Open
Description
When deploying in Kubernetes and setting runAsNonRoot in securityContext, the Kubernetes admission controller fails because it cannot verify that the user is non-root.

Environment:
- Kubernetes: v1.22.0
- ssl-exporter image: 2.4.1
Deployment example gist:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ssl-exporter
  labels:
    name: ssl-exporter
spec:
  selector:
    matchLabels:
      name: ssl-exporter
  template:
    metadata:
      labels:
        name: ssl-exporter
    spec:
      containers:
      - name: ssl-exporter
        image: docker.io/ribbybibby/ssl-exporter:2.4.1
        ports:
        - containerPort: 9219
        securityContext:
          runAsNonRoot: true
```

Errors:
```
$ kubectl get po -l name=ssl-exporter
NAME                            READY   STATUS                       RESTARTS   AGE
ssl-exporter-7b544fd7d8-k9pnv   0/1     CreateContainerConfigError   0          5m14s

$ kubectl describe po ssl-exporter-7b544fd7d8-k9pnv
Events:
  Type     Reason          Age                From               Message
  ----     ------          ----               ----               -------
  Normal   Scheduled       31s                default-scheduler  Successfully assigned default/ssl-exporter-7b544fd7d8-k9pnv to node3
  Normal   SandboxChanged  29s                kubelet            Pod sandbox changed, it will be killed and re-created.
  Normal   Pulled          12s (x5 over 30s)  kubelet            Container image "docker.io/ribbybibby/ssl-exporter:2.4.1" already present on machine
  Warning  Failed          12s (x5 over 30s)  kubelet            Error: container has runAsNonRoot and image has non-numeric user (ssl), cannot verify user is non-root (pod: "ssl-exporter-7b544fd7d8-k9pnv_default(bac551ee-88ea-4a21-bd18-92afb1f6a663)", container: ssl-exporter)
```
Steps to reproduce:

1. Apply the k8s manifest:
   ```
   kubectl apply -f https://gist.githubusercontent.com/xjulio/5c2f690b9e1304bf41dd0ce024dbf8c1/raw/68748b04f1d2a1988a4cfad9b8f32a598ef4c854/ssl-exporter-deploy.yaml
   ```
2. List pods to check for CreateContainerConfigError:
   ```
   kubectl get po -l name=ssl-exporter
   ```
3. Describe the ssl-exporter pod from step 2:
   ```
   kubectl describe po ssl-exporter-XXXXXXXXX
   ```

Proposed solution
Remove the non-numeric user (ssl) from the Dockerfile:

```dockerfile
FROM alpine:3.15 as build
RUN apk --update add ca-certificates

FROM scratch
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY ssl_exporter /
USER 10001
EXPOSE 9219/tcp
ENTRYPOINT ["/ssl_exporter"]
```

There's no need for a named user, or for having a passwd/group file, because the Go compiler generates the binary with permission 755 (execute for everyone) and ca-certificates.crt has permission 644 (read for everyone).
Test

A new docker image was created and pushed to Docker Hub:

- docker.io/xjulio/ssl-exporter:2.4.1-numeric-userid
- DIGEST: sha256:bd53b4d5ac73308a3c9ed47e896e752c2cab9bd58e88a258aef4113635c45dc9

Testing the new image

Deploy using the new image gist:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ssl-exporter
  labels:
    name: ssl-exporter
spec:
  selector:
    matchLabels:
      name: ssl-exporter
  template:
    metadata:
      labels:
        name: ssl-exporter
    spec:
      containers:
      - name: ssl-exporter
        image: docker.io/xjulio/ssl-exporter:2.4.1-numeric-userid
        ports:
        - containerPort: 9219
        securityContext:
          runAsNonRoot: true
```
Applying the k8s manifest:

```
kubectl apply -f https://gist.githubusercontent.com/xjulio/e971fd4fed0a1c2351ed0f26f1f30dba/raw/5e2bf299e2d4709e6d47b3afe643819cd05d6e24/ssl-exporter-deploy.yaml
```

Checking pods:

```
$ kubectl get po -l name=ssl-exporter
NAME                            READY   STATUS    RESTARTS   AGE
ssl-exporter-85457876ff-mwqmc   1/1     Running   0          8s

$ kubectl describe po ssl-exporter-85457876ff-mwqmc
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  50s   default-scheduler  Successfully assigned default/ssl-exporter-85457876ff-mwqmc to node3
  Normal  Pulled     49s   kubelet            Container image "docker.io/xjulio/ssl-exporter:2.4.1-numeric-userid@sha256:bd53b4d5ac73308a3c9ed47e896e752c2cab9bd58e88a258aef4113635c45dc9" already present on machine
  Normal  Created    48s   kubelet            Created container ssl-exporter
  Normal  Started    48s   kubelet            Started container ssl-exporter
```
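As an added example (not ssl-exporter's, Kubernetes' or the issue author's code), the following Go program approximates the check the kubelet applies in its `verifyRunAsNonRoot` step, which is why `USER ssl` is rejected with the error quoted above and `USER 10001` is accepted, and it also exercises the other way of satisfying the check without rebuilding the image: an explicit non-zero `runAsUser` in the pod spec, which the kubelet accepts without consulting the image's USER at all. The type and function names, the handling of an optional `:group` suffix, and the defaulting of an image with no USER to UID 0 are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ImageUser is the user an image config (its Dockerfile USER) resolves to,
// in the form the kubelet gets back from the runtime: a numeric UID when
// USER was numeric, only a name otherwise.
type ImageUser struct {
	UID      *int64
	Username string
}

// ParseImageUser maps a Dockerfile USER value ("ssl", "10001", "10001:10001",
// or "" when the image sets no USER) to an ImageUser. Splitting off an optional
// ":group" part and treating an unset USER as UID 0 are assumptions of this
// example that mirror how the Docker-based runtime and the kubelet behaved.
func ParseImageUser(user string) ImageUser {
	u := strings.SplitN(user, ":", 2)[0]
	if u == "" {
		zero := int64(0) // no USER in the image: the runtime default is root
		return ImageUser{UID: &zero}
	}
	if n, err := strconv.ParseInt(u, 10, 64); err == nil {
		return ImageUser{UID: &n}
	}
	return ImageUser{Username: u}
}

// SecurityContext carries the two effective securityContext fields this check
// looks at (in Kubernetes, container-level values override pod-level ones;
// that merge is assumed to have happened already).
type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

var (
	ErrNonNumericUser = errors.New("image has non-numeric user, cannot verify user is non-root")
	ErrRootUser       = errors.New("container would run as root")
)

// VerifyRunAsNonRoot reproduces the decision the kubelet makes before creating
// a container whose effective securityContext sets runAsNonRoot: an explicit
// non-zero runAsUser is accepted without consulting the image; otherwise the
// image USER must be numeric and non-zero, because a name cannot be resolved
// to a UID (a scratch image has no /etc/passwd to resolve it against).
func VerifyRunAsNonRoot(sc SecurityContext, img ImageUser) error {
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		return nil // policy not requested, nothing to verify
	}
	if sc.RunAsUser != nil {
		if *sc.RunAsUser == 0 {
			return ErrRootUser
		}
		return nil // explicit non-zero UID wins over whatever the image says
	}
	if img.UID == nil {
		return fmt.Errorf("%w (%s)", ErrNonNumericUser, img.Username)
	}
	if *img.UID == 0 {
		return ErrRootUser
	}
	return nil
}

func main() {
	nonRoot := true
	uid := int64(10001)
	cases := []struct {
		label string
		sc    SecurityContext
		user  string
	}{
		{"ribbybibby/ssl-exporter:2.4.1 (USER ssl)", SecurityContext{RunAsNonRoot: &nonRoot}, "ssl"},
		{"rebuilt image (USER 10001)", SecurityContext{RunAsNonRoot: &nonRoot}, "10001"},
		{"USER ssl plus runAsUser: 10001 in the pod spec", SecurityContext{RunAsNonRoot: &nonRoot, RunAsUser: &uid}, "ssl"},
		{"image with no USER at all", SecurityContext{RunAsNonRoot: &nonRoot}, ""},
	}
	for _, c := range cases {
		if err := VerifyRunAsNonRoot(c.sc, ParseImageUser(c.user)); err != nil {
			fmt.Printf("%-48s -> CreateContainerConfigError: %v\n", c.label, err)
		} else {
			fmt.Printf("%-48s -> ok\n", c.label)
		}
	}
}
```

The third case is the operational workaround when you cannot rebuild the image: add `runAsUser: 10001` next to `runAsNonRoot: true` in the container's securityContext. The numeric-USER Dockerfile fix proposed above is still the better default, since it works for every deployment without each one having to know the UID.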