confluentinc / cp-docker-images

[DEPRECATED] Docker images for Confluent Platform.
Apache License 2.0

Running the processes in cp-kafka-rest pod with non root user account #903

Closed brshravan-tech closed 2 years ago

brshravan-tech commented 2 years ago

Hi Team,

I am using the Docker image from "confluentinc/cp-kafka-rest:5.2.3" and my deployment looks something like the one below. I can see variables to change settings like BOOTSTRAP Server, Rest Client user name, timeouts, etc., but couldn't find a way to change the username. When I exec into the pod that gets deployed, I see that it's running with the root account, and I want to change this and use some other user account. Any suggestions on how this can be done?

apiVersion: v1
kind: Service
metadata:
  name: kafka-rest-service
spec:
  ports:
  - port: 8082
    protocol: TCP
  selector:
    app: kafka-rest
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kafka-rest
  name: kafka-rest
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kafka-rest
  template:
    metadata:
      labels:
        app: kafka-rest
    spec:
      containers:
      - env:
        - name: KAFKA_REST_BOOTSTRAP_SERVERS
          value: <KAFKA_REST_BOOTSTRAP_SERVERS>
        - name: KAFKA_REST_HOST_NAME
          value: <KAFKA_REST_HOST_NAME>
        - name: KAFKA_REST_GROUP_ID
          value: <KAFKA_REST_GROUP_ID>
        - name: KAFKA_REST_REQUEST_TIMEOUT_MS
          value: <KAFKA_REST_REQUEST_TIMEOUT_MS>
        - name: KAFKA_REST_CLIENT_SECURITY_PROTOCOL
          value: <KAFKA_REST_CLIENT_SECURITY_PROTOCOL>
        - name: KAFKA_REST_CLIENT_SASL_MECHANISM
          value: <KAFKA_REST_CLIENT_SASL_MECHANISM>
        - name: REST_CLIENT_USERNAME
          value: <REST_CLIENT_USERNAME>
        - name: REST_CLIENT_CONNECTION_STRING
          value: <REST_CLIENT_CONNECTION_STRING>
        - name: KAFKA_REST_CLIENT_SASL_JAAS_CONFIG
          value: org.apache.kafka.common.security.plain.PlainLoginModule required
            username=\"$(REST_CLIENT_USERNAME)\" password=\"$(REST_CLIENT_CONNECTION_STRING)\";
        - name: KAFKA_REST_LISTENERS
          value: <KAFKA_REST_LISTENERS>
        image: confluentinc/cp-kafka-rest:5.2.3
        name: kafka-rest
        ports:
        - containerPort: 8082

Thanks

brshravan-tech commented 2 years ago

Noticed that, in a newer version of cp-kafka-rest (e.g. v6.1.2), processes are running with the "appuser" user account. So we are good with this. I am closing this ticket.

Thanks
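
As an added example (not from the issue or from the Confluent project): a small Python check that reports whether each container in a Deployment is pinned to a non-root UID through `securityContext`, applying the Kubernetes rule that a container-level value overrides the pod-level one. The manifests are constructed; the first mirrors the Deployment posted above, and UID 1000 and the helper names are illustrative assumptions, not values taken from the image.

```python
# Added example: audits a Deployment's pod template for non-root enforcement.
# Manifests below are constructed; the first mirrors the one in the issue.
EXPLAIN = {
    "ROOT_UID": "runAsUser is 0, the container runs as root",
    "USER_UNPINNED": "no runAsUser/runAsNonRoot, the image's USER decides",
    "NONROOT_NO_UID": "runAsNonRoot without numeric runAsUser: start fails "
                      "if the image's USER is root or a name, not a UID",
}

def effective(pod_sc, ctr_sc, key):
    """A container-level securityContext value overrides the pod-level one."""
    return ctr_sc.get(key, pod_sc.get(key))

def audit_nonroot(manifest):
    """Return [(container_name, code)] for containers not pinned to non-root."""
    spec = manifest["spec"]["template"]["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        ctr_sc = ctr.get("securityContext") or {}
        uid = effective(pod_sc, ctr_sc, "runAsUser")
        nonroot = effective(pod_sc, ctr_sc, "runAsNonRoot")
        if uid == 0:
            findings.append((ctr["name"], "ROOT_UID"))
        elif uid is None and nonroot:
            findings.append((ctr["name"], "NONROOT_NO_UID"))
        elif uid is None:
            findings.append((ctr["name"], "USER_UNPINNED"))
    return findings

def make_deployment(pod_sc=None, ctr_sc=None):
    """Build a minimal Deployment dict shaped like the manifest in the issue."""
    ctr = {"name": "kafka-rest", "image": "confluentinc/cp-kafka-rest:5.2.3"}
    if ctr_sc is not None:
        ctr["securityContext"] = ctr_sc
    pod = {"containers": [ctr]}
    if pod_sc is not None:
        pod["securityContext"] = pod_sc
    return {"kind": "Deployment", "spec": {"template": {"spec": pod}}}

AS_POSTED = make_deployment()  # no securityContext anywhere, as in the issue
# UID 1000 is an assumed, illustrative value (not read from the image)
PINNED = make_deployment(pod_sc={"runAsNonRoot": True, "runAsUser": 1000})
OVERRIDDEN = make_deployment(pod_sc={"runAsUser": 1000}, ctr_sc={"runAsUser": 0})

if __name__ == "__main__":
    for label, m in [("as posted", AS_POSTED), ("pinned", PINNED),
                     ("overridden", OVERRIDDEN)]:
        print(label, [(c, EXPLAIN[code]) for c, code in audit_nonroot(m)])
```

A manifest with no `securityContext`, like the one posted, leaves the runtime user to the image, which is why the same Deployment runs as root on one image tag and as "appuser" on another.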