kube-bench
Docker image build with a non-root user account
Overview
Our container scanning tool triggers a HIGH severity compliance alert after a security scan of the image aquasec/kube-bench:latest.
How did you run kube-bench?
N/A
What happened?
Description of the alert: '(CIS_Docker_v1.2.0 - 4.1) Image should be created with a non-root user. It is a good practice to run the container as a non-root user, if possible.'
What did you expect to happen:
Security scan completion without alerts.
Environment: kind v0.11.0 go1.16.4 linux/amd64
[What is your version of kube-bench? (run kube-bench version)]
v0.6.3
[What is your version of Kubernetes? (run kubectl version or oc version on OpenShift.)]
Client Version: "v1.19.11"
Server Version: "v1.21.1"
Running processes: N/A
Configuration files: N/A
Anything else you would like to add:
We are willing to open a pull request to fix this issue.
We are suggesting to update the Dockerfile with the following:
RUN adduser -S -s /bin/sh -G root -u 1001 kube-bench
USER kube-bench
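The check the scanner applied (CIS Docker v1.2.0, 4.1) and the proposed Dockerfile fix, as an added example that is not part of this issue or of the kube-bench project: a small Python checker that reports whether a Dockerfile's final build stage runs as a non-root user, including the multi-stage case where a USER set in an earlier stage does not carry into the image. The two sample Dockerfiles are constructed; the alpine base image and the ENTRYPOINT line are assumptions.

```python
"""Evaluate a Dockerfile against CIS Docker Benchmark v1.2.0 check 4.1:
the image must switch to a non-root user before the final stage ends."""
import re
from typing import Optional

# Constructed sample mirroring the fix proposed in this issue
# (base image and ENTRYPOINT are assumptions, not the project's Dockerfile).
FIXED_DOCKERFILE = """\
FROM alpine:3.14
COPY kube-bench /usr/local/bin/kube-bench
RUN adduser -S -s /bin/sh -G root -u 1001 kube-bench
USER kube-bench
ENTRYPOINT ["kube-bench"]
"""

# Constructed sample with no USER instruction: this is what raises the alert.
ROOT_DOCKERFILE = """\
FROM alpine:3.14
COPY kube-bench /usr/local/bin/kube-bench
ENTRYPOINT ["kube-bench"]
"""

def _instructions(dockerfile: str):
    """Yield (instruction, argument) pairs, joining backslash line
    continuations and skipping comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", dockerfile)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")

def final_stage_user(dockerfile: str) -> Optional[str]:
    """Return the effective user of the last build stage, or None when the
    image would run as root by default. Each FROM starts a new stage whose
    default user is root, so only the last stage's USER counts."""
    user = None
    for instr, arg in _instructions(dockerfile):
        if instr == "FROM":
            user = None
        elif instr == "USER":
            user = arg.split(":")[0]  # drop an optional ":group" suffix
    return user

def is_non_root(dockerfile: str) -> bool:
    """CIS 4.1 passes when a final user is set and it is neither 'root' nor UID 0."""
    user = final_stage_user(dockerfile)
    return user is not None and user not in ("root", "0")

if __name__ == "__main__":
    for name, df in (("fixed", FIXED_DOCKERFILE), ("root", ROOT_DOCKERFILE)):
        print(f"{name}: {'PASS' if is_non_root(df) else 'FAIL'} (user={final_stage_user(df)})")
```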
I think we had this issue before and we need to run this as root because else some test couldn't be checked. The quickest way to test it will be to just run it with root and without and compare results. Could you do it @sosadtsia ? ( If not I will get to it in a few days )
Hi @yoavrotems . I've tested builds of two images, with and without a root user. After comparing the output results of the kube-bench
tests for both scenarios, I wasn't able to find any discrepancies. You can find the output for both tests here
Hey @sosadtsia, thanks for running and comparing it. In the link you attached I could only see one case's results; could you please add the second one?
Hey @yoavrotems . You can find the second one here