possible to run apicurio-registry-mssql container without root permissions ; userid>999 #3258

Closed
MrRedHead opened this issue Apr 4, 2023 · 0 comments · Fixed by #3261
Labels
area/storage type/enhancement New feature or request

Comments

@MrRedHead

Feature or Problem Description

The docker container apicurio-registry-mssql runs under user jboss and root group.

# id
uid=185(jboss) gid=0(root) groups=0(root)

This is not possible in a hardened rke2 environment due to CIS 1.6 and pod security policy global-restricted-psp, where it isn't possible to run containers with userid/grpid < 1000 and root permissions.

Proposed Solution

Run the apicurio-registry-mssql docker container without root permissions (Non-Privileged User) and userid/grpid>999, which is an obligation in a restricted / hardened environment.

Additional Context

https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand/
https://github.com/Apicurio/apicurio-registry/blob/main/distro/docker/src/main/docker/Dockerfile.mssql.jvm
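
A check for the constraint described in this issue, as an added example (not part of the original issue or of the Apicurio project): it parses one line of `id` output and reports every uid/gid that is 0 or below 1000. The function names and the `MIN_ID` variable are assumptions of the example; the first sample line is the one quoted in the issue, the second is constructed.

```sh
#!/bin/sh
# Added example: audit one line of `id` output against the rule from the issue
# (no uid/gid 0, every uid/gid above 999). Names and MIN_ID are assumptions.
MIN_ID=1000

# field_ids LINE KEY: print the numeric ids of field KEY, space separated.
field_ids() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" |
        tr ',' '\n' | sed 's/(.*//' | tr '\n' ' '
}

# check_id_line LINE: print PASS, or FAIL plus each offending field.
# Returns 0 on pass, 1 on violation, 2 if no uid could be parsed.
check_id_line() {
    local line="$1" key n violations=""
    if [ -z "$(field_ids "$line" uid)" ]; then
        echo "ERROR: no uid field in input"
        return 2
    fi
    # id prints euid=/egid= only when they differ from uid/gid.
    for key in uid euid gid egid groups; do
        for n in $(field_ids "$line" "$key"); do
            case "$n" in ''|*[!0-9]*) continue ;; esac
            if [ "$n" -eq 0 ]; then
                violations="$violations $key=$n:root"
            elif [ "$n" -lt "$MIN_ID" ]; then
                violations="$violations $key=$n:below-$MIN_ID"
            fi
        done
    done
    if [ -n "$violations" ]; then
        echo "FAIL:$violations"
        return 1
    fi
    echo "PASS"
}

# Line quoted in the issue, then a constructed compliant line.
check_id_line 'uid=185(jboss) gid=0(root) groups=0(root)' || true
check_id_line 'uid=1001(app) gid=1001(app) groups=1001(app)' || true
# Live check inside a running container: check_id_line "$(id)"
```

Supplementary groups are checked as well as the primary gid, so an image that keeps gid 0 only as a supplementary group is still reported.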

@MrRedHead MrRedHead added the type/enhancement New feature or request label Apr 4, 2023
jsenko added a commit to jsenko/apicurio-registry that referenced this issue Apr 5, 2023
jsenko added a commit to jsenko/apicurio-registry that referenced this issue Apr 5, 2023
jsenko added a commit to jsenko/apicurio-registry that referenced this issue Apr 6, 2023
riprasad pushed a commit to jsenko/apicurio-registry that referenced this issue Apr 27, 2023
jsenko added a commit to jsenko/apicurio-registry that referenced this issue Apr 27, 2023
EricWittmann pushed a commit that referenced this issue May 29, 2023
* feat: do not run images under root UID/GID

Resolves #3258

* Support arbitrary user ids

---------

Co-authored-by: Rishab Prasad <[email protected]>