GitLab pods running with root privilege - Security concern
Summary
We see that all the component pods in GitLab are running with root privilege.
Need a new image which runs with non-root privilege.
Steps to reproduce
Deploy the latest Helm chart and check the Kyverno policy reports for the cluster.
Configuration used
Kyverno policy report:
- message: 'validation error: Root filesystem must be read-only. Exception made for Reflector. rule validate-readOnlyRootFilesystem failed at path /spec/containers/0/securityContext/readOnlyRootFilesystem/'
  policy: require-ro-rootfs
  result: fail
  rule: validate-readOnlyRootFilesystem
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1707670227
- message: 'validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule run-as-non-root[0] failed at path /spec/securityContext/runAsNonRoot/ rule run-as-non-root[1] failed at path /spec/initContainers/0/securityContext/'
  policy: require-run-as-nonroot
  result: fail
  rule: run-as-non-root
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1707670227
Current behavior
Pods are running with root privilege.
Expected behavior
Pods need to be executed with non-root privilege.
Versions
- Chart: 7.8.1
- Platform:
- Cloud: GKE
- Self-hosted: Gardener
- Kubernetes (`kubectl version`):
  - Client: v1.28.4
  - Server: v1.27.8
- Helm (`helm version`):
  - Client: v3.13.1
Relevant logs
- message: 'validation error: Root filesystem must be read-only. Exception made for Reflector. rule validate-readOnlyRootFilesystem failed at path /spec/containers/0/securityContext/readOnlyRootFilesystem/'
  policy: require-ro-rootfs
  result: fail
  rule: validate-readOnlyRootFilesystem
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1707670227
- message: 'validation error: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`. rule run-as-non-root[0] failed at path /spec/securityContext/runAsNonRoot/ rule run-as-non-root[1] failed at path /spec/initContainers/0/securityContext/'
  policy: require-run-as-nonroot
  result: fail
  rule: run-as-non-root
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1707670227
Edited by Jason Plum
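The two policy messages above spell out the exact rule semantics: `require-run-as-nonroot` passes if the pod-level `spec.securityContext.runAsNonRoot` is `true`, or if every container, initContainer and ephemeralContainer sets it; `require-ro-rootfs` wants `readOnlyRootFilesystem: true` on each container. The script below is an added example (not GitLab chart or Kyverno code) that re-implements those checks offline so a rendered manifest or `kubectl get ... -o json` output can be audited before Kyverno rejects it. It assumes the read-only-rootfs rule checks only `spec.containers`, as the upstream Kyverno library policy does, and does not reproduce the cluster's "Reflector" exception; the `example-webservice` Deployment, its container names and images are constructed sample data, not taken from the chart.

```python
import json


def _sc(obj):
    # securityContext may be absent or null in a rendered manifest
    return obj.get("securityContext") or {}


def run_as_non_root_failures(pod_spec):
    """Rule as stated in the report: pod-level runAsNonRoot: true satisfies it,
    otherwise every container, initContainer and ephemeralContainer must set it."""
    if _sc(pod_spec).get("runAsNonRoot") is True:
        return []
    failures = []
    for kind in ("containers", "initContainers", "ephemeralContainers"):
        for i, c in enumerate(pod_spec.get(kind) or []):
            if _sc(c).get("runAsNonRoot") is not True:
                failures.append(f"/spec/{kind}/{i}/securityContext/runAsNonRoot")
    return failures


def read_only_rootfs_failures(pod_spec):
    """Assumption: like the upstream Kyverno library policy, only spec.containers
    are checked; the cluster's 'Reflector' exception is not reproduced here."""
    return [
        f"/spec/containers/{i}/securityContext/readOnlyRootFilesystem"
        for i, c in enumerate(pod_spec.get("containers") or [])
        if _sc(c).get("readOnlyRootFilesystem") is not True
    ]


def audit(manifest_json):
    """Return {policy: [failing JSON-pointer-style paths]} for a Pod, or for a
    workload whose pod template lives at spec.template.spec."""
    spec = json.loads(manifest_json)["spec"]
    if "template" in spec:  # Deployment, StatefulSet, DaemonSet, Job
        spec = spec["template"]["spec"]
    return {
        "require-run-as-nonroot": run_as_non_root_failures(spec),
        "require-ro-rootfs": read_only_rootfs_failures(spec),
    }


def _deployment(pod_spec):
    # Constructed wrapper; the name and images are illustrative only
    return json.dumps({"apiVersion": "apps/v1", "kind": "Deployment",
                       "metadata": {"name": "example-webservice"},
                       "spec": {"template": {"spec": pod_spec}}})


# Constructed sample shaped like the failing report: neither the init
# container nor the main container sets a securityContext.
UNHARDENED = _deployment({
    "initContainers": [{"name": "configure", "image": "example/configure:1"}],
    "containers": [{"name": "webservice", "image": "example/webservice:1"}],
})

# Constructed hardened variant: non-root at pod level (covers the init container
# too), read-only root fs, and an emptyDir mounted where the process must write.
HARDENED = _deployment({
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000},
    "initContainers": [{"name": "configure", "image": "example/configure:1"}],
    "containers": [{
        "name": "webservice", "image": "example/webservice:1",
        "securityContext": {"readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False},
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}],
})


if __name__ == "__main__":
    import sys
    # Pipe `kubectl get pod <name> -o json` in, or run with no input to see the samples.
    docs = [sys.stdin.read()] if not sys.stdin.isatty() else [UNHARDENED, HARDENED]
    for doc in docs:
        print(json.dumps(audit(doc), indent=2))
```

Two caveats when applying the hardened shape to the chart's pods: `runAsNonRoot: true` is also enforced by the kubelet at container start against the image's `USER` (or an explicit `runAsUser`), so a root image will be refused rather than silently demoted, which is why this report asks for a non-root image and not only a `securityContext` change; and `readOnlyRootFilesystem: true` only works once every path the process writes to (temp dirs, caches, generated config) is backed by a volume, as the `emptyDir` at `/tmp` illustrates.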