To make sure images do not run as root in our Kubernetes clusters, the images need a numeric UID rather than a user name in the Dockerfile's "USER" instruction. The kubelet's runAsNonRoot check, when the pod does not set runAsUser explicitly, only looks at the image's Config.User: a numeric UID can be verified, a user name cannot be resolved by the kubelet and the pod is rejected with "container has runAsNonRoot and image has non-numeric user", and an unset USER means the image runs as UID 0.
We need to check and potentially rebuild all production images running in our cluster (snapshot as of 2021-02-09):
- coredns:1.5.2-1 (currently binds to port 53, a privileged port, so it needs root or CAP_NET_BIND_SERVICE; runs in kube-system)
- eventrouter:0.3.0-4
- tiller:2.16.7-wmf1
- nutcracker:latest
- prometheus-statsd-exporter:0.0.5
- prometheus-statsd-exporter:0.0.7
- envoy:1.15.1-2
The following ones are only used by api-gateway, so they should be merged and deployed together via https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/664523
- envoy-future:1.16.0
- ratelimit:1.5.1
- fluent-bit:1.5.3-0
What Kubernetes (the kubelet's runAsNonRoot check) effectively does, approximated in shell:
docker inspect "$IMAGE_ID" | jq -r '.[0].Config.User' | { read -r u; echo "USER=${u:-<unset>}"; if ! [[ "$u" =~ ^[0-9]+(:[0-9]+)?$ ]]; then echo "Nono"; fi; }
Note that jq -r is required: without it the value is printed with its JSON quotes and never matches the regex. An empty USER (no USER instruction, i.e. root) also fails the check, which is the intended outcome. The kubelet itself only parses the user half of "user:group", so "1000:nogroup" passes in Kubernetes even though this regex rejects it.
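To audit the whole image list above in one go, here is an added example script (not part of this task or the deployment-charts repository) that mirrors the kubelet's verdict on Config.User: empty means root, a numeric user part is accepted, anything else is unverifiable. The function names classify_user and check_images are my own; the script assumes docker and jq are installed and that the images are known to the local daemon.

```sh
#!/bin/sh
# Added example (not from the task or the deployment-charts repo): mirror the
# kubelet's runAsNonRoot verdict for an image's Config.User value so a list of
# images can be audited before deciding which ones need a rebuild.

# classify_user: given the raw Config.User string from `docker inspect`,
# print "root", "numeric" or "non-numeric". Like the kubelet, only the user
# half of "user:group" is examined; an empty value means uid 0.
classify_user() {
    user_part=${1%%:*}
    case "$user_part" in
        "")        echo root ;;         # no USER instruction in the Dockerfile
        *[!0-9]*)  echo non-numeric ;;  # a name the kubelet cannot resolve
        *)         if [ "$user_part" -eq 0 ]; then echo root; else echo numeric; fi ;;
    esac
}

# check_images: inspect each image given as an argument and print one line per
# image; the exit status is non-zero if any image would fail runAsNonRoot.
# Requires docker and jq (hypothetical helper, not part of any tooling).
check_images() {
    rc=0
    for img in "$@"; do
        u=$(docker inspect "$img" | jq -r '.[0].Config.User')
        verdict=$(classify_user "$u")
        printf '%s\tUSER=%s\t%s\n' "$img" "${u:-<unset>}" "$verdict"
        [ "$verdict" = numeric ] || rc=1
    done
    return "$rc"
}

# Usage: ./check-image-user.sh coredns:1.5.2-1 envoy:1.15.1-2 ...
if [ "$#" -gt 0 ]; then
    check_images "$@"
fi
```

On the image side the fix is the numeric form in the Dockerfile, e.g. `USER 65534:65534` instead of `USER nobody`; Kubernetes does not need the UID to exist in the image's /etc/passwd, but software that looks up its own user name at startup may, so the rebuilt image should still be smoke-tested.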