Running the container as non-root #78
Comments
This was referenced Mar 2, 2019. aigarius pushed a commit to aigarius/oauth2_proxy that referenced this issue on Mar 8, 2019:
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this change may break file read/write access due to a change in the UID/GID that the oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users. An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.

Least access privileges.

Close: oauth2-proxy#78

Locally with Docker (`-version`):

```
$ ps aux | grep oauth2
2000 25192 6.0 0.0 0 0 ? Ds 15:53 0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:

```
securityContext:
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10001
```

```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID USER TIME COMMAND
1 10001 0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
11 10001 0:00 sh
17 10001 0:00 ps aux
```

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
Will this change be included in the next release?

Yes, I will be creating a release soon, ideally within a week
Expected Behavior
The container only contains a single binary, and therefore should be able to run without the need for root.
Current Behavior
The container runs as root, as there is no USER defined in the Dockerfile. This is not best practice, and opens unnecessary conversations with people who utter the word 'security' every few words ;)
Possible Solution
Add a USER line in the dockerfile.
Steps to Reproduce (for bugs)
```
kubectl exec -i -t <pod> -- ash
whoami
```

shows `root`.
Context
Trying to use oauth2-proxy in a client environment running in Azure. Currently using Kubernetes. Client security team are very conscious of containers running as root.
Your Environment
Azure AKS, Kubernetes cluster, oauth2-proxy deployed using official helm chart found at https://github.com/helm/charts/tree/master/stable/oauth2-proxy
aks: Kubernetes v1.11.6
repository: "quay.io/pusher/oauth2_proxy"
tag: "v3.1.0"
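The fix proposed in the issue body ("add a USER line in the Dockerfile") and implemented in the commit above (a dedicated `oauth2proxy` user with UID/GID 2000, run under a `runAsNonRoot` security context) is easy to get subtly wrong, so here is an added example of a check for it. This is a POSIX shell lint written for this page; it is not code from the oauth2_proxy project or from anyone in the thread. It reports whether the final build stage of a Dockerfile will run as root, as a named user, or as a numeric non-zero UID. The distinction matters for the Kubernetes setting used in the commit: the kubelet enforces `runAsNonRoot` by inspecting the image's configured user, so a named user such as `nobody` cannot be verified and the pod is rejected unless `runAsUser` is also set; a numeric UID passes. The three Dockerfiles are constructed inline for illustration; the `golang` and `alpine` base images and the multi-stage layout are assumptions, while the `/opt/oauth2_proxy` path and the `oauth2proxy` user follow the commit message.

```shell
#!/bin/sh
# Added example for oauth2_proxy issue #78; not code from the project or the thread.
# Lints a Dockerfile for the property the issue asks for: the final stage sets
# a USER, and that USER is a numeric, non-zero UID that Kubernetes runAsNonRoot
# can verify.

dockerfile_user_check() {
    # $1 = path to a Dockerfile. Prints one of: root, named, nonroot.
    # Only the last build stage's USER takes effect, so reset on every FROM and
    # keep the last USER seen after it. Instruction names are case-insensitive.
    user=$(awk 'toupper($1)=="FROM" {u=""} toupper($1)=="USER" {u=$2} END {print u}' "$1")
    uid=${user%%:*}   # USER may be "uid:gid"; only the uid part matters here
    case "$uid" in
        "" | root)
            echo root ;;          # no USER at all, or explicitly root
        *[!0-9]*)
            echo named ;;         # a name (or a build variable): not verifiable by runAsNonRoot
        *)
            if [ "$uid" -eq 0 ]; then echo root; else echo nonroot; fi ;;
    esac
}

# CI gate: succeed only when the image will run as a verifiable non-root UID.
require_nonroot_user() {
    [ "$(dockerfile_user_check "$1")" = nonroot ]
}

# Constructed sample Dockerfiles (not the project's real Dockerfile).
tmpdir=$(mktemp -d)

# Trap: USER set in the builder stage does not carry over; the final stage is root.
cat > "$tmpdir/Dockerfile.root" <<'EOF'
FROM golang:1.12 AS builder
WORKDIR /src
COPY . .
RUN go build -o oauth2_proxy .
USER 2000

FROM alpine:3.9
COPY --from=builder /src/oauth2_proxy /opt/oauth2_proxy
ENTRYPOINT ["/opt/oauth2_proxy"]
EOF

# Non-root, but by name: runAsNonRoot cannot verify it without runAsUser.
cat > "$tmpdir/Dockerfile.named" <<'EOF'
FROM alpine:3.9
COPY oauth2_proxy /opt/oauth2_proxy
USER nobody
ENTRYPOINT ["/opt/oauth2_proxy"]
EOF

# The shape of the commit's fix: dedicated system user, numeric USER in the final stage.
cat > "$tmpdir/Dockerfile.nonroot" <<'EOF'
FROM golang:1.12 AS builder
WORKDIR /src
COPY . .
RUN go build -o oauth2_proxy .

FROM alpine:3.9
RUN addgroup -g 2000 -S oauth2proxy && adduser -u 2000 -S -G oauth2proxy oauth2proxy
COPY --from=builder /src/oauth2_proxy /opt/oauth2_proxy
USER 2000:2000
ENTRYPOINT ["/opt/oauth2_proxy"]
EOF

for variant in root named nonroot; do
    printf 'Dockerfile.%s -> %s\n' "$variant" "$(dockerfile_user_check "$tmpdir/Dockerfile.$variant")"
done
```

Wire `require_nonroot_user Dockerfile` into the image build pipeline and the build fails before an image that would run as root (or as an unverifiable named user) ever reaches a cluster where `runAsNonRoot: true` is expected to hold.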