docker: Default to non-root uid/gid in images #4295
Comments
|
Alright, so starting from next release (v0.39.0):
|
|
@anderseknert the changes needed for this are already in afaict. Can we close this ? |
|
Not really. Rootless mode is not the default for the standard image. This ticket can be closed when:
What's been done so far is preparing for that by printing a warning from the next release and forward, plus made the |
|
Can we also update this quickstart to not need the image with privileges? 👉 https://github.com/open-policy-agent/opa-envoy-plugin/blob/8be224a995562e01c446f402285bbaabdbc68dc0/examples/istio/quick_start.yaml#L279 |
|
Indeed. We should additionally bind to port 8443 (or whatever) in the OPA container manifest, and have the Service do the 443->8443 port mapping. |
For the changelog: Breaking change: all OPA images now run with a non-root uid/gid. This means there is no longer a need for the -rootless image variant, and it has thus been decomissioned. If you were using the -rootless images before, you'll need to change your configuration to use the regular image (i.e. without the -rootless suffix). While the OPA images contain no other software (like a shell), running as root is still a bad practice. If you for some reason **must** run OPA with root privileges, this can still be achieved by explicitly setting the user, either with the `--user` argument for `docker run`, or in the `securityContext` of your Kubernetes pod spec. Fixes open-policy-agent#4295 Signed-off-by: Anders Eknert <anders@eknert.com>
|
In #5718, the standard OPA images have switched to uid/gid which is not 0. A note is added to the |
ashutosh-narkar
moved this from Planned - v0.52
to Planning - v0.53
in Open Policy Agent
ashutosh-narkar
moved this from Planning - v0.53
to Planning - v0.54
in Open Policy Agent
ashutosh-narkar
moved this from Planning - v0.54
to Planning - v0.55
in Open Policy Agent
|
I think that once we have merged #6086, we can close this as the following items will then have been done:
We are using non-root base images (and use the same user:group settings for clarity in #6086) also see #5540 #5787 #5718
#6086 completes this. I'm not really sure what if anything is still needed in opa-envoy #4295 (comment) but think we can move to an issue on that repo if still relevant? |
|
Following some discussion, I have now implemented this: #6091 feedback welcome. |
ashutosh-narkar
moved this from Planning - v0.58
to Planning - v0.59
in Open Policy Agent
ashutosh-narkar
moved this from Planning - v0.59
to Planning - v0.58
in Open Policy Agent
ashutosh-narkar
moved this from Planning - v0.58
to Planning - v0.59
in Open Policy Agent
All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result there is no longer a need for the --rootless image variant hence it will not be published as part of future releases. This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user, either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification. Fixes: open-policy-agent#4295 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result there is no longer a need for the --rootless image variant hence it will not be published as part of future releases. This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user, either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification. Fixes: #4295 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
OPA users have a couple of options to choose from when it comes to Docker images. For any given release, we'll have these image versions published:
For various historic reasons, we've defaulted to uid/gid 0 (i.e. root) in the "default" image, providing a
-rootlessversion for those that wanted to opt out of that. Some time later the-staticversion appeared to be able to run from base images without glibc such as Alpine. This wasn't made-rootlessthough. Rather than adding a-static-rootlessas well, we should switch the default image run OPA as rootless by default, and allow users that need to run as root for some reason (like having to bind to port 443 without a service in front) to rather opt in to that. This should allow us to reduce the number of image variants, and provide better defaults.Users who still want or need to run OPA as the root user inside of the container, can easily do so via the
docker run --userflag, or by setting therunAsUser, and other approriate attributes on the securityContext in a Kubernetes pod.Suggested changes:
Since we're going slowly with this change, I hope it will give members of the OPA community time to make their voices heard if there is something more we need to consider before making this change.
It should be noted that with the exception of the
-debugimage, OPA does not provide a shell, or other commands, in its images. The change suggested here is to align with best practices, not to prevent any known issue or attack vector.The text was updated successfully, but these errors were encountered: