You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The dockerfile does not specifiy a user. From the documentation:
When the user doesn't have a primary group then the image (or the next instructions) will be run with the root group.
We can also see from this blogpost from Docker that it is a best practice to run as non root user.
I have tried to do it by adding
spec:
securityContext:
runAsNonRoot: true
to my gubernator pod.
You can see the complete manifest here.
---
apiVersion: v1kind: ServiceAccountmetadata:
name: gubernator
---
apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:
name: get-endpointsrules:
- apiGroups:
- ""resources:
- endpointsverbs:
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:
name: get-endpointsroleRef:
apiGroup: rbac.authorization.k8s.iokind: Rolename: get-endpointssubjects:
- kind: ServiceAccountname: gubernator
---
apiVersion: v1kind: Podmetadata:
name: gubernatorlabels:
app: gubernatorspec:
securityContext:
runAsNonRoot: trueserviceAccountName: gubernatorcontainers:
- image: ghcr.io/gubernator-io/gubernator:latestimagePullPolicy: IfNotPresentports:
- name: grpc-portcontainerPort: 81
- name: http-portcontainerPort: 80name: gubernatorenv:
- name: GUBER_K8S_NAMESPACEvalueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: GUBER_K8S_POD_IPvalueFrom:
fieldRef:
fieldPath: status.podIP# Must set the GRPC and HTTP addresses, as gubernator# defaults to listening on localhost only
- name: GUBER_GRPC_ADDRESSvalue: 0.0.0.0:81
- name: GUBER_HTTP_ADDRESSvalue: 0.0.0.0:80# Use the k8s API for peer discovery
- name: GUBER_PEER_DISCOVERY_TYPEvalue: "k8s"# This should match the port number GRPC is listening on# as defined by `containerPort`
- name: GUBER_K8S_POD_PORTvalue: "81"# The selector used when listing endpoints. This selector# should only select gubernator peers.
- name: GUBER_K8S_ENDPOINTS_SELECTORvalue: "app=gubernator"# Gubernator can watch 'endpoints' for changes to the peers# or it can watch 'pods' (Defaults to 'endpoints')# - name: GUBER_K8S_WATCH_MECHANISM# value: "endpoints"# Enable debug for diagnosing issues
- name: GUBER_DEBUGvalue: "true"# Defines the max age of a client connection# Default is infinity# - name: GUBER_GRPC_MAX_CONN_AGE_SEC# value: "30"restartPolicy: Always
---
apiVersion: v1kind: Servicemetadata:
name: gubernatorlabels:
app: gubernatorspec:
type: LoadBalancerports:
- targetPort: 80port: 80selector:
app: gubernator
This does not work. It fails with:
Error: container has runAsNonRoot and image will run as root (pod: "gubernator-794fb7b76f-6vntp_default(8e4c444e-68ec-4800-9dd5-668a593a7b65)", container: gubernator)
To run as non root user, it would need to change:
Create a non root user in the Dockerfile. This would be ideally done in the build phase, since scratch image does not have the commands to do this. Then switch to the new user in the next phase.
I think the defaults would have to change since they use 0.0.0.0:80 and 0.0.0.0:81, which seems to be by default ports for root users. I could not find documentation on this, but I have tried running it like this and it did not work.
Here is an example script to test these changes in a local K8s cluster.
# delete local cluster if exists
kind delete cluster
# expose load balancer
cloud-provider-kind > cloud-provider-kind.log 2>&1&
kind create cluster
docker build -t custom-image .
kind load docker-image custom-image:latest
# ensure gubernator pod is using image: custom-image:latest
kubectl apply -f k8s-deployment.yaml
# wait until gubernator is ready
kubectl wait --for=jsonpath='{.status.loadBalancer.ingress}' service/gubernator
kubectl wait --for=condition=Ready pod/gubernator --timeout=5m
# check the pod and service
kubectl get all
# make a request
IP=$(kubectl get service/gubernator -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
ENDPOINT="http://$IP:80/v1/GetRateLimits"echo"ENDPOINT IS $ENDPOINT"
curl $ENDPOINT \
--header 'Content-Type: application/json' \
--data '{ "requests": [ { "name": "requests_per_sec", "uniqueKey": "account:12345", "hits": "1", "limit": "10", "duration": "1000" } ]}'
The dockerfile does not specifiy a user. From the documentation:
We can also see from this blogpost from Docker that it is a best practice to run as non root user.
I have tried to do it by adding
to my gubernator pod.
You can see the complete manifest here.
This does not work. It fails with:
To run as non root user, it would need to change:
scratch
image does not have the commands to do this. Then switch to the new user in the next phase.0.0.0.0:80
and0.0.0.0:81
, which seems to be by default ports for root users. I could not find documentation on this, but I have tried running it like this and it did not work.Here is an example script to test these changes in a local K8s cluster.
PR: #28
The text was updated successfully, but these errors were encountered: