kpack
SGID on the /layers directory.
The images created with kpack all have the SGID bit set on the /layers directory:

```
drwxrwsrwx 1 root cnb 4096 Jan 1 1980 /layers/
```

However, there's no need to do that, because executables inside of the image are running as the cnb user anyway:

```
cnb 1 0.3 0.5 1335836 44612 ? Ssl Aug17 9:45 /layers/tanzu-buildpacks_go-build/targets/bin/bob --health-probe-bind-address=:8081 --metrics-bind-address=127.0.0.1:8080 --leader-elect
```

Is there any specific reason for the SGID? If not, can it be dropped?
The current issue is that k8s will set the SGID on volumes when the fsGroup field is set on a container, which is set at the pod securityContext level in build pods. The lifecycle will not modify the permissions and will publish the SGID bit to the registry.
Possible mitigations include updating the cnb lifecycle to remove this permission.
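The check and the mitigation discussed above, as an added example that is not kpack's or the lifecycle's own code: a POSIX shell script that builds a constructed layers tree carrying the setgid bit the way an fsGroup-managed volume would, lists every directory under it that still has the bit, and strips the bit without changing the other permission bits. The directory names are modelled on the `ps` output in the issue; the paths and the `bob` stub are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from kpack or the CNB lifecycle.
# Demonstrates detecting and removing the setgid bit on a layers tree
# before it would be exported to a registry.

# Build a constructed layers tree and mark it setgid, imitating how a
# Kubernetes volume looks after fsGroup has been applied to it.
make_sample_layers() {
    root="$1"
    mkdir -p "$root/tanzu-buildpacks_go-build/targets/bin"
    chmod 2777 "$root"                               # drwxrwsrwx, as in the issue
    chmod 2755 "$root/tanzu-buildpacks_go-build"     # a nested setgid directory
    printf '#!/bin/sh\necho bob\n' > "$root/tanzu-buildpacks_go-build/targets/bin/bob"
    chmod 755 "$root/tanzu-buildpacks_go-build/targets/bin/bob"
}

# Print every directory under $1 that has the setgid bit, one per line.
# Useful as a pre-export or CI check: no output means the tree is clean.
find_setgid_dirs() {
    find "$1" -type d -perm -g+s
}

# Number of setgid directories under $1 (0 means clean).
count_setgid_dirs() {
    find_setgid_dirs "$1" | wc -l | tr -d ' '
}

# Clear only the setgid bit on every directory under $1; rwx bits stay intact.
strip_setgid_dirs() {
    find "$1" -type d -perm -g+s -exec chmod g-s {} +
}

# Stand-alone demo on a temporary directory.
if [ "${DEMO:-0}" = "1" ]; then
    tmp=$(mktemp -d)
    make_sample_layers "$tmp/layers"
    echo "before: $(count_setgid_dirs "$tmp/layers") setgid dir(s)"
    strip_setgid_dirs "$tmp/layers"
    echo "after:  $(count_setgid_dirs "$tmp/layers") setgid dir(s)"
    rm -rf "$tmp"
fi
```

Run with `DEMO=1 sh script.sh` to see the count go from 2 to 0. The same `find ... -perm -g+s` check can be pointed at an unpacked image layer to confirm whether the bit was published, which is what the lifecycle issue linked below is about.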
Posed the question in lifecycle: https://github.com/buildpacks/lifecycle/issues/934