Open oridool opened 2 years ago
We choose to use Amazon Linux as our base image because Amazon maintains and patches Amazon Linux and that makes it easy for this distro to stay up to date and be easily supported by Amazon Support/engineers.
Our understanding is that making Fluent Bit UID 0/root inside the container is considered to be safe by many customers. You can restrict what the container can access and do using normal container controls. In addition, some use cases require the Fluent Bit process to be UID 0. For example, if you are using the fluentd docker log driver with a unix socket, and Docker is running as UID 0, then any process that needs to read from the socket must also be UID 0. This is because unix sockets use file write permissions IIRC, which means that to read from a socket created by Docker, you need to be the same user ID or in the same group ID.
We are taking this as a feature request to enable running AWS for Fluent Bit as non-UID 0/root within the container as an option.
I would love to see this as an option.
Here's a great reason not to run as root. Seems to fit the points here, but I haven't tested it to verify. https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts
We are taking this as a feature request to enable running AWS for Fluent Bit as non-UID 0/root within the container as an option.
Thanks @PettitWesley . Is there a place where we can see the timeline/status for adding this enhancement? Can you estimate when it will be available?
Describe the question/issue
Our image scanning tool reports a potential risk with this image. It appears that it is running with the root user. Plus, it also uses 'hostPath' in the DaemonSet configuration. Both things together are considered a high risk. Can the image be built with another non-privileged user? Or even better, build it from a distroless image?
Configuration
DaemonSet configuration according to the AWS docs for Container Insights: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html
yaml: kubectl apply -f https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/fluent-bit/fluent-bit.yaml
Fluent Bit Version Info
aws-for-fluent-bit:2.28.0
Steps to reproduce issue
Related Issues
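Added example, not code from this thread or the aws-for-fluent-bit project: a small audit that reproduces the two findings the scanner raised (container running as UID 0, pod mounting a hostPath) over pod specs written as plain Python dicts, so it needs no YAML library. The manifests and the UID 1000 in the hardened variant are constructed assumptions.

```python
# Audit pod specs for the combination the issue's scanner flags as high risk:
# a container effectively running as root while the pod mounts a hostPath.

def runs_as_root(pod_spec, container):
    """True unless the container (or pod) securityContext pins a non-zero UID
    or sets runAsNonRoot. With no securityContext the image default applies,
    which for aws-for-fluent-bit is UID 0, so that case counts as root."""
    pod_sc = pod_spec.get("securityContext", {})
    ctr_sc = container.get("securityContext", {})
    # Container-level settings override pod-level ones, as in Kubernetes.
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if uid is not None:
        return uid == 0
    return not non_root

def host_path_mounts(pod_spec):
    """Map volume name -> host directory for every hostPath-backed volume."""
    return {v["name"]: v["hostPath"]["path"]
            for v in pod_spec.get("volumes", []) if "hostPath" in v}

def audit_pod(pod_spec):
    """Return (severity, container, detail) findings. Root plus a hostPath
    mount in the same container is HIGH, mirroring the scanner's reasoning."""
    findings = []
    hp = host_path_mounts(pod_spec)
    for c in pod_spec.get("containers", []):
        root = runs_as_root(pod_spec, c)
        mounted = [m["name"] for m in c.get("volumeMounts", []) if m["name"] in hp]
        paths = sorted(hp[n] for n in mounted)
        if root and mounted:
            findings.append(("HIGH", c["name"], f"root with hostPath {paths}"))
        elif root:
            findings.append(("MEDIUM", c["name"], "runs as UID 0"))
        elif mounted:
            findings.append(("LOW", c["name"], f"hostPath {paths}"))
    return findings

# Constructed manifests shaped like the Container Insights DaemonSet pod spec.
AS_SHIPPED = {
    "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "fluent-bit",
                    "volumeMounts": [{"name": "varlog", "mountPath": "/var/log", "readOnly": True}]}],
}
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},  # assumed non-root UID
    "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "fluent-bit",
                    "volumeMounts": [{"name": "varlog", "mountPath": "/var/log", "readOnly": True}]}],
}
```

The hardened spec still reports the hostPath mount at LOW, since the log directory must be mounted for Fluent Bit to work; the audit only downgrades the finding once the container no longer runs as UID 0.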