cloudfoundry / eirini

Pluggable container orchestration for Cloud Foundry, and a Kubernetes backend
Apache License 2.0

Docker images that do not specify a numeric USER fail with CreateContainerConfigError #120

Closed Birdrock closed 3 years ago

Birdrock commented 3 years ago

Description

Docker staging does not inspect images for a USER directive. When a Docker image does not specify a USER or specifies a USER as a string, the desired LRP will have a CreateContainerConfigError with events showing Error: container has runAsNonRoot and image will run as root or Error: container has runAsNonRoot and image has non-numeric user (<some-user-string>), cannot verify user is non-root.

This is because the PodSecurityContext specifies RunAsNonRoot. Images that don't specify a USER will try to default to UID 0 (root). Images that specify a USER string don't meet the requirements for RunAsNonRoot - Kubernetes requires a non-zero numeric user. (https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups)

Steps to reproduce

  1. Create a cf-for-k8s cluster.
  2. Auth/login with the CF CLI
  3. cf push hello-ruby -o awittrock/helloworld-ruby

What was expected to happen

Container starts successfully.

What actually happened

Error: container has runAsNonRoot and image will run as root

Suggested fix (optional)

Docker staging inspects image and adds user metadata to payload. cloud_controller_ng appends this data to the desired LRP request for use in the PodSecurityContext. The PodSecurityContext respects the user provided by cloud_controller_ng if it is specified as a numeric user. The PodSecurityContext provides a default value for requests that do not specify a user (empty string) or provide a non-numeric user.

Additional information (optional)

We've done an exploration and test drove the implementation. We will submit a PR once we have done the necessary work on cloud_controller_ng.

cf-gitbot commented 3 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/175749977

The labels on this github issue will be updated when the story is started.

herrjulz commented 3 years ago

Hi @Birdrock, we are closing this issue due to the investigations and findings that are part of https://github.com/cloudfoundry-incubator/eirini/pull/121 -> referring to @gcapizzi's comment https://github.com/cloudfoundry-incubator/eirini/pull/121#issuecomment-737878812