Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Kube lint #39

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Kube lint #39

wants to merge 4 commits into from

Conversation

jkremser
Copy link

before this change:

kube-linter lint .
KubeLinter 0.2.3

charts/coredns/templates/deployment.yaml: (object: <no namespace>/test-release-coredns apps/v1, Kind=Deployment) container "coredns" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in the container securityContext.)

charts/coredns/templates/deployment.yaml: (object: <no namespace>/test-release-coredns apps/v1, Kind=Deployment) container "coredns" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)

after this change:

kube-linter lint .
KubeLinter 0.2.3

No lint errors found!

Also updating the links in the comments, because the old ones no longer work (I've tried them all and they do work w/ the new k8s api docs)

@mrueg
Copy link
Collaborator

mrueg commented Sep 21, 2021

You'll need to bump the chart version as well. Please bump the minor version for this change.

@jkremser
Copy link
Author

You'll need to bump the chart version as well. Please bump the minor version for this change.

done

Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>
Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>
Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>
@jkremser
Copy link
Author

ah, I didn't realize you actually require the containers to run under root with the default settings. That's why the tests are currently failing, so I am setting it to runAsNonRoot: false

@jkremser
Copy link
Author

@mrueg @haad ping

@sarahhodne
Copy link
Contributor

I notice that the default CoreDNS deployment in EKS seems to have this security context:

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    add:
      - NET_BIND_SERVICE
    drop:
      - all

Would that help get around some of the downsides of not being able to set runAsNonRoot: true?

@hagaibarel
Copy link
Collaborator

Hi, thanks for the PR. I believe that @sarahhodne approach will do the trick in working areound running as non root. Please rebase and bump the chart version

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants