
Error "is running as root" with "runAsNonRoot: true"

Open nlamirault opened this issue 4 years ago • 3 comments

I've got an error "oauth2-proxy in the Deployment oauth2-proxy is running as root" while I use:

runAsNonRoot: true
runAsUser: 2000

the YAML:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  labels:
    app: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - args:
        - --http-address=0.0.0.0:4180
        - --config=/etc/oauth2-proxy/oauth2-proxy.toml
        - --upstream=file:///dev/null
        - --pass-host-header=true
        - --pass-user-headers=true
        - --set-xauthrequest=true
        - --pass-basic-auth=true
        image: quay.io/oauth2-proxy/oauth2-proxy:v6.1.1
        livenessProbe:
          httpGet:
            path: /ping
            port: http
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          name: http
        readinessProbe:
          httpGet:
            path: /ping
            port: http
        resources:
          limits:
            cpu: 50m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 20Mi
        volumeMounts:
        - name: config
          mountPath: /etc/oauth2-proxy
          readOnly: true
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: oauth2-proxy
      volumes:
      - name: config
        configMap:
          name: oauth2-proxy
❯ conftest test resources/identity/oauth2-proxy/base/deployment.yaml -p addons/policies/instrumenta/policy/
FAIL - resources/identity/oauth2-proxy/base/deployment.yaml - oauth2-proxy in the Deployment oauth2-proxy doesn't drop all capabilities
FAIL - resources/identity/oauth2-proxy/base/deployment.yaml - oauth2-proxy in the Deployment oauth2-proxy is not using a read only root filesystem
FAIL - resources/identity/oauth2-proxy/base/deployment.yaml - oauth2-proxy in the Deployment oauth2-proxy allows priviledge escalation
FAIL - resources/identity/oauth2-proxy/base/deployment.yaml - oauth2-proxy in the Deployment oauth2-proxy is running as root

30 tests, 26 passed, 0 warnings, 4 failures, 0 exceptions

nlamirault, Oct 01 '20 07:10

Isn't securityContext supposed to be indented a level more, i.e., on the same level as args? Will this change your results?

srenatus, Oct 01 '20 07:10

@srenatus securityContext can be set at both the Pod and Container level. They map to PodSecurityContext and SecurityContext types respectively which have different options. In this case though, the policy is checking the security context of the container so it needs to be one level more indented.

jalseth, Oct 02 '20 00:10

Yeah so this is asking for a policy change, then? So that the violation code cares for both places where this could be set?

srenatus, Oct 02 '20 11:10
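Added example, not code from the instrumenta policies repo or from conftest: a small Python checker that resolves each container's effective securityContext from both the Pod and container levels, with the container level taking precedence as Kubernetes applies it, next to the container-only check the issue reports. The non-root rule and the helper names are my assumptions; the manifest is a constructed, trimmed copy of the Deployment above.

```python
import copy

# Fields defined on both PodSecurityContext and the container SecurityContext; a
# container-level value overrides the Pod-level one. fsGroup and friends are Pod-only.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                 "seLinuxOptions", "seccompProfile", "windowsOptions")

# Constructed, trimmed copy of the issue's Deployment: securityContext at Pod level only.
DEPLOYMENT = {
    "metadata": {"name": "oauth2-proxy"},
    "spec": {"template": {"spec": {
        "securityContext": {"fsGroup": 2000, "runAsNonRoot": True, "runAsUser": 2000},
        "containers": [{"name": "oauth2-proxy"}],
    }}},
}

def effective_security_context(pod_spec, container):
    """Resolve the securityContext the way the kubelet does: Pod-level shared fields
    act as defaults, container-level fields are layered on top."""
    pod_sc = pod_spec.get("securityContext") or {}
    merged = {k: v for k, v in pod_sc.items() if k in SHARED_FIELDS}
    merged.update(container.get("securityContext") or {})
    return merged

def runs_as_root(pod_spec, container):
    """Assumed rule: an explicit UID 0 is root; otherwise runAsNonRoot: true or a nonzero
    runAsUser counts as non-root. No setting means the image default, treated as root."""
    sc = effective_security_context(pod_spec, container)
    uid = sc.get("runAsUser")
    if uid == 0:  # explicit root UID wins over any runAsNonRoot flag
        return True
    return sc.get("runAsNonRoot") is not True and not (isinstance(uid, int) and uid > 0)

def container_only_runs_as_root(pod_spec, container):
    """The behaviour reported in the issue: only the container-level context is inspected."""
    return (container.get("securityContext") or {}).get("runAsNonRoot") is not True

def check_deployment(deployment, rule=runs_as_root):
    """Return the policy message for every container the given rule flags."""
    pod_spec = deployment["spec"]["template"]["spec"]
    name = deployment["metadata"]["name"]
    return [f"{c['name']} in the Deployment {name} is running as root"
            for c in pod_spec["containers"] if rule(pod_spec, c)]

def with_container_security_context(deployment, sc):
    """Copy of the Deployment with a container-level securityContext set on every container."""
    out = copy.deepcopy(deployment)
    for c in out["spec"]["template"]["spec"]["containers"]:
        c["securityContext"] = dict(sc)
    return out
```

Running the container-only rule against the manifest reproduces the "is running as root" failure from the issue, while the merged rule accepts it; a container that sets runAsUser: 0 is flagged by the merged rule even though the Pod level says runAsNonRoot: true.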