Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for running in non-root #2933

Closed
tomkerkhove opened this issue Apr 22, 2022 · 10 comments
Closed

Support for running in non-root #2933

tomkerkhove opened this issue Apr 22, 2022 · 10 comments
Assignees
Labels
feature All issues for new features that have been committed to security All issues related to security

Comments

@tomkerkhove
Copy link
Member

Currently we don't don't provide guidance around running in non-root and we should check if we can default to this in our Helm chart.

Related: #2891

@tomkerkhove tomkerkhove added feature All issues for new features that have been committed to security All issues related to security labels Apr 22, 2022
@tomkerkhove
Copy link
Member Author

@kedacore/keda-maintainers Do you know if KEDA core supports running as non-root or do we have a requirement for this?

@JorTurFer
Copy link
Member

I'd say that we are already using non-root image (distroless/non-root)

@JorTurFer
Copy link
Member

I think it was discussed sometime ago
#2139

@JorTurFer
Copy link
Member

But as summary, KEDA runs over non-root, users need to set the security context

@tomkerkhove
Copy link
Member Author

It begs the question, though, shouldn't we run KEDA as non-root by default? What's stopping us from doing secure-by-default?

@JorTurFer
Copy link
Member

I'd say that we can run KEDA with a safe securityContext as default yes (keeping the option to set other or empty like right now). @zroubalik any objection?

@zroubalik
Copy link
Member

+100 agree, we should default to non-root.

This change should be driven from kedacore/keda first.

@JorTurFer
Copy link
Member

What do we have to do there? Is it not enough just setting the securityContext here? Maybe to run with non-root also when it's deployed with make or manifests?

@zroubalik
Copy link
Member

Yeah, I'd put securityContext to the manifests in core.

@tomkerkhove
Copy link
Member Author

100% agree on doing that in KEDA core first and be secure-by-default.

Moving issue there to keep track of things.

@tomkerkhove tomkerkhove transferred this issue from kedacore/charts Apr 25, 2022
@tomkerkhove tomkerkhove moved this to Proposed in Roadmap - KEDA Core Apr 25, 2022
@tomkerkhove tomkerkhove moved this from Proposed to To Do in Roadmap - KEDA Core Apr 25, 2022
@JorTurFer JorTurFer self-assigned this Apr 26, 2022
@JorTurFer JorTurFer moved this from To Do to In Review in Roadmap - KEDA Core Apr 26, 2022
Repository owner moved this from In Review to Ready To Ship in Roadmap - KEDA Core Apr 29, 2022
@tomkerkhove tomkerkhove moved this from Ready To Ship to Done in Roadmap - KEDA Core Aug 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature All issues for new features that have been committed to security All issues related to security
Projects
Archived in project
Development

No branches or pull requests

3 participants