fix: Add non-root user into KubeArmor container(#1401) #1834
base: main
Conversation
Signed-off-by: Yash Patel <[email protected]>
@rksharma95 can you review the pr
@yp969803 Can you please also update the helm chart for this?
As of now, I'm not sure if this will work or not. Last time, I checked with non-root user the controller was failing. Having said that, we have refactored the controller a lot so please let me know if you've already verified the changes at runtime.
EDIT:
Also, I think it would be great if we have something like this uid=65532(nonroot) gid=65532(nonroot) groups=65532(nonroot)
(not a blocker for this PR and can be done as a follow up)
RunAsUser: ptr.To(int64(1000)),
RunAsGroup: ptr.To(int64(1000)),
Let's avoid this and change the Dockerfile instead to use non root user
Dockerfile already has configuration to use a non-root user
Only for the ubi-based image, not for the alpine one.
PTAL here
Line 43 in 6cd782f
FROM alpine:3.20 as kubearmor
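To illustrate the Dockerfile-based approach the reviewer prefers over `RunAsUser` in the pod spec, here is an added example (not KubeArmor's own Dockerfile) of the alpine stage creating the `nonroot` user at uid/gid 65532 that the first review comment asks for. The stage name and base image come from the snippet above; the builder stage name, the binary path and the entrypoint are assumptions.

```dockerfile
# Added example, not the project's Dockerfile: alpine runtime stage with a
# dedicated non-root user. Stage name and base image are from the PR thread;
# uid/gid 65532 and the name "nonroot" follow the reviewer's suggestion.
FROM alpine:3.20 AS kubearmor

# Create the group and user with a fixed uid/gid so the identity is stable
# across rebuilds and can be matched by a securityContext if one is set.
# BusyBox flags: -D no password, -H no home directory, -s login shell.
RUN addgroup -g 65532 nonroot \
    && adduser -D -H -u 65532 -G nonroot -s /sbin/nologin nonroot

# Assumption: the binary is produced by an earlier stage named "builder"
# at /kubearmor/kubearmor; chown it so the non-root user can execute it.
COPY --from=builder --chown=65532:65532 /kubearmor/kubearmor /KubeArmor/kubearmor

# Switch by numeric id so Kubernetes' runAsNonRoot admission check can
# verify the user without reading /etc/passwd inside the image.
USER 65532:65532

# Assumed entrypoint; adjust to the real binary location.
ENTRYPOINT ["/KubeArmor/kubearmor"]
```

Running `id` as the entrypoint in the resulting image should print the `uid=65532(nonroot) gid=65532(nonroot) groups=65532(nonroot)` line the reviewer asked for; whether the enforcers still work without root remains the runtime check requested below.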
Please check with a containerd environment locally if it works or not.
Please fill the PR template completely.
@yp969803 one more point I would like to add is, make sure you first validate if non-root user works with apparmor enforcer.
Signed-off-by: Yash Patel [email protected]
Purpose of PR?:
Fixes #1401