chainguard-dev / apko

Build OCI images from APK packages directly without Dockerfile
https://apko.dev
Apache License 2.0

Favor `uid` over username in User directive. #129

Closed mattmoor closed 2 years ago

mattmoor commented 2 years ago

I notice that I can use either of these syntaxes:

  run-as: nonroot
  run-as: 65532

... and we in fact favor the former in our examples.

I believe that certain runtime security features in Kubernetes don't work properly with the string variant, but do work with the uid variant. I believe the reason is that if user is a uid, all you need is the config to evaluate policy, whereas if it is a username then you have to fetch the image contents to access /etc/passwd to determine the uid, which in general means downloading arbitrary amounts of data.

If we can, then I'd suggest we bias towards doing the "right" thing regardless of input, and using the uid variant. Regardless, we should probably switch the images where we use this to get the uid result.
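The reasoning in the comment above, as an added example that is not part of the issue thread or apko's own code: a Go check that classifies the `User` field of an OCI image config using only the config JSON. The function name, verdict strings and sample configs are constructed for illustration, and treating an unset `User` as root is an assumption about the runtime default.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// imageConfig holds the only field of the OCI image config this check reads.
type imageConfig struct {
	Config struct {
		User string `json:"User"`
	} `json:"config"`
}

const (
	NonRoot      = "non-root"
	Root         = "root"
	Undetermined = "undetermined" // uid only knowable from /etc/passwd in the layers
)

// NonRootFromConfig classifies User ("user", "uid", "user:group", "uid:gid") from the config alone.
func NonRootFromConfig(raw []byte) (string, error) {
	var c imageConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", fmt.Errorf("parse image config: %w", err)
	}
	user, _, _ := strings.Cut(c.Config.User, ":") // drop the optional group part
	if user == "" {
		return Root, nil // assumption: unset User means the runtime default, uid 0
	}
	uid, err := strconv.ParseUint(user, 10, 32)
	if err != nil {
		return Undetermined, nil // a username: policy cannot be decided without image contents
	}
	if uid == 0 {
		return Root, nil
	}
	return NonRoot, nil
}

func main() {
	// Constructed sample configs: the two run-as forms from the issue, plus an unset User.
	for _, cfg := range []string{`{"config":{"User":"65532"}}`, `{"config":{"User":"nonroot"}}`, `{"config":{}}`} {
		v, err := NonRootFromConfig([]byte(cfg))
		fmt.Printf("%-32s -> %s (err=%v)\n", cfg, v, err)
	}
}
```

Only the numeric form yields a verdict from the config; the `nonroot` form comes back undetermined even though it maps to the same uid inside the image.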

amouat commented 2 years ago

Just to clarify, the action here is just to update the examples, we don't want to change any behaviour or apko code?

mattmoor commented 2 years ago

Yeah, I think that's right.

mattmoor commented 2 years ago

I mean, we could make it always put in the UID for bonus points, which makes it harder to hold "wrong", but I don't feel strongly.

kaniini commented 2 years ago

Seems like a nice enhancement for the examples, but we can do the UID mapping for strings too. Would be nice to get it into apko 0.4.