etcd-cluster-operator icon indicating copy to clipboard operation
etcd-cluster-operator copied to clipboard
verified publisher icon improbable-eng

Don't run restoreagent as root

Open JamesLaverack opened this issue 5 years ago • 2 comments

Currently the restoreagent executes as root in a pod. The etcd pod, which runs as root, expects the data directory to be owned by root:root. So the restore agent must be able to write to the PVC as root:root.

Ideally Kubernetes features such as fsGroup should be used to remove this requirement and run the restore agent as nonroot.

JamesLaverack avatar Jan 21 '20 16:01 JamesLaverack

We have the same issue when we try to run the operator - not only the restoreagent - as a non-root user, we can not set the security context (runAsUser,fsGroup) for the replicaSet.

I had a quick at the source code and seems like it's doable to implement it.

@JamesLaverack as you are part of improbable-eng Are there plans at improbable-eng to correct it? I also have the feeling that this project is abandoned (no replies to issues/PR requests)

ghost avatar Nov 03 '21 13:11 ghost

Hi @stafwag-idirect. To clarify, I'm not a member of Improbable but I am one of the authors of this operator. I can't speak to Improbable's ongoing intent. @adamhosier and @cheahjs might have more insight there.

We don't have any particular SLA on responding to comments and pull requests, but I can take a look at this when I get chance.

I agree that it should be pretty straightforward to implement though. :)

JamesLaverack avatar Nov 03 '21 23:11 JamesLaverack