Error "is running as root" with "runAsNonRoot: true" #7

Open
nlamirault opened this issue Oct 1, 2020 · 3 comments

Comments


nlamirault commented Oct 1, 2020

I've got an error "oauth2-proxy in the Deployment oauth2-proxy is running as root" while I use:

```yaml
runAsNonRoot: true
runAsUser: 2000
```

The YAML:

```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  labels:
    app: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - args:
        - --http-address=0.0.0.0:4180
        - --config=/etc/oauth2-proxy/oauth2-proxy.toml
        - --upstream=file:///dev/null
        - --pass-host-header=true
        - --pass-user-headers=true
        - --set-xauthrequest=true
        - --pass-basic-auth=true
        image: quay.io/oauth2-proxy/oauth2-proxy:v6.1.1
        livenessProbe:
          httpGet:
            path: /ping
            port: http
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          name: http
        readinessProbe:
          httpGet:
            path: /ping
            port: http
        resources:
          limits:
            cpu: 50m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 20Mi
        volumeMounts:
        - name: config
          mountPath: /etc/oauth2-proxy
          readOnly: true
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: oauth2-proxy
      volumes:
      - name: config
        configMap:
          name: oauth2-proxy
```
```
❯ conftest test resources/identity/oauth2-proxy/base/deployment.yaml -p addons/policies/instrumenta/policy/
FAIL - resources/identity/oauth2-proxy/base/deployment.yaml - oauth2-proxy in the Deployment oauth2-proxy doesn't drop all capabilities
FAIL - resources/identity/oauth2-proxy/base/deployment.yaml - oauth2-proxy in the Deployment oauth2-proxy is not using a read only root filesystem
FAIL - resources/identity/oauth2-proxy/base/deployment.yaml - oauth2-proxy in the Deployment oauth2-proxy allows priviledge escalation
FAIL - resources/identity/oauth2-proxy/base/deployment.yaml - oauth2-proxy in the Deployment oauth2-proxy is running as root

30 tests, 26 passed, 0 warnings, 4 failures, 0 exceptions
```

srenatus commented Oct 1, 2020

Isn't securityContext supposed to be indented a level more, i.e., on the same level as args? Will this change your results?


jalseth commented Oct 2, 2020

@srenatus securityContext can be set at both the Pod and Container level. They map to PodSecurityContext and SecurityContext types respectively which have different options. In this case though, the policy is checking the security context of the container so it needs to be one level more indented.


srenatus commented Oct 2, 2020

Yeah so this is asking for a policy change, then? So that the violation code cares for both places where this could be set?
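One way the policy could care for both places, as an added example that is not part of this thread or of the instrumenta/policies repository: a Rego rule that resolves the effective value of a securityContext field for each container (container-level overrides pod-level, as the Kubernetes API merges them), and only reports "running as root" when neither level sets `runAsNonRoot: true`. It generalises slightly beyond the Deployment in the issue: it walks `spec.template.spec` of any workload kind and also covers `initContainers`. The helper names `effective_security_setting` and `workload_containers` are assumptions of this example, not names from the original policy set.

```rego
package main

import rego.v1

# Added example, not from instrumenta/policies. Resolve the *effective*
# securityContext value for a container: a container-level field overrides the
# pod-level one; null means neither level set it, so the cluster default applies
# (for runAsNonRoot the default is "not enforced").
# Helper names below are assumed for this example.
effective_security_setting(pod_spec, container, field) := object.get(
    container,
    ["securityContext", field],
    object.get(pod_spec, ["securityContext", field], null)
)

# Any kind with a pod template (Deployment, StatefulSet, DaemonSet, Job, ...).
# Undefined for documents without a template, so the deny rules stay silent there.
pod_spec := input.spec.template.spec

# Init containers carry their own securityContext and are checked too.
workload_containers contains c if some c in pod_spec.containers

workload_containers contains c if some c in pod_spec.initContainers

# Report root only when neither the container nor the pod asks for non-root.
deny contains msg if {
    some c in workload_containers
    effective_security_setting(pod_spec, c, "runAsNonRoot") != true
    msg := sprintf(
        "%s in the %s %s is running as root (runAsNonRoot is not true at container or pod level)",
        [c.name, input.kind, input.metadata.name]
    )
}

# runAsNonRoot: true combined with an explicit runAsUser: 0 is contradictory;
# the kubelet refuses to start such a container, so flag it before deploy time.
deny contains msg if {
    some c in workload_containers
    effective_security_setting(pod_spec, c, "runAsUser") == 0
    msg := sprintf(
        "%s in the %s %s explicitly runs as UID 0",
        [c.name, input.kind, input.metadata.name]
    )
}
```

Run against the manifest in the issue (`conftest test deployment.yaml -p <dir containing this file>`) the "is running as root" finding disappears, because `runAsNonRoot: true` and `runAsUser: 2000` at the pod level are inherited by the container. The other three findings are a different matter: `capabilities`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` exist only on the container-level SecurityContext, not on PodSecurityContext, so a policy is right to require them on each container and they still have to be added under `containers[].securityContext`.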
