Current guidance on how to run containerized CRDB clusters has users running as root in the container

[keith-mcclellan]

Keith McClellan (keith-mcclellan) commented:

Our current guidance, instructions, config files, etc for running CRDB in a containerized environment has cockroachdb running as root inside the container. This is a security vulnerability and needs to be addressed as soon as possible.

I checked our default configs and instructions for Helm, StatefulSets (static config), and Docker all run the crdb container as the root user. There’s also no mention of changing this in our Production Checklist. This was discovered during the work packaging the new K8s operator for OpenShift because it detects that we're trying to exec inside the container as root.

Jira Issue: DOC-772

[jseldess]

This relates to #7697, I think.

@keith-mcclellan, are you referring to all our Kubernetes, docker, and Mesosphere tutorials, or something in particular?

[keith-mcclellan]

It appears to be everything, although I didn't check every single doc (for example, I didn't check the Mesosphere docs). I checked the k8s deployment docs including the statefulset, the default behavior in the helm chart, and our docker instructions.

[jseldess]

Related Slack thread: https://cockroachlabs.slack.com/archives/CGA9F858R/p1600278757094400

@johnrk, @piyush-singh, this needs your eyes in terms of prioritization with @taroface.

[aaron-crl]

cc @thtruo for visibility and tracking.

[taroface]

@keith-mcclellan Thanks for filing.

Would this mean adding a --user flag to this command in the manifest we use to initialize the cluster?

Can you help me understand where the Helm chart/values would need to change? I can't quite tell at first glance.

[keith-mcclellan]

I wouldn't be surprised if we simply can't do this with the current helm chart, I don't see any code in there regarding this type of security setting. We may need a related enhancement there. In effect we need our docs for k8s to set a security context for the user and group the container will run as. See k8s docs on this topic here: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/