ceph: run operator with rook user

The rook operator as well as the toolbox pod run with the "rook" user with UID 2016. The UID was chosen based on the year of the initial commit in the rook/rook repository. No more root user running. Closes: #8734 Signed-off-by: Sébastien Han <seb@redhat.com>
rook · Sep 17, 2021 · e7e09ae · e7e09ae
1 parent 32984f7
commit e7e09ae
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 0 deletions.
diff --git a/cluster/charts/rook-ceph/templates/deployment.yaml b/cluster/charts/rook-ceph/templates/deployment.yaml
@@ -26,6 +26,9 @@ spec:
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         args: ["ceph", "operator"]
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 2016
         volumeMounts:
         - mountPath: /var/lib/rook
           name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/operator-openshift.yaml b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
@@ -431,6 +431,9 @@ spec:
         - name: rook-ceph-operator
           image: rook/ceph:master
           args: ["ceph", "operator"]
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
           volumeMounts:
             - mountPath: /var/lib/rook
               name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/operator.yaml b/cluster/examples/kubernetes/ceph/operator.yaml
@@ -354,6 +354,9 @@ spec:
         - name: rook-ceph-operator
           image: rook/ceph:master
           args: ["ceph", "operator"]
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
           volumeMounts:
             - mountPath: /var/lib/rook
               name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/toolbox.yaml b/cluster/examples/kubernetes/ceph/toolbox.yaml
@@ -22,6 +22,9 @@ spec:
           command: ["/tini"]
           args: ["-g", "--", "/usr/local/bin/toolbox.sh"]
           imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
           env:
             - name: ROOK_CEPH_USERNAME
               valueFrom:

diff --git a/images/ceph/Dockerfile b/images/ceph/Dockerfile
@@ -26,5 +26,9 @@ COPY rook rookflex toolbox.sh set-ceph-debug-level /usr/local/bin/
 COPY ceph-monitoring /etc/ceph-monitoring
 COPY rook-external /etc/rook-external/
 COPY ceph-csv-templates /etc/ceph-csv-templates
+RUN useradd rook -u 2016 # 2016 is the UID of the rook user and also the year of the first commit in the project
+RUN mkdir -p /var/lib/rook
+RUN chown rook:rook /var/lib/rook
+USER 2016
 ENTRYPOINT ["/tini", "--", "/usr/local/bin/rook"]
 CMD [""]