deepfence / ThreatMapper

Open Source Cloud Native Application Protection Platform (CNAPP)
https://deepfence.io
Apache License 2.0

Run Scanner Agent In Rootless Mode #2017

Open dmdhrumilmistry opened 6 months ago

dmdhrumilmistry commented 6 months ago

Additional context: To be able to run the scanner agent Docker containers in rootless mode.

Is your feature request related to a problem? Please describe. Some organizations prefer running docker in rootless mode to enhance container security posture for their current infra. Host Docker Agent doesn't seem to work properly when docker is running in rootless mode.


noboruma commented 6 months ago

@dmdhrumilmistry thanks for reporting this issue. The agent needs root permission to access some system information, hence we never looked into rootless mode. If we do that, we might lose access to useful information and thus return partial information to the console, like connectivity information and some file access (Meaning scanner might not be accessing the full file system). Would such degradation be acceptable in your workflow?
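The degradation described in the comment above follows from where the agent ends up: under a rootless daemon, "root" inside the container is an unprivileged host uid in a user namespace, so host-wide network and file data that a rootful agent reads freely is denied. The following shell snippet is an added example, not ThreatMapper's own code, for checking both sides of that before deploying: whether the daemon is rootless (from the `docker info --format '{{.SecurityOptions}}'` output, assumed here to contain the token `name=rootless`), whether the process is in the host user namespace (from `/proc/self/uid_map`), and which host data sources are readable. The sample `docker info` and `uid_map` strings are constructed, and the host-root mount path passed to `probe_host_access` is an assumption.

```shell
# Added example: detect rootless Docker and probe the host data sources a
# root-running scanner agent depends on. Not ThreatMapper project code.

# Constructed samples of `docker info --format '{{.SecurityOptions}}'` output.
# Assumption: a rootless daemon lists "name=rootless" among its options.
SAMPLE_ROOTLESS_INFO='[name=seccomp,profile=builtin name=rootless name=cgroupns]'
SAMPLE_ROOTFUL_INFO='[name=apparmor name=seccomp,profile=builtin name=cgroupns]'

# Constructed samples of /proc/self/uid_map. The host (initial) user namespace
# has a single identity mapping over the full uid range; a container under a
# rootless daemon maps uid 0 to the unprivileged daemon owner instead.
SAMPLE_HOST_UID_MAP='         0          0 4294967295'
SAMPLE_ROOTLESS_UID_MAP='         0       1000          1
         1     100000      65536'

# docker_is_rootless <security-options-string>
# Returns 0 when the daemon's security options name rootless mode.
docker_is_rootless() {
  case "$1" in
    *name=rootless*) return 0 ;;
    *) return 1 ;;
  esac
}

# in_host_userns <uid_map-contents>
# Returns 0 when the first mapping line is "0 0 4294967295", i.e. the process
# is in the host user namespace and its root really is host root.
in_host_userns() {
  set -- $(printf '%s\n' "$1" | head -n 1)
  [ "$#" -eq 3 ] && [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# probe_host_access [host-root]
# Prints "<path> ok" or "<path> denied" for representative host sources the
# agent reads: connection table, a root-only file, and the Docker data root.
# The host root is assumed to be bind-mounted at the given path (default "/").
probe_host_access() {
  root="${1:-/}"
  for p in "$root/proc/net/tcp" "$root/etc/shadow" "$root/var/lib/docker"; do
    if [ -r "$p" ]; then
      echo "$p ok"
    else
      echo "$p denied"
    fi
  done
}
```

Typical use on a host: `docker_is_rootless "$(docker info --format '{{.SecurityOptions}}')"` on the host, then `in_host_userns "$(cat /proc/self/uid_map)"` and `probe_host_access /` from inside the agent container. Any "denied" line is a data source the console will receive only partially or not at all under rootless mode.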

dmdhrumilmistry commented 6 months ago

@noboruma thanks for the clarity on the issue. We would like to stick to rootless mode for now since it avoids several security risks. Would it be possible to run the agent without using Docker with root permissions?