RunAs unprivileged user #235
Comments
I believe it is already supported in the sense that you can run a Distroless-based image as some other user. Is your question that the image should default to a non-root user? If yes, then which UID is safe on all systems?
@mariusgrigoriu yes, I meant as a default value. I think something above 1000 is safe, unless there's something I am missing.
I've seen user accounts in the 5000s for GKE/COS. Other systems and their admins may decide on other UID ranges. Seems like a base image should be able to operate under any UID according to the sys admin's preferences.
I don't think we'll be changing the default of this from 0. Most other official images use 0, and it's easily overridable in the runtime or in a base image.
Opening for discussion from #306.
I had a similar argument, but @HazCod's argument was that those images keep the root mainly due to the existence of a package manager, which doesn't apply to Distroless. In any case, if we do this, not sure if nobody would be a good fit, considering its nature. (Also nobody's home would be set to /nonexistent), so we may need to add a proper new user?
I'll add that we recommend avoiding running as root in our Best Practices for Operating Containers. My only argument against using
I'd love to see us at a minimum publish cc @jonjohnsonjr Can you TAL?
The disastrous python2 -> python3 migration may be our industry's greatest blunder. |
I second @mattmoor's statements. Specific use case for me is publishing knative images that don't take root privs. Currently it appears that
FTR, now the images have a user and a group all named "nonroot".
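As an added example (not from this thread or the Distroless project), here is how a consumer of the base image would use the `nonroot` user and group mentioned above, so the resulting image does not run as UID 0 by default while still being overridable at runtime as the earlier comment describes. The `golang:1.22` builder, the `gcr.io/distroless/static` image reference and the `/server` binary path are assumptions for illustration, not values from the thread.

```dockerfile
# Added example, not project code: multi-stage build that compiles a static
# Go binary and ships it in a Distroless base image running as "nonroot".
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
# CGO disabled so the binary needs no libc inside the static image (assumed layout).
RUN CGO_ENABLED=0 go build -o /out/server .

FROM gcr.io/distroless/static
COPY --from=build /out/server /server
# Switch to the "nonroot" user and group the thread says the images provide.
# Anything the process must write to should be chowned or mounted accordingly.
USER nonroot:nonroot
ENTRYPOINT ["/server"]
```

The image-level `USER` is a default, not a lock: a sysadmin with their own UID convention (the 5000s range mentioned for GKE/COS, for instance) can still start it with `docker run --user 5000:5000 <image>`. One caveat for Kubernetes users: because `nonroot:nonroot` is a name rather than a numeric ID, a pod `securityContext` with `runAsNonRoot: true` alone cannot verify the UID from image metadata and the kubelet will refuse to start the container; set a numeric `runAsUser` alongside it.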
This doesn't apply to the language builds yet, does it?
@loosebazooka all the images have the
Is there a plan to support a non-root user inside base?