pravega / zookeeper-operator

Kubernetes Operator for Zookeeper
Apache License 2.0
368 stars 207 forks source link

The pravega zookeeper docker image run as root by default #538

Open patrickdung opened 1 year ago

patrickdung commented 1 year ago

Description

This is the Dockerfile https://github.com/pravega/zookeeper-operator/blob/master/docker/Dockerfile

No user is created and it runs the docker as root (UID 0)

Importance

This is not a good security practice.

Location

https://github.com/pravega/zookeeper-operator/blob/master/docker/Dockerfile

Suggestions for an improvement

Create a dedicated user and specify it to run instead of root/UID 0.

janhoy commented 1 year ago

Filed a PR for the user change itself.

It would be nice to follow up this with the Operator adding a a securityContext.runAsNonRoot: true to the POD container, which would silence such policy warnings by default.

janhoy commented 1 year ago

Actually the base image of this image already creates the zookeeper user with UID=1000. So a workaround to run as non-root is to specify user 1000 in the helm chart:

pod:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000

EDIT: Note that you also need to supply fsGroup here so that the POD will have write access to the data volume. Also, if you apply this change on an existing cluster, you will need to delete the PVC for each zk pod as they are upgraded, else there will be permission errors.