Closed aboje closed 4 years ago
@aboje I was able to reproduce this. The issue is that the redis:alpine container runs as root by default (so not the PSO eXplorer container), since no USER parameter is specified in the Dockerfile. I've just created a new branch non-root where I've added a securityContext: with runAsUser: 1001 for the Redis container. Can you test this and let me know if that works for you?
By specifying the user ID in the deployment template we basically force the Redis container to run as non-root (which I know is supported, since it runs as a non-root user in OCP as well).
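The fix above works because a PodSecurityPolicy with the runAsUser rule MustRunAsNonRoot can only be satisfied statically by an explicit non-zero runAsUser; when it is unset, the kubelet has to inspect the image's USER at start, which is where the "image will run as root" error comes from for redis:alpine. The following is an added example (not code from the pso-explorer chart) that classifies each container of a Deployment manifest that way; the manifest is a constructed Python dict in the shape yaml.safe_load would return, and the image names are illustrative.

```python
"""Static check of a Deployment against a PSP runAsUser rule MustRunAsNonRoot.

Added example, not part of the pso-explorer chart. MANIFEST is constructed;
the uid 1001 and the two container roles follow the thread.
"""

MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "pso-explorer"},
    "spec": {"template": {"spec": {
        # No pod-level securityContext, so each container decides for itself.
        "containers": [
            # As in the non-root branch: an explicit non-zero uid for Redis.
            {"name": "redis", "image": "redis:alpine",
             "securityContext": {"runAsUser": 1001}},
            # No securityContext: the outcome depends on the image's USER,
            # which admission cannot see (fine here, since that image is
            # built to run as non-root; fatal for a root-by-default image).
            {"name": "pso-explorer", "image": "pso-explorer:latest"},
        ],
    }}},
}


def effective(pod_spec, container, key):
    """Container-level securityContext overrides pod-level for a given key."""
    ctx = container.get("securityContext") or {}
    if key in ctx:
        return ctx[key]
    return (pod_spec.get("securityContext") or {}).get(key)


def classify_container(pod_spec, container):
    """Return 'non-root', 'root', or 'image-decides' for one container."""
    uid = effective(pod_spec, container, "runAsUser")
    if uid is not None:
        return "root" if uid == 0 else "non-root"
    # runAsUser unset: the kubelet checks the image USER at container start.
    # A root or missing USER produces the thread's error:
    # "container has runAsNonRoot and image will run as root".
    return "image-decides"


def check_must_run_as_non_root(manifest):
    """Map every container (init containers included) to its verdict."""
    pod_spec = manifest["spec"]["template"]["spec"]
    containers = pod_spec.get("initContainers", []) + pod_spec["containers"]
    return {c["name"]: classify_container(pod_spec, c) for c in containers}


if __name__ == "__main__":
    for name, verdict in check_must_run_as_non_root(MANIFEST).items():
        print(f"{name}: {verdict}")
```

Only containers reported as "non-root" are guaranteed to pass admission and start regardless of the image; "image-decides" containers need a numeric non-root USER baked into the image.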
I ran the following but I don't see the updates to the deployment. I do see them in your deployment template online, however, so I'm guessing I'm not upgrading from the non-root branch correctly.
helm repo add pso-explorer 'https://raw.githubusercontent.com/PureStorage-OpenConnect/pso-explorer/non-root'
helm upgrade pso-explorer -f pso-explorer.values -n pso-explorer pso-explorer/pso-explorer
@aboje I don't think that will work indeed, since Helm doesn't allow you to add a GitHub branch as repo. You'd have to clone the repo and install from the cloned repo:
git clone -b non-root https://github.com/PureStorage-OpenConnect/pso-explorer.git
cd pso-explorer
helm upgrade pso-explorer -f pso-explorer.values -n pso-explorer .
By specifying . instead of pso-explorer/pso-explorer you're installing from the local cloned repo.
Got it, thank you. I installed as you wrote. Works great. pso-explorer starts successfully and it is using my restricted psp policy. I can still get into the UI without problems. Thanks for the fast response.
@aboje are you willing to share the psp policy?
Perfect, great to hear it works. I'll make sure to merge this in the new release!
Can you set an option to run the pods as non-root users? If we implement the podsecuritypolicy runAsUser rule "MustRunAsNonRoot", the pods won't start.
Error: container has runAsNonRoot and image will run as root