Use a UID rather than "nonroot" in the Dockerfile #6416
This matches distroless's nonroot UID: https://github.com/GoogleContainerTools/distroless/blob/main/base/base.bzl#L8

Also while here bump the distroless base version to match what "stable-slim" now refers to. Given coredns includes its own ca-certificates the difference is very minor.

Signed-off-by: David Leadbeater <dgl@dgl.cx>
Codecov Report

@@ Coverage Diff @@
##           master    #6416      +/-   ##
==========================================
+ Coverage   55.70%   58.48%   +2.78%
==========================================
  Files         224      252      +28
  Lines       10016    16545    +6529
==========================================
+ Hits         5579     9677    +4098
- Misses       3978     6279    +2301
- Partials      459      589     +130
👍 My only concern here is that there is an
This may change in future as it's been suggested to simplify the If those changes are approved, the feature for a custom base image
As you have k8s experience, if you're able to provide any input on why my PR triggered a test failure for it, that'd be appreciated: Given the description here for the incompatibility with k8s, the test suite must not be running as non-root in the same manner, but not as root either if it's actually dependent upon
It would fail previously, as the user wouldn't exist, but UIDs always work, so now it would work, although run as nonroot without the user existing (which may or may not break things, although most Go programs are okay with such things).
The incompatibility is only in enforcing it's running as non-root (a security check), "runAsNonRoot" checks that
Isn't the UID already the default user though? The
Yes, I am familiar with this issue in Docker land too. I encountered it when using
1. Why is this pull request needed and what does it do?
Since #5969 the Dockerfile has run coredns as "USER nonroot:nonroot", but it's not possible to enforce that with Kubernetes as it can only check UIDs. It changes the UID in the user line to be 65532. This matches distroless's nonroot UID:
https://github.com/GoogleContainerTools/distroless/blob/main/base/base.bzl#L8
(Note that if the Dockerfile didn't override the USER line at all, it would pick up the uid from the distroless image, which uses a UID, not a user, but I've kept it as is, as it's clearer to someone reading the Dockerfile.)
Also while here bump the distroless base version to match what "stable-slim" now refers to. Given coredns includes its own ca-certificates the difference is very minor.
2. Which issues (if any) are related?
#5969
3. Which documentation changes (if any) need to be made?
n/a
4. Does this introduce a backward incompatible change or deprecation?
No.
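The reason the UID matters, shown as an added example (this is not CoreDNS, distroless or Kubernetes code): the kubelet's "runAsNonRoot" check can only reason about the image's User field when that field is numeric. The function below models that decision, as I understand the kubelet's behaviour, and applies it to the USER directive parsed out of a Dockerfile. The two Dockerfile fragments are constructed for the example; 65532 is the distroless nonroot UID named in the PR, and `run_as_user` stands in for a pod-level "runAsUser" override.

```python
"""Model of the runAsNonRoot admission decision against a Dockerfile USER line.

Added example only; it mirrors the kubelet's logic as understood by the
author of this example and is not code from CoreDNS or Kubernetes.
"""
import re
from typing import Optional, Tuple

# Constructed Dockerfile fragments: the "before" form from the PR description
# (a user *name*) and the "after" form (a numeric UID:GID).
DOCKERFILE_BEFORE = """\
FROM example-distroless-base   # placeholder base image, not the real one
ADD coredns /coredns
USER nonroot:nonroot
ENTRYPOINT ["/coredns"]
"""

DOCKERFILE_AFTER = """\
FROM example-distroless-base   # placeholder base image, not the real one
ADD coredns /coredns
USER 65532:65532
ENTRYPOINT ["/coredns"]
"""

_USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def image_user(dockerfile: str) -> str:
    """Return the effective User config of an image built from `dockerfile`.

    Docker keeps the *last* USER directive; with none present the image
    config User is empty, which runtimes treat as root.
    """
    matches = _USER_RE.findall(dockerfile)
    return matches[-1] if matches else ""


def verify_run_as_non_root(user_field: str, run_as_user: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a container with runAsNonRoot=true may start.

    `user_field` is the image config User ("user", "user:group", or "").
    `run_as_user` is an explicit runAsUser from the pod/container
    securityContext; when set it takes precedence over the image.
    Returns (allowed, reason).
    """
    # An explicit runAsUser is authoritative: the kubelet checks only that it is not 0.
    if run_as_user is not None:
        if run_as_user == 0:
            return False, "runAsUser is 0, which breaks the non-root policy"
        return True, f"runAsUser={run_as_user} is non-root"

    # Only the user part matters for this check; the group is ignored.
    user = user_field.split(":", 1)[0]

    # No User in the image config: the runtime reports uid 0, so the image runs as root.
    if user == "":
        return False, "image has no user set, so it will run as root"

    # Numeric user: the kubelet can verify it directly, without /etc/passwd.
    if user.isdigit():
        uid = int(user)
        if uid == 0:
            return False, "image will run as root (uid 0)"
        return True, f"image user is numeric uid {uid}, verified non-root"

    # A user *name* cannot be resolved by the kubelet, so it refuses to start the
    # container even if the name would map to a non-root uid inside the image.
    return False, f"image has non-numeric user ({user}); cannot verify it is non-root"


if __name__ == "__main__":
    for label, df in (("before", DOCKERFILE_BEFORE), ("after", DOCKERFILE_AFTER)):
        u = image_user(df)
        ok, why = verify_run_as_non_root(u)
        print(f"{label}: USER {u!r} -> {'admitted' if ok else 'rejected'}: {why}")
```

Note that the numeric form also sidesteps the point raised in the thread about the user not existing: a UID in the image config needs no /etc/passwd entry, whereas a name does, so the same container that Kubernetes can now verify also starts without a matching user database entry in the base image.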