Closed PawelLipski closed 2 years ago
I don't think this tool has root access to the cluster... It runs as root in an isolated container. And that container has a service account assigned to it that only grants it permission to read the AWS secret and write to the docker secret.
I'm not familiar with Helm hooks or how they solve this concern.
> I don't think this tool has root access to the cluster... It runs as root in an isolated container
It doesn't have root access to the underlying nodes; in principle no container should have, of course :) But the problem is what happens in case a break-away happens due to a vulnerability! It's better to have a non-root user running to minimize the scope of what the attacker can do. This is a common security practice... certain k8s implementations even require usage of non-root containers only, see https://docs.bitnami.com/tutorials/running-non-root-containers-on-openshift for details
> I'm not familiar with Helm hooks or how they solve this concern.
Helm hooks don't solve this concern... they're just presumably less affected than e.g. Deployments or CronJobs, as they only run for a limited amount of time, thus reducing the surface for a potential attack
Cool, I'll read up about it. At first glance this looks like an easy change to make in the Dockerfile that won't affect anything else.
Done, thanks for the tip about this. I'll eventually make this a practice in all the containers I build.
Hmmm checking now... what's the user/group id actually? 🤔 still seeing root in the image:

```
$ docker run nabsul/k8s-ecr-login-renew:v1.7 id
Unable to find image 'nabsul/k8s-ecr-login-renew:v1.7' locally
v1.7: Pulling from nabsul/k8s-ecr-login-renew
2408cc74d12b: Pull complete
317899fe5b6a: Pull complete
Digest: sha256:5548e237535902013b8febe85f0ce05f7169613aa7b9f98360acb96d551a7adb
Status: Downloaded newer image for nabsul/k8s-ecr-login-renew:v1.7
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
```
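A cluster-side guard for exactly the slip seen above (image still running as root because the Dockerfile change never shipped), added here as an example and not part of the project's chart: with `runAsNonRoot: true` the kubelet refuses to start the container when the image's effective UID is 0, so the mistake surfaces as a failed pod rather than a root process. The CronJob name, schedule and service account are hypothetical placeholders; only the image reference comes from the thread.

```yaml
# Added example, not the k8s-ecr-login-renew chart's own manifest.
# Names, schedule and service account are hypothetical.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-login-renew            # hypothetical
spec:
  schedule: "0 */6 * * *"          # example schedule only
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ecr-login-renew   # hypothetical
          restartPolicy: Never
          securityContext:
            # The check: at container start the kubelet compares the image's
            # USER with this setting. An image that still runs as root (like
            # v1.7 in the `id` output above) fails with
            # CreateContainerConfigError: "container has runAsNonRoot and
            # image will run as root", instead of silently running as uid 0.
            runAsNonRoot: true
            # Alternative: force a fixed UID regardless of the image's USER.
            # This masks a root-image mistake rather than flagging it, so it is
            # left commented out here.
            # runAsUser: 1000
            # runAsGroup: 1000
          containers:
            - name: renew
              image: nabsul/k8s-ecr-login-renew:v1.7
              securityContext:
                # The tool only needs outbound HTTPS to AWS and the API server,
                # so no Linux capabilities or privilege escalation are required
                # (assumption about the tool, not stated in the thread).
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
```

Note that `runAsNonRoot` needs a numeric `USER` in the image to validate against; an image whose `USER` is a bare name the kubelet cannot resolve is also rejected, which is why a numeric UID in the Dockerfile is the safer pairing.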
LoL. Thanks for double checking. I thought I merged the PR but I didn't :-D https://github.com/nabsul/k8s-ecr-login-renew/pull/32/files
Actually, could you take a look at this PR? Is anything else needed?
Ok, I think this is now taken care of, and even better than the original implementation. Thanks again!
(Build is in progress and should finish in about 20 minutes and auto-publish to docker hub)
https://github.com/nabsul/k8s-ecr-login-renew/actions/runs/2449819810
For the sake of security! Better not to run things as root in the cluster (esp. in a long-running CronJob, as opposed to e.g. one-off Helm hooks)