-
Notifications
You must be signed in to change notification settings - Fork 35
/
_use_non_root.md.erb
51 lines (40 loc) · 2.33 KB
/
_use_non_root.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<%
=begin
apps: none
platforms: kubernetes
id: use_non_root
title: Use non-root containers
category: configuration
weight: 10
highlight: 10
=end %>
Ensuring that a container is able to perform only a very limited set of operations is vital for production deployments. This is possible thanks to the use of non-root containers, which are executed by a user different from root. Although creating a non-root container is a bit more complex than a root container (especially regarding filesystem permissions), it is absolutely worth it. Also, in environments like Openshift, [using non-root containers is mandatory](https://engineering.bitnami.com/articles/running-non-root-containers-on-openshift.html).
In order to make your Helm chart work with non-root containers, add the [*securityContext*](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) section to your *yaml* files.
This is what we do, for instance, in the Bitnami Elasticsearch Helm chart. This chart deploys several Elasticsearch *StatefulSets* and *Deployments* (data, ingestion, coordinating and master nodes), all of them with non-root containers. If we check the master node *StatefulSet*, we see the following:
~~~
spec:
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end }}
~~~
The snippet above changes the permissions of the mounted volumes, so the container user can access them for read/write operations. In addition to this, inside the container definition, we see another *securityContext* block:
~~~
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
~~~
In this part we specify the user running the container. In the *values.yaml* file, we set the default values for these parameters:
~~~
## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
securityContext:
enabled: true
fsGroup: 1001
runAsUser: 1001
~~~
With these changes, the chart will work as non-root in platforms like GKE, Minikube or Openshift.
### Next steps: Implement best practices to create production-ready Helm charts
Learn more about the best practices to create production-ready Helm charts in [this tutorial](https://docs.bitnami.com/tutorials/production-ready-charts/#use-non-root-containers).