the same UID inside the container. Making this 10,000 instead should provide a reasonable buffer for no match.

References: https://docs.bridgecrew.io/docs/bc_k8s_37 https://hub.datree.io/built-in-rules/prevent-uid-conflicts

  2. Both the username and the UID are valid in a Dockerfile according to the Dockerfile specification. But in Kubernetes, when the username is used and runAsNonRoot is enabled in the Pod securityContext, container startup fails with the following error.
    Error: container has runAsNonRoot and image has non-numeric user (datadog), cannot verify user is non-root

    Changing the value in the USER instruction to the UID resolves this problem.
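The two checks described in this issue (numeric UID so that `runAsNonRoot` can verify it, and a UID high enough not to collide with the host's first regular user) can be linted before an image is built. The following POSIX shell script is an added example and is not code from the dd-trace-py project; the function names, the three sample Dockerfiles and the `useradd` lines in them are constructed for illustration. It reads a Dockerfile on stdin, extracts the user from the last `USER` instruction (ignoring an optional `:group` suffix) and reports the same conditions the issue raises.

```shell
#!/bin/sh
# Added example (not part of dd-trace-py): lint the final USER instruction of a
# Dockerfile for the two points raised in the issue above.

# Print the user named by the last USER instruction of the Dockerfile on stdin.
# "USER user[:group]" is the Dockerfile syntax; only the user part is kept.
last_user() {
  tr -d '\r' | awk 'toupper($1) == "USER" { u = $2 } END { print u }' | cut -d: -f1
}

# check_user USER: print a verdict; exit status 0 only for a numeric UID >= 10000.
check_user() {
  u="$1"
  case "$u" in
    '')        echo "no USER instruction: the container runs as root"; return 1 ;;
    *[!0-9]*)  echo "non-numeric user '$u': runAsNonRoot cannot verify it is non-root"; return 1 ;;
  esac
  if [ "$u" -eq 0 ]; then
    echo "UID 0 is root"; return 1
  fi
  if [ "$u" -lt 10000 ]; then
    echo "UID $u may collide with a host user (UID 1000 is the usual first user); prefer >= 10000"; return 1
  fi
  echo "UID $u ok"
  return 0
}

# check_dockerfile: read a Dockerfile on stdin and check its effective user.
check_dockerfile() {
  check_user "$(last_user)"
}

# Constructed sample Dockerfiles (hypothetical, for demonstration only).
BAD_NAME='FROM python:3.11-slim
RUN useradd -u 1000 datadog
USER datadog'

BAD_UID='FROM python:3.11-slim
RUN useradd -u 1000 datadog
USER 1000'

GOOD='FROM python:3.11-slim
RUN useradd -u 10000 datadog
USER 10000:10000'

# Usage: sh lint_user.sh --demo   (or: check_dockerfile < Dockerfile)
if [ "${1:-}" = "--demo" ]; then
  for d in "$BAD_NAME" "$BAD_UID" "$GOOD"; do
    printf '%s\n' "$d" | check_dockerfile
  done
fi
```

Run with `--demo` to see the three verdicts, or pipe a real Dockerfile into `check_dockerfile`. The script only inspects the last `USER` line, which is the one that determines the container's default user; a `USER` that appears earlier in a multi-stage build does not carry over to the final stage, so this is the line Kubernetes' `runAsNonRoot` check looks at.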

Kyle-Verhoog commented 1 year ago

thanks for the info @nilushancosta, taking a look at your PR 🙂