benfiola / minio-operator-ext

A Kubernetes operator that allows for declarative management of MinIO resources

Run as non-root by default #21

Closed nogweii closed 2 weeks ago

nogweii commented 1 month ago

I've done so in my PR (#20) but bringing it up separately so that it might be integrated into the Dockerfile - there is nothing that requires root privileges inside the container, right?

If so, might I recommend basing the final layer not on scratch but on gcr.io/distroless/static-debian12:nonroot instead?

benfiola commented 1 month ago

> ... there is nothing that requires root privileges inside the container, right?

None that I know of!

Did some quick testing, didn't see any issues with the non-root image. I do think it's a great idea to encourage non-root as default - so I'll put in a PR to update the docker image.

benfiola commented 4 weeks ago

As of docker.io/benfiola/minio-operator-ext:2.2.0 - we should be using a non-root image. Let me know if you run into any issues with it.

nogweii commented 3 weeks ago

As mentioned in the other thread, it looks like the latest / 2.2.0 image only has one layer, and does not include the operator binary itself.

benfiola commented 3 weeks ago

Yep! The image should be fixed as of version 2.2.1! :tada:

benfiola commented 2 weeks ago

I've been running this in my cluster for a few days and things look pretty good! Thanks for the suggestion + PR!

Am going to close this issue out, feel free to open new issues for any problems you run into.
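Added example, not part of the thread or the project's code: a release check covering the two points raised above, that the image runs as a non-root user and that it actually adds content on top of its base image. It reads the `Config.User`, `Config.Entrypoint`/`Cmd` and `RootFS.Layers` fields of `docker image inspect` output; the function names, image tags, layer digests and the `/operator` path are constructed placeholders.

```python
import json

# Constructed `docker image inspect` records, trimmed to the fields checked.
# Tags, layer digests and the /operator path are placeholders.
BASE_LAYERS = ["sha256:base0"]  # layers of the expected base image (constructed)
SAMPLE = json.loads("""[
 {"RepoTags": ["example/operator:root"],
  "Config": {"User": "", "Entrypoint": ["/operator"]},
  "RootFS": {"Layers": ["sha256:other0"]}},
 {"RepoTags": ["example/operator:empty"],
  "Config": {"User": "65532", "Entrypoint": ["/operator"]},
  "RootFS": {"Layers": ["sha256:base0"]}},
 {"RepoTags": ["example/operator:named"],
  "Config": {"User": "nonroot:nonroot", "Entrypoint": ["/operator"]},
  "RootFS": {"Layers": ["sha256:base0", "sha256:app0"]}},
 {"RepoTags": ["example/operator:good"],
  "Config": {"User": "65532:65532", "Entrypoint": ["/operator"]},
  "RootFS": {"Layers": ["sha256:base0", "sha256:app0"]}}
]""")

def user_finding(user):
    """Classify Config.User; only a numeric, non-zero UID passes."""
    uid = user.split(":", 1)[0]
    if uid in ("", "root") or (uid.isdigit() and int(uid) == 0):
        return "runs as root"
    if not uid.isdigit():
        return "non-numeric user"  # UID unknown without the image's passwd file
    return None

def audit_image(image, base_layers):
    """Return a list of findings for one inspect record (empty list = pass)."""
    cfg = image.get("Config") or {}
    layers = (image.get("RootFS") or {}).get("Layers") or []
    findings = [f for f in [user_finding(cfg.get("User") or "")] if f]
    if not (cfg.get("Entrypoint") or cfg.get("Cmd")):
        findings.append("no entrypoint or cmd")
    if layers[:len(base_layers)] != base_layers:
        findings.append("unexpected base layers")
    elif len(layers) == len(base_layers):
        findings.append("nothing added on top of base")
    return findings

def audit_all(images, base_layers=BASE_LAYERS):
    return {img["RepoTags"][0]: audit_image(img, base_layers) for img in images}

if __name__ == "__main__":
    for tag, findings in audit_all(SAMPLE).items():
        print(tag, "->", findings or "ok")
```

In a pipeline, the records would come from `docker image inspect` run against the built image and its base, with the job failing on any non-empty findings list.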