helm-charts
Modify Synthetics Job Manager Containers to Support Non-Root Execution
Description
We have observed that the New Relic Synthetics job manager images are configured to run as the root user. This configuration leads to compatibility issues in environments like OpenShift, which, by default, restricts running containers as root to enhance security. This restriction requires the application to run with privileged permissions, which is not ideal from a security standpoint.
Acceptance Criteria
- Modify Docker images to allow running as a non-root user.
- Ensure that the modified images maintain functionality when deployed in both Kubernetes and OpenShift environments.
- Document the changes and update any user guides or deployment instructions accordingly.
Describe Alternatives
We have considered using OpenShift's anyuid Security Context Constraint to allow the containers to run as root; however, this approach is not recommended due to security risks. An alternative could be to refactor the application to avoid the necessity of root privileges entirely, which would comply with best practices for container security.
Dependencies
This change will affect the deployment and operational teams responsible for managing the New Relic Synthetics job manager images.
Additional context
The use of non-root containers is a common practice to enhance security in containerized environments. Adapting our images to support running as a non-root user aligns with industry security standards and best practices, thus improving our compatibility with more secure and restricted environments like OpenShift.
Estimates
Given the scope of testing and documentation updates required, this task is estimated to be a Medium (M) effort, corresponding to 3-5 days of work.
https://new-relic.atlassian.net/browse/NR-262792
Any news here?
Hi @asafarian, I'm in the Solutions Consulting team at New Relic. Thanks for your patience while our Product team reviews this. Would you be open to a quick discussion about this request? If so, please reach out to me at: nlidbury [at] newrelic [dot] com