Make image be rootless

[camilamacedo86]

Description

• Make the docker image be rootless

Motivation

• Deploying manager pod as non-root kubernetes-sigs/kubebuilder#1637
• Closes: run the process as no root #84
• Following the good practices. See; https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/

[paulfantom]

Since this is removing the whole vendor/ directory, could you also remove references to said directory from Makefile?

[paulfantom]

#87 is merged now, could you rebase?

Thank you for this enhancement! 💯

[paulfantom]

It seems that an e2e test scenario using deployment files from https://github.com/brancz/kube-rbac-proxy/tree/master/test/e2e/allowpaths is failing in CI.

Pod is failing to start due to:

Error: container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root
Error: container has runAsNonRoot and image will run as root

[paulfantom]

@camilamacedo86 Is there something left for this PR?

[camilamacedo86]

hi @paulfantom,

Thank you for your support and patient. I want to look better on how we could update the manifests as well. However, I need to stop to work on it. It is fine now and can get merged. Could you also to do. new release after this merge?

[harpratap]

@camilamacedo86 I tried this branch and I get this error - Error: failed to start container "kube-rbac-proxy": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "chdir to cwd (\"/home/nonroot\") set in config.json failed: permission denied": unknown changing the user to 65532:65532 gives it permission to access home dir (https://github.com/GoogleContainerTools/distroless/blob/master/base/base.bzl#L7)

[camilamacedo86]

hi @harpratap,

I am unable to reproduce the error. could you please let us know how are you doing this test? also, these changes have been passing in these tests and against OCP as well. See: openshift#29. However, would be nice to know more about how are you testing it.

[paulfantom]

@harpratap ping

[harpratap]

@camilamacedo86 I'm trying out with this role & psp, forcing to user 65532 fixes it. Can check the error message in events when doing kubectl describe pod xx But unfortunately not able to reproduce this on Kind or minikube yet. I have a suspicion that this is happening because of our use of containerd instead of docker

[camilamacedo86]

Hi @harpratap,

Shows that the problem is because you are not using the changes made in the manifests. See: https://github.com/brancz/kube-rbac-proxy/pull/86/files#diff-c669d94f3867a7c8d5a54532c08e029bR61-R77. You came with this USER ID because of you check it out in https://github.com/GoogleContainerTools/distroless/blob/master/base/base.bzl#L7. But it is only a value for the const. We do not need to use this value to be able to use the distroless image.

[harpratap]

@camilamacedo86 I did try again after adding spec.securityContext.runAsUser: 1001 and spec.containers.allowPrivilegeEscalation: false but still results in the same error

[harpratap]

This seems to be a known issue in distroless:nonroot with containerd.
This repo has a reproducible test and looks like there is some ongoing activity to fix it upstream - containerd/cri#1397

It isn't related to this PR so this should be good to go, I'll watch for fixes in upstream. Thanks everyone!

[camilamacedo86]

Hi @harpratap,

could we get it merged and do a release with it? Also, just use the ID 65532 solved the problem for containerd/cri#1397 I have no objections to change it here as well. I will do that .

[paulfantom]

LGTM

[s-urbaniak]

LGTM too, thank you!