PureStorage-OpenConnect / pso-explorer

PSO Explorer Helm Chart
Apache License 2.0

run as non-root user #18

Closed aboje closed 4 years ago

aboje commented 4 years ago

Can you set an option to run the pods as non-root users? If we implement the podsecuritypolicy runAsUser rule "MustRunAsNonRoot", the pods won't start.

Error: container has runAsNonRoot and image will run as root

rdeenik commented 4 years ago

@aboje I was able to reproduce this. The issue is that the redis:alpine container runs as root by default (so not the PSO eXplorer container), since no USER parameter is specified in the Dockerfile. I've just created a new branch non-root where I've added a securityContext: with runAsUser: 1001 for the Redis container. Can you test this and let me know if that works for you? By specifying the user ID in the deployment template we basically force the Redis container to run as non-root (which I know is supported, since it runs as a non-root user in OCP as well).
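The two halves of the change described above, written out as an added illustration rather than the chart's own template: a PodSecurityPolicy with the MustRunAsNonRoot rule that rejects the stock redis:alpine image, and a Deployment fragment with the container-level securityContext that makes the same image start. The UID 1001 and the rule name are from this thread; the resource names and the volume list are assumptions.

```yaml
# PodSecurityPolicy with the rule from the report. With this in place the kubelet
# refuses to start a container whose image resolves to UID 0 (or to no USER at
# all) unless the pod spec forces a specific non-root UID.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted            # assumed name
spec:
  privileged: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: ["configMap", "emptyDir", "secret", "persistentVolumeClaim"]   # assumed
---
# Deployment fragment for the Redis side-car. redis:alpine has no USER line in
# its Dockerfile, so without the securityContext below the pod fails with
# "container has runAsNonRoot and image will run as root". Pinning the UID
# satisfies the policy without rebuilding the image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pso-explorer-redis    # assumed name
spec:
  replicas: 1
  selector:
    matchLabels: {app: pso-explorer-redis}
  template:
    metadata:
      labels: {app: pso-explorer-redis}
    spec:
      containers:
        - name: redis
          image: redis:alpine
          securityContext:
            runAsNonRoot: true   # what the PSP would otherwise inject
            runAsUser: 1001      # UID used on the non-root branch
```

On clusters where PodSecurityPolicy has been removed (Kubernetes 1.25 and later), the Pod Security Admission "restricted" level enforces the same runAsNonRoot requirement, and the container-level securityContext above still satisfies it.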

aboje commented 4 years ago

I ran the following but I don't see the updates to the deployment. I do see them in your deployment template online, however, so I'm guessing I'm not upgrading from the non-root branch correctly.

helm repo add pso-explorer 'https://raw.githubusercontent.com/PureStorage-OpenConnect/pso-explorer/non-root'
helm upgrade pso-explorer -f pso-explorer.values -n pso-explorer pso-explorer/pso-explorer

rdeenik commented 4 years ago

@aboje I don't think that will work indeed, since Helm doesn't allow you to add a GitHub branch as repo. You'd have to clone the repo and install from the cloned repo:

git clone -b non-root https://github.com/PureStorage-OpenConnect/pso-explorer.git
cd pso-explorer
helm upgrade pso-explorer -f pso-explorer.values -n pso-explorer .

By specifying . instead of pso-explorer/pso-explorer you're installing from the local cloned repo.

aboje commented 4 years ago

Got it, thank you. I installed as you wrote. Works great. pso-explorer starts successfully and it is using my restricted psp policy. I can still get into the UI without problems. Thanks for the fast response.

sdodsley commented 4 years ago

@aboje are you willing to share the psp policy?

rdeenik commented 4 years ago

Perfect, great to hear it works. I'll make sure to merge this in the new release!