Update platform containers to use non-root users #7872
Conversation
Can you also change the port in kube/resources/webapp.yaml? Otherwise looks good.
After having updated the webapp nginx image to expose port 8080 instead of 80
@jrhizor Of course, looks like I missed that. Should be updated now in the latest commit 115e3e4.

EDIT: I see that the helm ci run failed. Trying to reproduce locally now. What is the intention of the helm chart PR check? To have it be green in this pipeline, we'd need to update it to use images built for this PR.
Thanks! We need to fix the acceptance tests in #8612 to get this in all of the way.
* Update platform containers to use non-root users
* Update kube template for the webapp container to use port 8080

  After having updated the webapp nginx image to expose port 8080 instead of 80
* missing 80 -> 8080 changes

Co-authored-by: alafanechere <augustin.lafanechere@gmail.com>
)" (airbytehq#8611) This reverts commit ebcaf2b.
What
Currently all of the airbyte containers run as root users. This is not really needed, and it is an issue in locked-down kubernetes clusters (such as ours) where there is a restrictive PodSecurityPolicy with runAsNonRoot set.
While it is possible to create our own wrapper images that create and use their own non-root users, it would be nice to have this upstream as well. I only added this change now for the core platform containers. It would be nice to have for all sources/destinations as well, but that would be a bigger change, and I wanted to see if this is something you want first.
How
For scheduler/worker/server, create a new user and switch to it in the Dockerfiles.
For the webapp, change the base image to nginxinc/nginx-unprivileged, and use port 8080 instead of 80. There's a little bit of confusing config here, as port 8080 is used throughout the helm chart for the webapp, but it's served through 8000 in the docker-compose file; I kept the user-facing behaviour the same for now.
Recommended reading order
Dockerfiles
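As an added example (not code from this PR or the Airbyte project), a small CI-style lint that checks the two properties the change establishes in each Dockerfile: the last build stage runs as a non-root USER, and it does not EXPOSE a privileged port, which is why 80 became 8080. nginxinc/nginx-unprivileged is the image named in the PR; the sample Dockerfiles, the `airbyte` user name and the base-image tags are constructed for this example.

```python
"""Lint a Dockerfile: final stage runs as non-root and exposes no privileged port (< 1024)."""
import re

PRIVILEGED_PORT_LIMIT = 1024
# Base images known to set a non-root USER themselves (nginxinc/nginx-unprivileged is the PR's choice).
NONROOT_BASES = frozenset({"nginxinc/nginx-unprivileged"})

def image_name(ref: str) -> str:
    """Drop tag and digest: 'nginxinc/nginx-unprivileged:alpine' -> 'nginxinc/nginx-unprivileged'."""
    ref = ref.split("@")[0]
    head, _, last = ref.rpartition("/")      # only the last path element can carry a tag
    last = last.split(":")[0]
    return f"{head}/{last}" if head else last

def instructions(dockerfile: str):
    """Yield (INSTRUCTION, argument) with backslash continuations joined and comments dropped."""
    for line in re.sub(r"\\\s*\n", " ", dockerfile).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            instr, _, arg = line.partition(" ")
            yield instr.upper(), arg.strip()

def lint_dockerfile(dockerfile: str) -> list[str]:
    """Return findings for the last build stage, the one that becomes the shipped image."""
    base, user, ports = None, None, []
    for instr, arg in instructions(dockerfile):
        if instr == "FROM":                  # a new stage resets state; only the last stage ships
            ref = next(t for t in arg.split() if not t.startswith("--"))   # skip --platform=...
            base, user, ports = image_name(ref), None, []
        elif instr == "USER":
            user = arg.split(":")[0]         # 'user[:group]' -> user
        elif instr == "EXPOSE":
            ports += [int(p.split("/")[0]) for p in arg.split() if p.split("/")[0].isdigit()]
    findings = []
    if user in ("root", "0"):
        findings.append("final stage explicitly runs as root")
    elif user is None and base not in NONROOT_BASES:
        findings.append(f"no USER instruction; inherits from {base}, which is root unless the base sets one")
    findings += [f"EXPOSE {p}: privileged port, binding it needs root or CAP_NET_BIND_SERVICE"
                 for p in ports if p < PRIVILEGED_PORT_LIMIT]
    return findings

# Constructed before/after samples mirroring the PR; user name and base tags are assumptions.
WEBAPP_BEFORE = "FROM nginx:alpine\nCOPY build/ /usr/share/nginx/html\nEXPOSE 80\n"
WEBAPP_AFTER = "FROM nginxinc/nginx-unprivileged:alpine\nCOPY build/ /usr/share/nginx/html\nEXPOSE 8080\n"
SERVER_AFTER = ("FROM openjdk:17-slim AS server\n"
                "RUN groupadd -r airbyte && useradd -r -g airbyte airbyte\n"
                "COPY --chown=airbyte:airbyte bin/ /app\n"
                "USER airbyte\nENTRYPOINT [\"/app/server\"]\n")
```

The lint only sees the Dockerfile, so a base image whose non-root USER it does not know about shows up as the inherited-user finding rather than a pass, which is the conservative side to be on under a runAsNonRoot policy.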