Engineering discovery: allow secure analyzer docker containers to run as a non-root user to support OpenShift
Problem to solve
OpenShift doesn't allow admin for containers (run as root user) but some of our containers currently do run as admin.
- bundler-audit
- gemnasium root
- gemnasium-maven
- gemnasium-python
- retire.js
(source: #197239 (comment 413034398))
Proposal
Discover what options do we have to stop using admin? What impact would these changes have?
The goal of this is to test ideas and propose a solution we can then implement.
Implementation Plan
- Test secure analyzers running as non-root user in OpenShift environment
- Test secure analyzers running as non-root user in automated offline testing environment
- Merge and release secure analyzer Docker containers running as non-root user
- Document limitations of secure analyzers which run as non-root user
- Add Guidelines for Docker images to Secure Technical Documentation
Further details
Documentation
Availability & Testing
Once we have a proposal we can hopefully test it with @willmeek and then make a follow up issue or epic to implement.
What does success look like, and how can we measure that?
The discovery conclusion provides one or multiple ways we can later implement to execute our Secure analyzers in an openshift environment.
What is the type of buyer?
Is this a cross-stage feature?
As other secure (and other engineering) groups are impacted may want to chat in the main slack to find anyone else working this issue.
Links / references
Edited by Adam Cohen