Handling Containers that runAsRoot #293

Open
3 tasks
andrewg-xyz opened this issue Oct 11, 2024 · 3 comments

Comments

@andrewg-xyz
Contributor

There is software (and containers) that seem to require running as root (tip: you shouldn't). We will proactively encourage upstream to avoid this bad practice (ex. confluent#364).

Do we actively prohibit containers running as root?

Tasks


(summary of offline discussion)

Summary of Discussion on Root Containers in Kubernetes

The team engaged in a conversation regarding the challenges and risks of running containers as root in Kubernetes, prompted by @corang's concern about packages requiring root.

  • Initial Concern: @corang pointed out the difficulty of avoiding root containers, asking if running as root is a show-stopper for apps in the appstore.

  • General Consensus:

    • @docandrew and @TheFutonEng mentioned that their apps currently require root due to specific functionalities (e.g., capturing traffic or running web servers), but they hoped root containers would be discouraged, not forbidden.
    • @andrewg-xyz clarified that the team should discourage root containers and address them case-by-case. While not illegal, root containers should be mitigated or limited whenever possible, especially for security purposes.
  • Security Risk Discussion:

    • @corang expressed that running root containers in Kubernetes poses a significant security risk. @TheFutonEng shared a scenario where avoiding root would require substantial upstream contributions, delaying project timelines.
    • @andrewg-xyz emphasized that while root containers are highly discouraged, exceptions can be made depending on the context and mitigations.
  • Mitigation Suggestions:

  • Conclusion: The discussion indicated a need to balance security with functionality, using mitigations like user namespaces or separate clusters. The topic of root containers might influence badging levels in the appstore, with stricter rules (e.g., Gold or Silver level) being considered for apps running root containers. Further input was requested from experts like @bburky and @tomclapper to refine the team's stance on the matter.

@corang
Contributor

corang commented Oct 11, 2024

I think I'm on team "Must be non-root for silver where intrinsic application functionality doesn't require it"

@corang
Contributor

corang commented Oct 11, 2024

I'd also like to say that any containers running as root or root-ish need to have justifications/explanations, even at bronze.

@zachariahmiller
Contributor

zachariahmiller commented Oct 11, 2024

Completely agree with @corang on this regarding his two comments.
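
An added example, not part of the thread and not the project's code: one way to check a pod manifest for containers that run as root or "root-ish" and that carry no justification, as the comments above ask for. The annotation key, the sample pod, and the reading of "root-ish" as privileged mode or added capabilities are assumptions made for this example.

```python
# Hypothetical annotation key for the justification; not defined by the project.
JUSTIFY_KEY = "example.invalid/root-justification"

# Constructed sample, shaped like the output of `kubectl get pod -o json`.
SAMPLE_POD = {
    "metadata": {"name": "demo", "annotations": {}},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
        "containers": [
            {"name": "web", "securityContext": {"runAsUser": 0}},
            {"name": "sniffer",
             "securityContext": {"capabilities": {"add": ["NET_RAW"]}}},
            {"name": "sidecar"},
        ],
    },
}

def root_findings(pod):
    """Return {container name: [reasons]} for containers that may run as root or root-ish."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # Container-level settings take precedence over pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        reasons = []
        if uid == 0:
            reasons.append("runAsUser is 0")
        elif uid is None and not non_root:
            # Nothing pins the user, so the image's default user (often root) applies.
            reasons.append("no runAsUser or runAsNonRoot; image default user may be root")
        if sc.get("privileged"):
            reasons.append("privileged")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            reasons.append("adds capabilities: " + ",".join(added))
        if reasons:
            findings[c["name"]] = reasons
    return findings

def unjustified(pod):
    """Names of flagged containers when the pod has no justification annotation."""
    notes = pod.get("metadata", {}).get("annotations") or {}
    if notes.get(JUSTIFY_KEY, "").strip():
        return []
    return sorted(root_findings(pod))

if __name__ == "__main__":
    print(root_findings(SAMPLE_POD), unjustified(SAMPLE_POD))
```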
