
create a non-root user for cilium-related containers #23217

Open
3 of 8 tasks
michi-covalent opened this issue Jan 20, 2023 · 3 comments
Labels

  • kind/community-report: This was reported by a user in the Cilium community, e.g. via Slack.
  • kind/feature: This introduces new functionality.
  • pinned: These issues are not marked stale by our issue bot.
  • sig/agent: Cilium agent related.
  • stale: The stale bot thinks this issue is old. Add the "pinned" label to prevent this from becoming stale.

Comments

@michi-covalent (Contributor)

michi-covalent commented Jan 20, 2023

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

Investigate whether it's feasible to run cilium-related containers as a non-root user.

ref: https://www.tenable.com/audits/items/CIS_Docker_v1.3.1_L1_Docker_Linux.audit:bdcea17ac365110218526796ae3095b1

Cilium Version

N/A

Kernel Version

N/A

Kubernetes Version

N/A

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@michi-covalent added the labels kind/bug, needs/triage and kind/community-report on Jan 20, 2023.
@aanm added the labels kind/feature and sig/agent, and removed kind/bug and needs/triage, on Jan 26, 2023.
@github-actions

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

@github-actions bot added the label stale on Mar 28, 2023.
@michi-covalent added the label pinned on Mar 28, 2023.
@sayboras (Member)

Added one more item for the cilium/proxy image, as we recently had this PR merged, thanks to @mhofstetter:

#25081

sayboras added a commit to cilium/proxy that referenced this issue Feb 21, 2024
This is to improve the security posture of cilium/proxy running in the
daemonset mode. Distroless images come in different variants and the one
being used here is the most basic one that only contains the following:

- ca-certificates
- /etc/passwd entries for the root, nonroot and nobody users
- A /tmp directory
- tzdata

Relates: cilium/cilium#23217
sayboras added a commit to cilium/proxy that referenced this issue Feb 21, 2024
This is to improve the security posture of cilium/proxy running in the
daemonset mode. Distroless images come in different variants and the one
being used here is the most basic one that only contains the following:

- ca-certificates
- /etc/passwd entries for the root, nonroot and nobody users
- A /tmp directory
- tzdata

Relates: cilium/cilium#23217
Signed-off-by: Tam Mach <tam.mach@cilium.io>
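The issue asks whether cilium-related containers can run as a non-root user, and the cilium/proxy commit above moves that image onto a distroless base that ships root, nonroot and nobody passwd entries. The check an auditor runs before and after such a change is the CIS "run containers as a non-root user" control, evaluated against the pod template of the DaemonSet. The following is an added example, not Cilium project code: it merges pod- and container-level `securityContext` the way the kubelet does (container fields override pod fields), classifies each container, and flags the ones that would start as root or whose UID the spec alone cannot determine. The pod spec, container names and images are constructed for illustration; the distroless UIDs (65532 for nonroot, 65534 for nobody) come from the distroless project, not from this page.

```python
"""Audit a Kubernetes pod spec for containers that would start as root.

Added example, not Cilium project code. It applies the CIS
"run containers as a non-root user" check to a pod spec the way an auditor
would before deciding whether a DaemonSet's containers can drop root.
"""
from typing import Dict, List

# /etc/passwd entries shipped by the distroless base variant named in the
# cilium/proxy commit. The UIDs are distroless's own, not stated on the page.
DISTROLESS_PASSWD: Dict[int, str] = {0: "root", 65532: "nonroot", 65534: "nobody"}

# Constructed sample: a pod template with three containers. Names and images
# are illustrative; this is not a real Cilium manifest.
SAMPLE_POD_SPEC: dict = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        # Inherits the pod-level policy: the kubelet refuses to start it
        # unless the image's USER is a non-zero numeric UID.
        {"name": "proxy", "image": "example.invalid/proxy:distroless"},
        # Explicitly opts back into root (and privileged) at container level.
        {"name": "agent", "image": "example.invalid/agent:latest",
         "securityContext": {"runAsUser": 0, "runAsNonRoot": False,
                             "privileged": True}},
        # Turns the pod-level policy off but pins no UID: the image's USER
        # decides, and that is not visible from the spec alone.
        {"name": "sidecar", "image": "example.invalid/sidecar:latest",
         "securityContext": {"runAsNonRoot": False}},
    ],
}


def effective_security_context(pod_spec: dict, container: dict) -> dict:
    """Merge pod- and container-level securityContext.

    Kubernetes applies container-level fields over pod-level ones field by
    field, so a container can both loosen and tighten the pod default.
    """
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def classify_container(pod_spec: dict, container: dict) -> str:
    """Return 'root', 'nonroot' or 'unknown' for one container.

    root    : runAsUser is 0, so the entrypoint runs as UID 0 whatever the
              image's USER says.
    nonroot : a non-zero runAsUser is pinned, or runAsNonRoot is true (the
              kubelet then enforces a non-zero image USER at start time).
    unknown : nothing in the spec pins the UID; the image's USER decides, so
              an image-level check (e.g. docker inspect) is still needed.
    """
    ctx = effective_security_context(pod_spec, container)
    uid = ctx.get("runAsUser")
    if uid == 0:
        return "root"
    if uid is not None:
        return "nonroot"
    if ctx.get("runAsNonRoot") is True:
        return "nonroot"
    return "unknown"


def audit_pod(pod_spec: dict) -> Dict[str, str]:
    """Map every container name in the pod to its classification."""
    return {c["name"]: classify_container(pod_spec, c)
            for c in pod_spec.get("containers", [])}


def containers_failing_check(pod_spec: dict) -> List[str]:
    """Names of containers that fail the check: root or undetermined."""
    return sorted(name for name, verdict in audit_pod(pod_spec).items()
                  if verdict != "nonroot")


def describe_uid(uid: int) -> str:
    """Render a UID with its distroless passwd name, if it has one."""
    name = DISTROLESS_PASSWD.get(uid)
    return f"{uid} ({name})" if name else str(uid)


if __name__ == "__main__":
    for container in SAMPLE_POD_SPEC["containers"]:
        ctx = effective_security_context(SAMPLE_POD_SPEC, container)
        uid = ctx.get("runAsUser")
        shown = describe_uid(uid) if uid is not None else "unset"
        verdict = classify_container(SAMPLE_POD_SPEC, container)
        print(f"{container['name']:8s} {verdict:8s} runAsUser={shown}")
    print("failing:", containers_failing_check(SAMPLE_POD_SPEC))
```

The "unknown" verdict is the part a spec-only audit tends to get wrong: with `runAsNonRoot` false and no `runAsUser`, a distroless image built with `USER nonroot` is fine and the same spec on an image without a `USER` line is root, so the image itself has to be inspected before the control is marked passed.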
sayboras added a commit to cilium/proxy that referenced this issue Feb 21, 2024
This is to improve the security posture of cilium/proxy running in the
daemonset mode.

Relates: cilium/cilium#23217
sayboras added a commit that referenced this issue Feb 21, 2024
Relates: cilium/proxy#568
Relates: #23217
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras (Member)

sayboras commented Mar 1, 2024

One related note from upstream:

kubernetes/website@7fd32af#r1504714307

3 participants