Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jaeger-operator has root group #1336

Closed
UsaninMax opened this issue Dec 9, 2020 · 4 comments
Closed

jaeger-operator has root group #1336

UsaninMax opened this issue Dec 9, 2020 · 4 comments
Labels
enhancement New feature or request

Comments

@UsaninMax
Copy link
Contributor

UsaninMax commented Dec 9, 2020
edited
Loading

Hello, I use Jaeger with Kubernetes and our security doesn't allow us to use any pod/containers with root access
I am noticed that security context was parameterized for Agents https://github.com/jaegertracing/jaeger-operator/pull/1190/files that's great.
Meanwhile the jaeger-operator itself has own user and by default root group
https://github.com/jaegertracing/jaeger-operator/blob/master/build/Dockerfile#L28
the result is:

bash-4.4$ id
uid=1001 gid=0(root) groups=0(root)

Could you please help to run jaeger-operator as non root ?
@github-actions github-actions bot added the needs-triage New issues, in need of classification label Dec 9, 2020
@jpkrohling
Copy link
Contributor

Interesting observation. I'm not sure I fully understand the attack vector this would open, but I don't see a problem in changing it either. Would you mind opening a pull request, perhaps linking a best practices doc reference or a link to a Dockerfile being used by some other operator/project?

@jpkrohling jpkrohling added enhancement New feature or request and removed needs-triage New issues, in need of classification labels Dec 9, 2020
@UsaninMax
Copy link
Contributor Author

@jpkrohling
https://kubernetes.io/docs/concepts/security/pod-security-standards/

Non-root groups (optional) | Containers should be forbidden from running with a root primary or supplementary GID.

@jpkrohling
Copy link
Contributor

Cool! Would you open a PR with the proposal?

This was referenced Dec 9, 2020
Closed
Merged
mergify bot pushed a commit that referenced this issue Dec 10, 2020
@UsaninMax
set non root group (#1339)
7d8cab9 
Based on #1336 (comment)
@pavolloffay
Copy link
Member

This was fixed during migration to the newer operator-sdk version. Please re-open if otherwise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jpkrohling @UsaninMax @pavolloffay