Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use numeric uid:gid in Dockerfile to support Tanzu's PSP #720

Merged
merged 1 commit into from
Feb 21, 2024
Merged

Use numeric uid:gid in Dockerfile to support Tanzu's PSP #720

merged 1 commit into from
Feb 21, 2024

Conversation

lhotari
Copy link
Member

@lhotari lhotari commented Feb 14, 2024
edited

Motivation

Tanzu Kubernetes Grid 1.22.9 requires that docker images have numeric userids. Running an distroless nonroot image with "USER nonroot:nonroot" will fail to start with this error when default pod security policy is enabled:
"Error: container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root"

Modifications

Replace USER nonroot:nonroot with USER 65532:65532.
Similar solution is commonly used for images using distroless nonroot base image.
For example, https://github.com/grafana/loki/blob/main/operator/Dockerfile#L26

Documentation

Check the box below.

Need to update docs?

  • doc-required

    (If you need help on updating docs, create a doc issue)

  • no-need-doc

    (Please explain why)

  • doc

    (If this PR contains doc changes)

@lhotari
Use numeric uid:gid in Dockerfile to support Tanzu's PSP
ead7a7b 
- Fixes issue
  "Error: container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root"
@lhotari lhotari requested review from nlu90, freeznet and a team as code owners February 14, 2024 09:13
@github-actions github-actions bot added the no-need-doc This pr does not need any document label Feb 14, 2024
@lhotari
Copy link
Member Author

lhotari commented Feb 21, 2024

Please review and merge @freeznet @jiangpengcheng @nlu90 . Thanks!

@lhotari lhotari merged commit 8ef268c into master Feb 21, 2024
12 of 15 checks passed
@lhotari lhotari deleted the lh-numeric-uid-gid-for-tanzu-support branch February 21, 2024 12:02
@jiangpengcheng jiangpengcheng added this to the 2023-03 v0.20.0 milestone Mar 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@freeznet freeznet freeznet approved these changes

@nlu90 nlu90 Awaiting requested review from nlu90 nlu90 is a code owner

@jiangpengcheng jiangpengcheng Awaiting requested review from jiangpengcheng

Assignees

@lhotari lhotari

Labels
m/2024-02 no-need-doc This pr does not need any document
Projects
None yet
Milestone
2023-03 v0.20.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@lhotari @freeznet @jiangpengcheng