Allow Kritis to run as non-root #512

Open
ba32107 opened this issue May 20, 2020 · 8 comments

Comments

@ba32107
Contributor

ba32107 commented May 20, 2020

Hi!

I am experimenting with Kritis within my company. During the POC phase, I noticed that the Kritis validation webhook must run as root. When running as a non-privileged user, I got permission denied errors that were originating from somewhere around here:
https://github.com/grafeas/kritis/blob/master/cmd/kritis/admission/main.go#L160

Unfortunately, I do not have the exact error message and stack trace handy as of now, but I can dig it up if it helps. I believe Kritis was unable to access the .kubeconfig directory.

Running as root is something we don't allow according to our policies. I managed to run the project by temporarily disabling this policy, but this is something we'd prefer not to do. Are there any plans to allow Kritis to run as non-root?

@nenaddedic
Contributor

Yes, please, if it's not too much trouble, then include the error message / stack trace.

@ba32107
Contributor Author

ba32107 commented May 20, 2020

Sure thing - I will get back to you tomorrow with details. Thanks

@ba32107
Contributor Author

ba32107 commented May 21, 2020

The error is:

1 main.go:132] starting background job: Error creating kubeConfig: Error loading config file "/root/.kube/config": open /root/.kube/config: permission denied

There is no stack trace, but I believe the error originates from somewhere around here.

This is with running version kritis-server:5e94b81b2d686303e6cd49653c80c36e290262cf.

Thanks
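The error above comes from loading a kubeconfig at a path that only root can read. As an added example, not Kritis code, the resolver below picks the client configuration source in an order that works for any uid: the in-cluster service-account token first, then `$KUBECONFIG`, then the running user's own `~/.kube/config`. The `Probe` type and `ResolveKubeConfig` are assumptions made for this illustration; the token path is the standard Kubernetes mount.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Token Kubernetes mounts into every pod that has a service account.
const serviceAccountToken = "/var/run/secrets/kubernetes.io/serviceaccount/token"

// Probe abstracts the environment so the resolver can be exercised offline.
type Probe struct {
	Getenv func(string) string // os.Getenv in production
	Home   string              // os.UserHomeDir() in production
	Exists func(string) bool   // os.Stat-based check in production
}

// ResolveKubeConfig picks the client config source in an order that works for
// any uid: in-cluster token, $KUBECONFIG, then the running user's ~/.kube/config.
func ResolveKubeConfig(p Probe) (mode, path string, err error) {
	if p.Exists(serviceAccountToken) {
		return "in-cluster", serviceAccountToken, nil
	}
	if kc := p.Getenv("KUBECONFIG"); kc != "" {
		if !p.Exists(kc) {
			return "", "", fmt.Errorf("KUBECONFIG=%q is set but not readable", kc)
		}
		return "kubeconfig", kc, nil
	}
	if p.Home == "" {
		return "", "", fmt.Errorf("no in-cluster token, no KUBECONFIG, no home directory")
	}
	home := filepath.Join(p.Home, ".kube", "config")
	if p.Exists(home) {
		return "kubeconfig", home, nil
	}
	return "", "", fmt.Errorf("no in-cluster token, no KUBECONFIG, and no %s", home)
}

func main() {
	home, _ := os.UserHomeDir() // empty for a uid without a passwd entry
	exists := func(path string) bool { _, err := os.Stat(path); return err == nil }
	mode, path, err := ResolveKubeConfig(Probe{Getenv: os.Getenv, Home: home, Exists: exists})
	if err != nil {
		fmt.Println("cannot build client config:", err)
		return
	}
	fmt.Printf("using %s config from %s\n", mode, path)
}
```

Inside a pod the in-cluster branch wins, so no home-directory lookup happens at all, which is what lets the webhook run with `runAsNonRoot` set.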

@ba32107
Contributor Author

ba32107 commented May 26, 2020

Hi @nenaddedic, did you have any chance to have a look at this? I'd be interested to see if we can make this work somehow without running as root. Thanks.

@nenaddedic
Contributor

I have looked only a little bit, haven't tried to reproduce. What kind of cluster were you running kritis on? Was it minikube?

@ingvarm-gr

This is a cluster running 1.14 on CoreOS, with assorted RBAC, pod-security policies, and OPA validation blocking "application namespaces" from running processes with root privilege as this poses a risk for pods to escape the docker containment.

@nenaddedic
Contributor

@ba32107 @ingvarm-gr have you had any luck getting this to work as non-root? I haven't had a chance to investigate unfortunately.

@ba32107
Contributor Author

ba32107 commented Jun 10, 2020

Hi @nenaddedic, no unfortunately we haven't had a chance either. For now we are working on Grafeas, but planning to look at Kritis soon. I will update once I know more, but if you have a chance to look at this meanwhile, that would be a lot of help for us.

Thanks
