Allow Kritis to run as non-root

[ba32107]

Hi!

I am experimenting with Kritis within my company. During the POC phase, I noticed that the Kritis validation webhook must run as root. When running as a non-privileged user, I got permission denied errors that were originating from somewhere around here: https://github.com/grafeas/kritis/blob/master/cmd/kritis/admission/main.go#L160

Unfortunately, I do not have the exact error message and stack trace handy as of now, but I can dig it up if it helps. I believe Kritis was unable to access the .kubeconfig directory.

Running as root is something we don't allow according to our policies. I managed to run the project by temporarily disabling this policy, but this is something we'd prefer not to do. Are there any plans to allow Kritis to run as non-root?

[nenaddedic]

Yes, please, if it's not too much trouble, then include the error message / stack trace.

[ba32107]

Sure thing - I will get back to you tomorrow with details. Thanks

[ba32107]

The error is:

1 main.go:132] starting background job: Error creating kubeConfig: Error loading config file "/root/.kube/config": open /root/.kube/config: permission denied

There is no stack trace, but I believe the error originates from somewhere around here.

This is with running version kritis-server:5e94b81b2d686303e6cd49653c80c36e290262cf.

Thanks

[ba32107]

Hi @nenaddedic, did you have any chance to have a look at this? I'd be interested to see if we can make this work somehow without running as root. Thanks.

[nenaddedic]

I have looked only a little bit, haven't tried to reproduce. What kind of cluster were you running kritis on? Was it minikube?

[ingvarm-gr]

This is a cluster running 1.14 on CoreOS, with assorted RBAC, pod-security policies, and OPA validation blocking "application namespaces" from running processes with root privilege as this poses a risk for pods to escape the docker containment.

[nenaddedic]

@ba32107 @ingvarm-gr have you had any luck getting this to work as non-root? I haven't had a chance to investigate unfortunately.

[ba32107]

Hi @nenaddedic, no unfortunately we haven't had a chance either. For now we are working on Grafeas, but planning to look at Kritis soon. I will update once I know more, but if you have a chance to look at this meanwhile, that would be a lot of help for us.

Thanks