fix: specify nonroot uid for manager #420
Conversation
| @@ -3,6 +3,6 @@ | |||
| FROM gcr.io/distroless/static:nonroot | |||
| WORKDIR / | |||
| COPY manager . | |||
| USER nonroot:nonroot | |||
| USER 65532:65532 | |||
There was a problem hiding this comment.
This user id is from kubernetes-sigs/kubebuilder#1635 which is the part of the kubebuilder v3.
There was a problem hiding this comment.
但是我看harbor这边用的都是10000
是不是我们应该统一
There was a problem hiding this comment.
This is the user id to run the harbor-operator itself, not the user id to run the harbor.
I think we should keep it the same with kubebuilder because these files may be generated by the kubebuilder.
There was a problem hiding this comment.
I cannot read what @bitsf wrote,
But I agree with @heww : we should keep the nonroot user:
https://github.com/GoogleContainerTools/distroless/blob/master/examples/nonroot/BUILD#L17
Why using it here?
IMO The change should only be be applied to files under config/.
There was a problem hiding this comment.
This PR lets the harbor operator can run in the k8s cluster with PSP enabled.
The config/manager/manager.yaml was changed with runAsUser: 65532
There was a problem hiding this comment.
I got it, but the dockerfile does not require any changes.
The user id should be changed on runtime, not at buildtime.
The user 65532 does not exist in gcr.io/distroless/static:nonroot image.
See kubernetes-sigs/kubebuilder#1635 for more info Signed-off-by: He Weiwei <[email protected]>
See kubernetes-sigs/kubebuilder#1635 for more
info
Signed-off-by: He Weiwei [email protected]