Open patrickdung opened 1 year ago
Filed a PR for the user change itself.
It would be nice to follow this up with the Operator adding a securityContext.runAsNonRoot: true
to the POD container, which would silence such policy warnings by default.
Actually the base image of this image already creates the zookeeper user with UID=1000. So a workaround to run as non-root is to specify user 1000 in the helm chart:

```yaml
pod:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
```

EDIT: Note that you also need to supply fsGroup here so that the POD will have write access to the data volume. Also, if you apply this change on an existing cluster, you will need to delete the PVC for each zk pod as they are upgraded, else there will be permission errors.
Description
This is the Dockerfile: https://github.com/pravega/zookeeper-operator/blob/master/docker/Dockerfile
No user is created, and the container runs as root (UID 0).
Importance
This is not a good security practice.
Location
https://github.com/pravega/zookeeper-operator/blob/master/docker/Dockerfile
Suggestions for an improvement
Create a dedicated user and run the container as that user instead of root (UID 0).
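A quick way to confirm whether a deployed pod is actually affected, either by the missing USER in the Dockerfile or by a securityContext that does not cover every container, is to apply the Kubernetes precedence rule for securityContext fields to the live Pod object. The checker below is an added example written for this issue; it is not code from the zookeeper-operator project. It assumes a Pod object in the shape `kubectl get pod <name> -o json` prints, and the two sample pods (the bare pod, and the same pod with the runAsNonRoot/runAsUser/fsGroup workaround from the comment above) are constructed for the example.

```python
"""Check a Kubernetes Pod object for containers that can end up running as root.

Added example for this issue, not code from the zookeeper-operator project.
It applies the precedence rule Kubernetes uses for securityContext fields:
a value set on the container wins over the pod-level value, and a field set
at neither level falls back to the image's USER (root for an image with no
USER instruction, which is the situation this issue describes).
Input is a Pod object in the shape `kubectl get pod <name> -o json` prints;
the two sample pods below are constructed for the example.
"""
import json

ROOT_UID = 0


def effective(field, pod_sc, ctr_sc):
    """Container-level securityContext value wins; else pod-level; else None."""
    if field in ctr_sc:
        return ctr_sc[field]
    return pod_sc.get(field)


def find_root_risks(pod):
    """Return [(container_name, finding), ...] for init and regular containers."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    # fsGroup only matters when a non-root UID has to write to a mounted PVC.
    uses_pvc = any("persistentVolumeClaim" in v for v in spec.get("volumes") or [])
    findings = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        name = c.get("name", "<unnamed>")
        ctr_sc = c.get("securityContext") or {}
        uid = effective("runAsUser", pod_sc, ctr_sc)
        non_root = effective("runAsNonRoot", pod_sc, ctr_sc)
        if uid == ROOT_UID and non_root is True:
            findings.append((name, "conflict: runAsNonRoot=true with runAsUser=0; kubelet will refuse to start it"))
        elif uid == ROOT_UID:
            findings.append((name, "runs as root: runAsUser=0"))
        elif uid is None and non_root is not True:
            findings.append((name, "may run as root: runAsUser unset and runAsNonRoot not true, so the image USER decides"))
        if uid not in (None, ROOT_UID) and uses_pvc and "fsGroup" not in pod_sc:
            findings.append((name, "non-root UID with a PVC but no fsGroup: the data volume may not be writable"))
    return findings


# Constructed sample: a zookeeper-style pod with no securityContext at all.
UNSAFE_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "zk-0"},
 "spec": {"containers": [{"name": "zookeeper", "image": "example/zookeeper:0.0"}],
          "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data-zk-0"}}]}}
""")

# Constructed sample: the same pod with the pod-level workaround from the comment applied.
HARDENED_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "zk-0"},
 "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 1000, "fsGroup": 1000},
          "containers": [{"name": "zookeeper", "image": "example/zookeeper:0.0"}],
          "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data-zk-0"}}]}}
""")

if __name__ == "__main__":
    for label, pod in (("unsafe", UNSAFE_POD), ("hardened", HARDENED_POD)):
        for name, finding in find_root_risks(pod) or [(None, "no findings")]:
            print(f"{label}: {name}: {finding}")
```

To run it against a live cluster, load the output of `kubectl get pod zk-0 -o json` with `json.load` and pass the object to `find_root_risks`. Note the asymmetry the checker encodes: `runAsNonRoot: true` with no `runAsUser` produces no finding, because the kubelet then refuses to start a container whose image USER is root or non-numeric rather than running it as root, whereas leaving both unset silently inherits whatever the image does.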