nabsul / k8s-ecr-login-renew

Renews Docker login credentials for an AWS ECR container registry.
MIT License

Use a non-root user in the Docker image #30

Closed PawelLipski closed 2 years ago

PawelLipski commented 2 years ago

For the sake of security! Better not to run things as root in the cluster (esp. in a long-running CronJob, as opposed to e.g. one-off Helm hooks).

nabsul commented 2 years ago

I don't think this tool has root access to the cluster... It runs as root in an isolated container. And that container has a service account assigned to it that only grants it permission to read the AWS secret and write to the docker secret.

I'm not familiar with Helm hooks or how they solve this concern.

PawelLipski commented 2 years ago

> I don't think this tool has root access to the cluster... It runs as root in an isolated container

It doesn't have root access to the underlying nodes; in principle no container should, of course :) But the problem is what happens in case a break-away happens due to a vulnerability! It's better to have a non-root user running to minimize the scope of what the attacker can do. This is a common security practice... certain k8s implementations even require usage of non-root containers only, see https://docs.bitnami.com/tutorials/running-non-root-containers-on-openshift for details.

> I'm not familiar with Helm hooks or how they solve this concern.

Helm hooks don't solve this concern... they're just presumably less affected than e.g. Deployments or CronJobs, as they only run for a limited amount of time, thus reducing the surface for a potential attack.

nabsul commented 2 years ago

Cool, I'll read up about it. At first glance this looks like an easy change to make in the Dockerfile that won't affect anything else.

nabsul commented 2 years ago

Done, thanks for the tip about this. I'll eventually make this a practice in all the containers I build.

PawelLipski commented 2 years ago

Hmmm, checking now... what's the user/group id actually? 🤔 Still seeing root in the image:

$ docker run nabsul/k8s-ecr-login-renew:v1.7 id
Unable to find image 'nabsul/k8s-ecr-login-renew:v1.7' locally
v1.7: Pulling from nabsul/k8s-ecr-login-renew
2408cc74d12b: Pull complete 
317899fe5b6a: Pull complete 
Digest: sha256:5548e237535902013b8febe85f0ce05f7169613aa7b9f98360acb96d551a7adb
Status: Downloaded newer image for nabsul/k8s-ecr-login-renew:v1.7
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
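The two halves of this thread (the Dockerfile change nabsul describes, and the `docker run ... id` probe PawelLipski used to catch the unmerged PR) can be put together as one shell script. This is an added example, not the project's Dockerfile or the code in PR #32; the base image, the user name `app`, the uid/gid `10001`, the binary path and the builder stage are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumes the Go binary was built in an
# earlier stage named "builder" at /src/k8s-ecr-login-renew; user/uid values are arbitrary.

# Proposed Dockerfile tail. A *numeric* USER matters: the kubelet can only enforce
# runAsNonRoot when it can tell the uid is non-zero without resolving a name.
dockerfile_non_root() {
cat <<'EOF'
FROM alpine:3.18
RUN addgroup -g 10001 app && adduser -D -u 10001 -G app app
COPY --from=builder /src/k8s-ecr-login-renew /usr/local/bin/k8s-ecr-login-renew
USER 10001:10001
ENTRYPOINT ["/usr/local/bin/k8s-ecr-login-renew"]
EOF
}

# Belt-and-braces on the cluster side: even if a root image slips through (as v1.7 did),
# a CronJob carrying this securityContext will be refused by the kubelet instead of run.
cronjob_security_context() {
cat <<'EOF'
securityContext:
  runAsNonRoot: true
  runAsUser: 10001
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
EOF
}

# Parse one line of `id` output (the probe run in the comment above) and succeed only
# when the uid is non-zero, so a CI step can fail a build whose image still runs as root.
is_non_root_id() {
  uid=$(printf '%s' "$1" | sed -n 's/^uid=\([0-9]*\)(.*/\1/p')
  if [ -n "$uid" ] && [ "$uid" -ne 0 ]; then
    return 0
  else
    return 1
  fi
}

# Same probe as in the comment, wrapped for use in a pipeline: check_image nabsul/k8s-ecr-login-renew:v1.7
check_image() {
  is_non_root_id "$(docker run --rm "$1" id)"
}
```

`check_image` needs a Docker daemon, so it is not run here; `is_non_root_id` is pure text parsing and can be unit-tested with constructed `id` lines such as the `uid=0(root)` output pasted above.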

nabsul commented 2 years ago

LoL. Thanks for double checking. I thought I merged the PR but I didn't :-D https://github.com/nabsul/k8s-ecr-login-renew/pull/32/files

Actually, could you take a look at this PR? Is anything else needed?

nabsul commented 2 years ago

Ok, I think this is now taken care of, and even better than the original implementation. Thanks again!

(Build is in progress and should finish in about 20 minutes and auto-publish to docker hub)

https://github.com/nabsul/k8s-ecr-login-renew/actions/runs/2449819810