-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use non-root user in docker images #85
Conversation
Run as non-root user and group In the unlikely event that you are currently persisting data to disk then this change may break file read/write access due to a change in the UID/GID that the oauth2_proxy process runs as. Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users. An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required. Least access privileges. Close: #78 Locally with Docker (`-version`): ``` $ ps aux | grep oauth2 2000 25192 6.0 0.0 0 0 ? Ds 15:53 0:00 [oauth2_proxy] ``` Running in Kubernetes 1.13 with the following also specified: ``` securityContext: readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 10001 ``` ``` $ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh /opt $ whoami whoami: unknown uid 10001 /opt $ ps aux PID USER TIME COMMAND 1 10001 0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180 11 10001 0:00 sh 17 10001 0:00 ps aux ``` <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] My change requires a change to the documentation or CHANGELOG. - [x] I have updated the documentation/CHANGELOG accordingly. - [x] I have created a feature (non-master) branch for my PR.
@JoelSpeed - no saving old PR. :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for reopening this! I've made a suggestion to improve the changelog, let me know what you think on that, happy with everything else
Co-Authored-By: kskewes <karl.skewes@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great! Thanks 😄
Description
Run as non-root user and group
In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.
Motivation and Context
Run as non-root system user and group
oauth2proxy
with UID/GID2000
to avoid clashing with typical local users.An alternative to creating a separate user is to
chown binary andrun asUSER nobody
, which also works, can amend this PR if required.Least access privileges.
Close: #78
How Has This Been Tested?
Locally with Docker (
-version
):Running in Kubernetes without
securityContext
:Running in Kubernetes 1.13 with the following also specified: