Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Container has runAsNonRoot and image has non-numeric user (ssl), cannot verify user is non-root #102

Open
xjulio opened this issue Jun 3, 2022 · 1 comment · May be fixed by #103
Open

Container has runAsNonRoot and image has non-numeric user (ssl), cannot verify user is non-root #102

xjulio opened this issue Jun 3, 2022 · 1 comment · May be fixed by #103

Comments

@xjulio
Copy link

xjulio commented Jun 3, 2022

When deploying in Kubernetes and setting runAsNonRoot in securityContext, the Kubernetes admission controller fails because cannot verify if the user is non-root.

Environment:

Kuberntes: v1.22.0
ssl-exporter image: 2.4.1

Deployment example gist:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ssl-exporter
  labels:
    name: ssl-exporter
spec:
  selector:
    matchLabels:
      name: ssl-exporter
  template:
    metadata:
      labels:
        name: ssl-exporter
    spec:
      containers:
        - name: ssl-exporter
          image: docker.io/ribbybibby/ssl-exporter:2.4.1
          ports:
            - containerPort: 9219
          securityContext:
            runAsNonRoot: true

Errors:

kubectl get po -l name=ssl-exporter
NAME                            READY   STATUS                       RESTARTS   AGE
ssl-exporter-7b544fd7d8-k9pnv   0/1     CreateContainerConfigError   0          5m14s

kubectl describe po ssl-exporter-7b544fd7d8-k9pnv

Events:
  Type     Reason          Age                From               Message
  ----     ------          ----               ----               -------
  Normal   Scheduled       31s                default-scheduler  Successfully assigned default/ssl-exporter-7b544fd7d8-k9pnv to node3
  Normal   SandboxChanged  29s                kubelet            Pod sandbox changed, it will be killed and re-created.
  Normal   Pulled          12s (x5 over 30s)  kubelet            Container image "docker.io/ribbybibby/ssl-exporter:2.4.1" already present on machine
  Warning  Failed          12s (x5 over 30s)  kubelet            Error: container has runAsNonRoot and image has non-numeric user (ssl), cannot verify user is non-root (pod: "ssl-exporter-7b544fd7d8-k9pnv_default(bac551ee-88ea-4a21-bd18-92afb1f6a663)", container: ssl-exporter)

Steps to reproduce:

  1. Apply k8s manifest
kubectl apply -f https://gist.githubusercontent.com/xjulio/5c2f690b9e1304bf41dd0ce024dbf8c1/raw/68748b04f1d2a1988a4cfad9b8f32a598ef4c854/ssl-exporter-deploy.yaml
  1. List pods to check CreateContainerConfigError
kubectl get po -l name=ssl-exporter
  1. Describe ssl-exporter pod from step 2.
kubectl describe po ssl-exporter-XXXXXXXXX

Proposed solution

Removing non-numeric user(ssl) from Docker file.

FROM alpine:3.15 as build
RUN apk --update add ca-certificates

FROM scratch

COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY ssl_exporter /

USER 10001

EXPOSE 9219/tcp
ENTRYPOINT ["/ssl_exporter"]

There's no need for a named user, or having a passwd/group file, because the GO compiler generates the binary with execution permission 755 (execution to everyine) and ca-certificates.crt has permission 644 (read to everyone).

Test

A new docker image was created and deployed to docker hub.

docker.io/xjulio/ssl-exporter:2.4.1-numeric-userid
DIGEST:sha256:bd53b4d5ac73308a3c9ed47e896e752c2cab9bd58e88a258aef4113635c45dc9

Testing new image

Deploy using new image gist:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ssl-exporter
  labels:
    name: ssl-exporter
spec:
  selector:
    matchLabels:
      name: ssl-exporter
  template:
    metadata:
      labels:
        name: ssl-exporter
    spec:
      containers:
        - name: ssl-exporter
          image: docker.io/xjulio/ssl-exporter:2.4.1-numeric-userid
          ports:
            - containerPort: 9219
          securityContext:
            runAsNonRoot: true

Applying k8s manifest:

kubectl apply -f https://gist.githubusercontent.com/xjulio/e971fd4fed0a1c2351ed0f26f1f30dba/raw/5e2bf299e2d4709e6d47b3afe643819cd05d6e24/ssl-exporter-deploy.yaml

Checking pods:

kubectl get po -l name=ssl-exporter
NAME                            READY   STATUS    RESTARTS   AGE
ssl-exporter-85457876ff-mwqmc   1/1     Running   0          8s


kubectl describe po ssl-exporter-85457876ff-mwqmc
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  50s   default-scheduler  Successfully assigned default/ssl-exporter-85457876ff-mwqmc to node3
  Normal  Pulled     49s   kubelet            Container image "docker.io/xjulio/ssl-exporter:2.4.1-numeric-userid@sha256:bd53b4d5ac73308a3c9ed47e896e752c2cab9bd58e88a258aef4113635c45dc9" already present on machine
  Normal  Created    48s   kubelet            Created container ssl-exporter
  Normal  Started    48s   kubelet            Started container ssl-exporter
@xjulio
Copy link
Author

xjulio commented Jun 3, 2022

Hi @ ribbybibby, I'll send a PR to fix this issue.

xjulio added a commit to xjulio/ssl_exporter that referenced this issue Jun 3, 2022
@xjulio
Set numeric user to comply runAsNonRoot k8s policy
28c30df 
When in k8s, container has `runAsNonRoot` policy and image has non-numeric user (nobody),
then the deployment will fail as it cannot verify user is non-root.

Fixed ribbybibby#102

Signed-off-by: Julio Damasceno <[email protected]>
@xjulio xjulio linked a pull request Jun 3, 2022 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Set numeric user to comply runAsNonRoot k8s policy xjulio/ssl_exporter
1 participant
@xjulio