Add security context to Gatekeeper container #273
Conversation
deploy/gatekeeper.yaml
Outdated
| allowPrivilegeEscalation: false | ||
| runAsGroup: 3000 | ||
| runAsNonRoot: true | ||
| runAsUser: 2000 |
There was a problem hiding this comment.
what's the main reason for changing the uid here vs the one in the dockerfile: https://github.com/open-policy-agent/gatekeeper/blob/master/Dockerfile#L18
There was a problem hiding this comment.
Just to show that we can. Would you prefer them to be identical? I have no strong opinions either way.
There was a problem hiding this comment.
After deploying this change, I'm getting the following after I exec into the container:
groups: cannot find name for group ID 3000
$ id manager
uid=1000(manager) gid=999(manager) groups=999(manager)
There was a problem hiding this comment.
I'm not sure what the significance of that is or what response you're looking for.
Is your shell broken? Is there loss of functionality? Is it ugly?
There was a problem hiding this comment.
not a problem with my shell. but rather
runAsGroup: 3000failed because the group 3000 does not exist in /etc/group.- I think we should be consistent and use the
manageruser with uid 1000 as we have currently in the Dockerfile. Otherwise as you can see from my shell output, there is amanageruser with uid 1000, but it is not used to run the manager process. Let's be consistent here if we can.
There was a problem hiding this comment.
SGTM, so UID=1000 GID=999?
Signed-off-by: Max Smythe <smythe@google.com>
maxsmythe
force-pushed
the
security-context
branch
from
a25f1a0 to
af5c6c3
Compare
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe smythe@google.com