ribbybibby / ssl_exporter

Exports Prometheus metrics for TLS certificates
Apache License 2.0
525 stars, 99 forks

Container has runAsNonRoot and image has non-numeric user (ssl), cannot verify user is non-root #102

Open xjulio opened 2 years ago

xjulio commented 2 years ago

When deploying in Kubernetes and setting runAsNonRoot in securityContext, the Kubernetes admission controller fails because it cannot verify whether the user is non-root.

Environment:

Kubernetes: v1.22.0
ssl-exporter image: 2.4.1

Deployment example gist:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ssl-exporter
  labels:
    name: ssl-exporter
spec:
  selector:
    matchLabels:
      name: ssl-exporter
  template:
    metadata:
      labels:
        name: ssl-exporter
    spec:
      containers:
        - name: ssl-exporter
          image: docker.io/ribbybibby/ssl-exporter:2.4.1
          ports:
            - containerPort: 9219
          securityContext:
            runAsNonRoot: true

Errors:

kubectl get po -l name=ssl-exporter
NAME                            READY   STATUS                       RESTARTS   AGE
ssl-exporter-7b544fd7d8-k9pnv   0/1     CreateContainerConfigError   0          5m14s

kubectl describe po ssl-exporter-7b544fd7d8-k9pnv

Events:
  Type     Reason          Age                From               Message
  ----     ------          ----               ----               -------
  Normal   Scheduled       31s                default-scheduler  Successfully assigned default/ssl-exporter-7b544fd7d8-k9pnv to node3
  Normal   SandboxChanged  29s                kubelet            Pod sandbox changed, it will be killed and re-created.
  Normal   Pulled          12s (x5 over 30s)  kubelet            Container image "docker.io/ribbybibby/ssl-exporter:2.4.1" already present on machine
  Warning  Failed          12s (x5 over 30s)  kubelet            Error: container has runAsNonRoot and image has non-numeric user (ssl), cannot verify user is non-root (pod: "ssl-exporter-7b544fd7d8-k9pnv_default(bac551ee-88ea-4a21-bd18-92afb1f6a663)", container: ssl-exporter)

Steps to reproduce:

  1. Apply k8s manifest

    kubectl apply -f https://gist.githubusercontent.com/xjulio/5c2f690b9e1304bf41dd0ce024dbf8c1/raw/68748b04f1d2a1988a4cfad9b8f32a598ef4c854/ssl-exporter-deploy.yaml
  2. List pods to check CreateContainerConfigError

    kubectl get po -l name=ssl-exporter
  3. Describe ssl-exporter pod from step 2.

    kubectl describe po ssl-exporter-XXXXXXXXX

Proposed solution

Removing the non-numeric user (ssl) from the Dockerfile.

FROM alpine:3.15 as build
RUN apk --update add ca-certificates

FROM scratch

COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY ssl_exporter /

USER 10001

EXPOSE 9219/tcp
ENTRYPOINT ["/ssl_exporter"]

There's no need for a named user, or for a passwd/group file, because the Go compiler generates the binary with execute permission 755 (execute for everyone) and ca-certificates.crt has permission 644 (read for everyone).

Test

A new Docker image was created and deployed to Docker Hub.

docker.io/xjulio/ssl-exporter:2.4.1-numeric-userid
DIGEST: sha256:bd53b4d5ac73308a3c9ed47e896e752c2cab9bd58e88a258aef4113635c45dc9

Testing new image

Deploy using new image gist:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ssl-exporter
  labels:
    name: ssl-exporter
spec:
  selector:
    matchLabels:
      name: ssl-exporter
  template:
    metadata:
      labels:
        name: ssl-exporter
    spec:
      containers:
        - name: ssl-exporter
          image: docker.io/xjulio/ssl-exporter:2.4.1-numeric-userid
          ports:
            - containerPort: 9219
          securityContext:
            runAsNonRoot: true

Applying k8s manifest:

kubectl apply -f https://gist.githubusercontent.com/xjulio/e971fd4fed0a1c2351ed0f26f1f30dba/raw/5e2bf299e2d4709e6d47b3afe643819cd05d6e24/ssl-exporter-deploy.yaml

Checking pods:

kubectl get po -l name=ssl-exporter
NAME                            READY   STATUS    RESTARTS   AGE
ssl-exporter-85457876ff-mwqmc   1/1     Running   0          8s

kubectl describe po ssl-exporter-85457876ff-mwqmc
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  50s   default-scheduler  Successfully assigned default/ssl-exporter-85457876ff-mwqmc to node3
  Normal  Pulled     49s   kubelet            Container image "docker.io/xjulio/ssl-exporter:2.4.1-numeric-userid@sha256:bd53b4d5ac73308a3c9ed47e896e752c2cab9bd58e88a258aef4113635c45dc9" already present on machine
  Normal  Created    48s   kubelet            Created container ssl-exporter
  Normal  Started    48s   kubelet            Started container ssl-exporter
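
The following is an added example, not code from ssl_exporter or from the issue author. It reproduces, as far as I know it, the decision the kubelet makes for `runAsNonRoot: true` given the image's USER value and an optional `securityContext.runAsUser`, so an image can be checked before it is deployed. Assumptions: the CRI runtime keeps only the part of USER before `:` and treats it as a uid if numeric, otherwise as a user name; an image with no USER at all is treated as uid 0. All Dockerfile snippets below are constructed, and `dockerfile_user` and `nonroot_verdict` are hypothetical helper names.

```shell
#!/bin/sh
# Added example for ssl_exporter issue #102; not project code.
# Mirrors (as an assumption) the kubelet's verifyRunAsNonRoot logic:
#   1. securityContext.runAsUser set   -> rejected only if it is 0
#   2. else image USER is numeric       -> rejected only if it is 0
#   3. else image USER is a name        -> cannot verify, rejected
#   4. else no USER at all              -> runtime defaults to uid 0, rejected
#
# For a pulled image, the real USER value comes from:
#   docker image inspect --format '{{.Config.User}}' docker.io/ribbybibby/ssl-exporter:2.4.1

# dockerfile_user < Dockerfile : prints the value of the last USER instruction ("" if none)
dockerfile_user() {
    grep -i '^USER[[:space:]]' | tail -n 1 | awk '{print $2}'
}

# is_numeric STRING : true if STRING is a non-empty run of digits
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# nonroot_verdict IMAGE_USER [RUN_AS_USER]
# Prints one of:
#   ok           container would be created
#   root         "image will run as root" / "runAsUser breaks non-root policy"
#   non-numeric  "image has non-numeric user (NAME), cannot verify user is non-root"
nonroot_verdict() {
    image_user=$(printf '%s\n' "$1" | cut -d: -f1)   # drop any ":group" suffix
    run_as_user=${2:-}

    # 1. runAsUser in the pod/container spec wins over the image; only uid 0 is rejected.
    if [ -n "$run_as_user" ]; then
        if [ "$run_as_user" = "0" ]; then echo root; else echo ok; fi
        return
    fi
    # 2. Numeric image user: only uid 0 is rejected.
    if is_numeric "$image_user"; then
        if [ "$image_user" = "0" ]; then echo root; else echo ok; fi
        return
    fi
    # 3. Named image user: the kubelet does no passwd lookup inside the image,
    #    so it cannot prove the name maps to a non-zero uid.
    if [ -n "$image_user" ]; then
        echo non-numeric
        return
    fi
    # 4. No USER instruction at all.
    echo root
}

# Constructed Dockerfiles standing in for the 2.4.1 image and the proposed fix.
original_user=$(printf 'FROM scratch\nUSER ssl\nENTRYPOINT ["/ssl_exporter"]\n' | dockerfile_user)
fixed_user=$(printf 'FROM scratch\nUSER 10001\nENTRYPOINT ["/ssl_exporter"]\n' | dockerfile_user)

echo "USER $original_user, no runAsUser     -> $(nonroot_verdict "$original_user")"
echo "USER $original_user, runAsUser: 10001 -> $(nonroot_verdict "$original_user" 10001)"
echo "USER $fixed_user, no runAsUser   -> $(nonroot_verdict "$fixed_user")"
```

The second line of output is the workaround for the unmodified 2.4.1 image: setting `securityContext.runAsUser` to any non-zero uid in the pod spec makes the kubelet skip the image-user check entirely, at the cost of hard-coding the uid in every manifest. Changing the Dockerfile to `USER 10001` removes that burden from deployers, which is why the numeric user is the better fix.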

xjulio commented 2 years ago

Hi @ribbybibby, I'll send a PR to fix this issue.