Modify containers according to OpenShift best practices for enhanced security
Summary
Deployment on OpenShift is barely possible because the current recommendation (granting `anyuid` for container execution) is a security problem.
Current behavior
`anyuid` needs to be granted to the service account or, even worse, to the whole OpenShift cluster.
Expected behavior
Containers are built in a more secure way, following the Red Hat best practices for building containers that can run on any (including hardened) Kubernetes/OpenShift cluster.
The image build guidelines are documented here: https://docs.openshift.com/container-platform/4.4/openshift_images/create-images.html#images-create-guide-openshift_create-images
Especially the part about supporting arbitrary user IDs is essential, as it solves a huge part of the problem of running GitLab on OpenShift.
Key Points
Summarizing the key points of a post on the RH Developer Blog and of Creating Images (from the OpenShift 4.5 docs):
Containers:
- UID will be random, but a `USER` entry should be present in the Dockerfile.
- GID will always be 0.
- Application files should be `chgrp -R 0 /srv/gitlab/...`. This is particularly important for writeable files/paths.
- Consider changing all `chown` calls to `chown -R UID:0 ...`.
- Group permissions are what matter, so the "easy" way is to copy the user permissions to the group (`chmod -R g=u`).
- The effective user mask (umask) of an application's write behaviour is very important.
Charts:
- Don't render `securityContext.runAs{User,Group}`.
- All containers in OpenShift use the same UID, so operating as `root` in an `initContainer` is not acceptable.
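As an added illustration of the Containers points above (not a file from the GitLab charts project), here is a Dockerfile skeleton that applies the arbitrary-UID rules; the base image, the `/srv/gitlab` layout and `start.sh` are hypothetical.

```dockerfile
# Added example, not from the GitLab charts repository.
# Base image and application paths are assumptions for illustration.
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest

# Copy the application with a non-root owner whose group is root (GID 0).
# At runtime OpenShift replaces the UID with a random one from the project's
# range but keeps GID 0, so group ownership is what matters.
COPY --chown=1001:0 app/ /srv/gitlab/app/
RUN mkdir -p /srv/gitlab/data /srv/gitlab/log

# Make everything under /srv/gitlab group-owned by root and give the group
# the same permissions the user has (chmod g=u). Writable paths thereby
# become group-writable for the random UID.
RUN chgrp -R 0 /srv/gitlab && \
    chmod -R g=u /srv/gitlab

# The default umask 022 would create runtime files without group write.
# Keep 002 so files the random UID creates stay accessible via GID 0.
ENV UMASK=002

# Numeric USER: OpenShift checks that the image does not run as root and
# cannot resolve user names from the image's /etc/passwd.
USER 1001

WORKDIR /srv/gitlab
CMD ["sh", "-c", "umask ${UMASK} && exec /srv/gitlab/app/start.sh"]
```

Verify the result by running the image with `docker run --user 123456:0 ...` (any UID, GID 0) and checking that the application can write under `/srv/gitlab/data` and `/srv/gitlab/log`.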