cruise-automation / k-rail

Kubernetes security tool for policy enforcement
Apache License 2.0

Use numeric USER in Dockerfile for PSP compatibility #19

Closed funkypenguin closed 5 years ago

funkypenguin commented 5 years ago

Ironically, k-rail won't run in an environment where the default PodSecurityPolicies (PSP) enforce RunAsNonRoot, because the USER value in the Dockerfile is non-numeric:

  Warning  Failed     8s (x4 over 25s)   kubelet, wn3.kube-cluster.local  Error: container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root

This PR simply changes the USER value to the UID of the "nobody" user, and makes PSP happy again :)
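To see why the kubelet rejects the original image and accepts the change, here is an added check (example code, not part of k-rail or this PR) that applies the same rule the kubelet does to a Dockerfile's USER directive: a numeric UID can be verified as non-root, a name cannot. The two Dockerfiles are constructed for the example, and 65534 as the UID of `nobody` is an assumption about the base image.

```python
import re
from typing import Optional, Tuple

# Last USER directive wins, as in a real image build. Comment lines do not match.
USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.IGNORECASE | re.MULTILINE)

def effective_user(dockerfile: str) -> Optional[str]:
    """Return the value of the last USER directive, or None if there is none."""
    matches = USER_RE.findall(dockerfile)
    return matches[-1] if matches else None

def check_run_as_non_root(dockerfile: str) -> Tuple[bool, str]:
    """Would a pod with securityContext.runAsNonRoot=true admit this image's user?

    Mirrors the kubelet's verification of the image user: it only inspects the
    image config, never /etc/passwd, so a user name cannot be resolved to a UID.
    (If the pod spec sets runAsUser, the kubelet checks that value instead and
    the image USER is irrelevant.) Returns (ok, reason).
    """
    user = effective_user(dockerfile)
    if user is None:
        return False, "no USER directive: image runs as root (uid 0) by default"
    uid = user.split(":", 1)[0]  # USER may be "uid:gid" or "name:group"
    if not uid.isdigit():
        return False, f"image has non-numeric user ({uid}), cannot verify user is non-root"
    if int(uid) == 0:
        return False, "USER is uid 0: container would run as root"
    return True, f"USER {uid} is numeric and non-zero: runAsNonRoot can be verified"

# Constructed Dockerfiles: the shape of the image before and after this PR.
# 65534 is assumed to be the UID of "nobody" in the base image; check yours.
BEFORE = 'FROM alpine\nCOPY k-rail /k-rail\nUSER nobody\nENTRYPOINT ["/k-rail"]\n'
AFTER = 'FROM alpine\nCOPY k-rail /k-rail\nUSER 65534\nENTRYPOINT ["/k-rail"]\n'

if __name__ == "__main__":
    for label, dockerfile in (("before", BEFORE), ("after", AFTER)):
        ok, reason = check_run_as_non_root(dockerfile)
        print(f"{label}: {'OK' if ok else 'REJECT'} - {reason}")
```

Running the script prints REJECT for the `USER nobody` image and OK for the numeric one; the same check can be run over a repository's Dockerfiles before images reach a cluster whose PSP enforces RunAsNonRoot.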

dustin-decker commented 5 years ago

Good find, I didn't know about that limitation. I'll cut a release soon to include this. Thanks!