odpi / egeria-samples

various samples that can be useful either for learning or as initial starting points for working with Egeria
Apache License 2.0

vdc k8s deployments fail if cluster security enforces some runAsNonRoot policy #27

Closed planetf1 closed 3 years ago

planetf1 commented 4 years ago

User reported that the vdc helm chart fails on IBM Cloud Private (unknown version) with:

  Warning  Failed     80s (x8 over 2m48s)  kubelet, 9.30.141.18  Error: container has runAsNonRoot and image has non-numeric user (egeria), cannot verify user is non-root

One example of an issue is here -> https://github.com/helm/helm/issues/4818 & more info at https://developer.ibm.com/technologies/containers/articles/kubernetes-docker-cluster/

The current Dockerfile for egeria contains:

USER egeria:egeria

i.e. non-numeric.

Other images also to be checked

The latest k8s docs seem to confirm this is still the case: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - i.e. when the 'mustRunAsNonRoot' policy is enabled.

We will need to change to a non-numeric user.

This will affect both helm charts, so our lab environment also
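The check the kubelet performs behind the error quoted above, as an added example that is not code from this issue or from the Egeria project: a small POSIX shell script that reads the effective `USER` instruction from a Dockerfile and classifies it the way `runAsNonRoot` enforcement does. The kubelet can only prove "non-root" for a numeric UID, so a named user such as `egeria` is rejected with "cannot verify user is non-root", while `0`/`root` (or no `USER` at all) is rejected as root. The two Dockerfiles written by the script are constructed for the demo; the base image name and the `adduser`/`addgroup` lines are placeholders, not Egeria's actual Dockerfile.

```shell
#!/bin/sh
# Added example (not code from the issue or the Egeria project): a Dockerfile
# check that mirrors the kubelet's runAsNonRoot verification. The kubelet can
# only prove "non-root" for a numeric UID; a named user such as "egeria" is
# rejected with "cannot verify user is non-root".

# classify_user VALUE: VALUE is the argument of a Dockerfile USER line,
# e.g. "egeria:egeria" or "1000:1000". Prints root | unverifiable | nonroot.
classify_user() {
    uid=${1%%:*}                         # strip an optional ":group" suffix
    case "$uid" in
        ''|root|0)  echo root ;;         # root (also the default when USER is absent)
        *[!0-9]*)   echo unverifiable ;; # named user: kubelet cannot check it
        *)          echo nonroot ;;      # numeric, non-zero UID: accepted
    esac
}

# last_user_in_dockerfile FILE: the last USER instruction wins, as in Docker.
# Prints an empty string when the Dockerfile never sets USER (i.e. root).
last_user_in_dockerfile() {
    awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$1"
}

# check_dockerfile FILE: prints the classification of the effective USER.
check_dockerfile() {
    classify_user "$(last_user_in_dockerfile "$1")"
}

# --- constructed demo Dockerfiles (base image name is a placeholder) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# "before": named user, as in the issue; fails under mustRunAsNonRoot
cat > "$demo_dir/Dockerfile.before" <<'EOF'
FROM example-base-image
RUN addgroup egeria && adduser -G egeria -D egeria
USER egeria:egeria
EOF

# "after": user created with an explicit UID/GID and referenced numerically
cat > "$demo_dir/Dockerfile.after" <<'EOF'
FROM example-base-image
RUN addgroup -g 1000 egeria && adduser -u 1000 -G egeria -D egeria
USER 1000:1000
EOF

for f in "$demo_dir/Dockerfile.before" "$demo_dir/Dockerfile.after"; do
    printf '%s: USER "%s" -> %s\n' "$(basename "$f")" \
        "$(last_user_in_dockerfile "$f")" "$(check_dockerfile "$f")"
done
```

Running it prints `unverifiable` for the "before" Dockerfile and `nonroot` for the "after" one. The same verification also passes when the pod spec sets `securityContext.runAsUser` to a numeric non-zero UID, because the kubelet then checks that value instead of the image's user; fixing the image is still preferable, since it works for every chart and cluster without per-deployment overrides.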

planetf1 commented 4 years ago

Basics done for 1.8 Ranger, gaian - and testing vdc will target 1.11

planetf1 commented 3 years ago

Keep this in the base now as it's related to the creation of our images primarily. Will make changes in samples as needed

planetf1 commented 3 years ago

odpi/egeria#2790 will add more docs into the base (for now) on running our charts in openshift. The base images used in the lab chart will be addressed there.

moving this issue to the samples repo where we can add any extra info and code changes for vdc related content

planetf1 commented 3 years ago

Our remaining images (in base egeria) now use numeric ids, so closing (Note that atlas/ranger & other vdc specific images are out of scope)