Run Weblogic Server PODs with securityContext.runAsUser set to value higher than 10000 (controlled by Weblogic Kubernetes Operator)

[Michalski-Piotr]

Hello,

We are working with customer to deploy OSB/SOA Cloud Native Weblogic Domain in Kubernetes architecture (deployed to the Oracle OCI OKE Kubernetes engine).

There is customer requirement to add securityContext.runAsUser to the value higher than 10000.

 
* AVD-KSV-0020 (LOW): Container 'weblogic-server' of Pod 'osb-domain-adminserver' should set 'securityContext.runAsUser' > 10000
* AVD-KSV-0020 (LOW): Container 'weblogic-server' of Pod 'osb-domain-osb-server1' should set 'securityContext.runAsUser' > 10000
* AVD-KSV-0020 (LOW): Container 'weblogic-server' of Pod 'osb-domain-osb-server2' should set 'securityContext.runAsUser' > 10000

According Weblogic Kubernetes Operator and inside SOA/OSB Cloud Native image downloaded from Oracle Container Registry the image owner UID is set to 1000. Also SOA Cloud Native product by default is using UID uid=1000(oracle).

Reference: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/

Could you elaborate, if Weblogic Kubernetes Operator could operate on the Weblogic Domain that would be running on top of the image, where UID would be changed to 10001 (or other higher than 10000, what are possible consequences or if there are any additional configuration adjustements required, please?

Please also clarify if running with UID 1000 is somehow preferred from Weblogic Kubernetes Operator perspective, please?

Unfortunately without knowing WKO internals it is hard for us to do any risk assessesment about the consequences.

In case using UID higher than 10000 require any Enhancement Request for Weblogic Operator, we would like to raise this Enhancement Request in this issue.

Regards,
Piotr Michalski
Oracle CSS

[Michalski-Piotr]

Customer is using currently Weblogic Kubernetes Operator 4.2.9 and below versions:

[jshum2479]

The 1000 user id is just the default user created in images like those in container-registry repo, the uid is not a restriction from WKO perspective, we do default to it if no specific runAs is specified.

For running the container with a user id that is > 10k, two things need to happen.

1. The image(both base and auxiliary image) used need to have the user with id > 10k defined. WKO have no control of this unlike OpenShift which inject an user with uid range in high numbers underneath its security layer. You can use the ImageTool to build the images with a specific user. e.g.

imagetool.sh create (or createAuxImage) ..... --additionalBuildCommands newuser.txt. --chown myuser:root

where newuser.txt

[inital-build-commands]
USER root
RUN useradd myuser -u 10001 -G root

or you can pre-create your own OS image with the specific user / group then you can use it with --fromImage (without using the additionalBuildCommands. The key is using --chown which changes the user/group ownership of the created contents

2. Specify containerSecurityContext with runAsUser/Group in domain.spec.serverPod.containerSecurityContext.

You are not required to user root as group. This is just the OpenShift convention to inject a user with an id and group root, so that any directory created have group write permission regardless of the generated uid.

Here are the documentation for the additionalBuildCommands usage

https://oracle.github.io/weblogic-image-tool/userguide/tools/create-image/#--additionalbuildcommands

[Michalski-Piotr]

Hi @jshum2479,
thank you. We would be testing this setup in customer environment, when customer would be ready to implement this change.
Regards,
Piotr Michalski

[rjeberhard]

Our testing shows that the provided steps work. Please feel free to reopen if customer testing shows an issue or open a new issue for any additional questions or requests.