unprivileged images for Kubernetes

[faust64]

As discussed in traefik/traefik-helm-chart#336 (comment)

Currently, it is not possible to start traefik, running as an unprivileged user, yet binding on privileged ports.

This could be done, with something like the following:

Worteks@25acba8

Though as stated in the commit message, it could have implications on existing unprivileged deployments.

Looking at how Nginx does this: their default image doesn't have that capability enabled.
The Nginx ingress controller uses another image, that does set it:

https://github.com/nginxinc/kubernetes-ingress/blob/master/build/DockerfileForAlpine#L14

Not sure that's relevant for Traefik.
At least, we would have to ensure helm charts would be updated accordingly - and any potential doc or template deploying Traefik to run as an unprivileged user. Considering the image starts as root by default: those are edge cases. But helm defaults are concerned, PodSecurityPolicy would need patching.

Now, maybe that's not necessary, nor wanted. Traefik perfectly runs as unprivileged, when binding on ports above 1024. As long as we can map host port to a different container port, this would allow to expose Traefik on ports 80/443, using Kubernetes hostNetwork - which is the most common way to expose ingresses, on bare metal. Which should be doable, assuming I can get approval for my PR:

https://github.com/traefik/traefik-helm-chart/pull/337/files

[dm17]

I figured most official docker images supported using docker run --user - is this not the case? Many hardening guides recommend running without root privileges inside of the docker containers, so is there a reason Traefik does not benefit from running as non-root?

[faust64]

I figured most official docker images supported using docker run --user - is this not the case?

Docker options have nothing to do with it.

Introducing my issue, I wrote:

running as an unprivileged user, yet binding on privileged ports.

This has nothing to do with Docker or OCI runtimes specifics.

When I run some Nginx ingress controller, as unprivileged: I can bind to privileged ports (below 1024).
A few unprivileged processes, containerized or otherwise, are meant to bind on privileged ports while running as non-root.

The traefik container image doesn't allow for this. Although that's something we could do with Worteks@25acba8

On the other hand, forcing that changes onto users that run Traefik unprivileged could be problematic.
In terms of Kubernetes, using PodSecurityConstraints: if an unprivileged container wants to execute binaries that have that cap_net_bind_service=+ep capabilities: I need to configure an exception.

Then again, the current Dockerfile doesn't set any USER: default would then be to run as root. The traefik-helm-chart could implement the specifics of such a breaking change, while we might document it for any other kind of deployment, ...
While, realistically, won't work ... Raise your hand if you ever upgraded something without reading docs, filed an issue on GitHub when it crashes, ... and only then: check the release notes ✋ ...

IDK. That's up for debate. Hence this post.

[dm17]

This seems to explain how to do it and also justifies adding it to the official image: https://community.traefik.io/t/traefik-as-non-root-should-be-default/16573/2