jfrog / charts

JFrog official Helm Charts
https://jfrog.com/integration/helm-repository/
Apache License 2.0

Current SecurityContext settings do not allow running it securely on EKS #1838

Closed dschunack closed 7 months ago

dschunack commented 10 months ago

BUG REPORT (choose one):

Version of Helm and Kubernetes: latest version 7.71.3 release on EKS 1.28 with Kyverno. The following policies are enforced:

Kyverno Policies: Kyverno NonRootGroup

Which chart: latest version 7.71.3 release

Which product license (Enterprise/Pro/oss): Enterprise

JFrog support reference (if already raised with support team): we will add it later

What happened: It's not possible at the moment to run Artifactory on EKS with Kyverno policies that don't allow running pods with UID and GID = 0. The problem is the following change, which was implemented to fix issues on OpenShift, but it blocks us from installing it on EKS. It's not possible to set the GID and fsGroup due to this change. It makes no sense to enable this only for OpenShift. The container is able to run without UID and GID = 0, so why is this not the standard?

As you know, we all want to keep our environments secure, and you have the possibility to run Artifactory by default with a user UID/GID and not with the root UID/GID.

Our proposal is to run Artifactory by default with a user UID/GID, to revert the following changes, and to set the SecurityContext by default as in PR #1744.

This helps all who want to keep their k8s secure and fulfill the PSS policies for K8s solutions, and not only on OpenShift.

What you expected to happen: Implement a way to run Artifactory securely on all K8s solutions like EKS/AKS/GKE and OpenShift.

How to reproduce it (as minimally and precisely as possible): Use EKS with Kyverno or any solution that fulfills the PSS and try to install Artifactory.

At the moment it will fail; it's not possible to set the correct GID, as it's blocked by the following code

chukka commented 10 months ago

Thanks for raising this, we are currently fixing this internally and will be able to release a patch in two weeks.

Logeshwarsn commented 9 months ago

Update: We have a fix ready and it will be included in the next patch 7.71.x

gjlam95 commented 9 months ago

Update: We have a fix ready and it will be included in the next patch 7.71.x

Hi developers, do note that the same issue is found in the latest Xray chart as well. Lines of code affected here

  1. runAsNonRoot is not set despite the flag being set in the tpl file
  2. runAsGroup is missing and is causing the error shown in the original issue

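To make the two defects named in the original issue and in the comment above concrete (runAsNonRoot not set, runAsGroup and fsGroup missing), here is an added check, not code from the jfrog/charts repository or from Kyverno, that applies the same non-root rules to a Pod spec. The pod specs are constructed for this example, and UID/GID 1030 is an assumed non-root id, not a value taken from the chart.

```python
# Added example (not from jfrog/charts): mirror the non-root pod checks that the
# Kyverno policies in this thread enforce, so a rendered chart can be vetted
# offline. Pod specs are plain dicts, e.g. from json.loads(kubectl get pod -o json).
from typing import Any


def non_root_violations(pod_spec: dict) -> list:
    """Return policy violations of one Pod spec (an empty list means compliant).

    Rules, as described in the thread: runAsNonRoot must be true, runAsUser and
    runAsGroup must be set and non-zero for every container (pod level or
    container level), fsGroup must be set and non-zero at pod level, and no
    container may override any of these back to root (0).
    """
    pod_sc: dict[str, Any] = pod_spec.get("securityContext", {})
    problems = []
    if pod_sc.get("fsGroup", 0) == 0:
        problems.append("pod: fsGroup missing or 0")
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        # A container-level securityContext overrides the pod-level one field by field.
        sc = {**pod_sc, **c.get("securityContext", {})}
        name = c.get("name", "?")
        if sc.get("runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot not true")
        for field in ("runAsUser", "runAsGroup"):
            if sc.get(field, 0) == 0:
                problems.append(f"{name}: {field} missing or 0")
    return problems


# Constructed specs (UID/GID 1030 is an assumed non-root id, not a chart default).
BEFORE = {  # shape of the reported problem: only runAsUser is set
    "securityContext": {"runAsUser": 1030},
    "containers": [{"name": "artifactory"}],
}
AFTER = {  # what a Kyverno non-root policy accepts
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1030,
                        "runAsGroup": 1030, "fsGroup": 1030},
    "containers": [{"name": "artifactory"}],
}
ROOT_OVERRIDE = {  # pod level is fine, but an init container drops back to root
    **AFTER,
    "initContainers": [{"name": "init-chown", "securityContext": {"runAsUser": 0}}],
}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER), ("override", ROOT_OVERRIDE)):
        print(label, non_root_violations(spec) or "compliant")
```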
chukka commented 9 months ago

Update: This fix release has been delayed by at least a couple of weeks.

rahulsadanandan commented 7 months ago

@gjlam95 The fix for the Xray will be implemented in version 3.90.x.

rahulsadanandan commented 6 months ago

Sorry for the delay. The Xray fix has been merged into version 3.91.x.