To ensure images are not running as root in Kubernetes clusters, we need the images to have numeric UIDs rather than user names set in the "USER" instruction (via Dockerfile).
We need to check and potentially rebuild all production-images that are running in our cluster (snapshot as of 2021-02-09):
[ ] coredns:1.5.2-1 (currently binds to port 53, needs root and is running in kube-system)
[ ] envoy-future:1.16.0
[x] eventrouter:0.3.0-4
[ ] fluent-bit:1.5.3-0 (needs deploy)
[ ] kube-policy-controller:latest (no need to update that, need to check newer calico version containers, though)
[ ] nutcracker:latest
[ ] prometheus-statsd-exporter:0.0.5
[ ] prometheus-statsd-exporter:0.0.7
[ ] envoy:1.15.1-2
The following ones are only used in api-gateway, so they should be merged and deployed together in https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/664523
[ ] envoy-future:1.16.0
[ ] ratelimit:1.5.1 (needs deploy)
[x] tiller:2.16.7-wmf1
What Kubernetes basically does for validation is:
```
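# jq -r strips the JSON quotes so the regex sees the bare value; an empty or named USER prints "Nono"
docker inspect "$IMAGE_ID" | jq -r '.[].Config.User' | { read -r u; echo "$u"; if ! [[ "$u" =~ ^[0-9]+(:[0-9]+)?$ ]]; then echo "Nono"; fi; }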
```
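The same check as a reusable audit over a list of images, as an added example that is not part of the original task. It goes beyond the one-liner by also reporting an empty USER and a numeric UID of 0 as root, since `0` passes the regex; the function names, image names and USER values are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original task. The UID 0 check is an addition
# to the task's regex: a numeric USER of 0 is still root.

# classify_user VALUE -> prints ok | root | non-numeric
classify_user() {
    # Empty USER means the image has no USER instruction and runs as UID 0.
    [ -n "$1" ] || { echo root; return; }
    uid=${1%%:*}                                   # part before ":group"
    # Same shape as the task's regex ^[0-9]+(:[0-9]+)?$
    case "$uid" in ''|*[!0-9]*) echo non-numeric; return ;; esac
    case "$1" in
        *:*) case "${1#*:}" in ''|*[!0-9]*) echo non-numeric; return ;; esac ;;
    esac
    case "$uid" in
        *[!0]*) echo ok ;;                         # at least one non-zero digit
        *)      echo root ;;                       # "0", "00", ...
    esac
}

# audit_images: reads "IMAGE USER" lines on stdin, prints every image that
# fails and returns 1 if there was one. In real use each line could come from
#   docker inspect --format '{{.Config.User}}' "$image"
audit_images() {
    rc=0
    while read -r image user; do
        verdict=$(classify_user "$user")
        if [ "$verdict" != ok ]; then
            echo "$image: $verdict (USER='$user')"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input; image names and USER values are hypothetical.
audit_images <<'EOF' || echo "rebuild the images listed above with a numeric USER"
example/app-a:1.0 65534
example/app-b:1.0 nobody
example/app-c:1.0
example/app-d:1.0 0:0
example/app-e:1.0 1000:1000
example/app-f:1.0 1000:users
EOF
```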