Hi Folks,
It is never a good idea to run things as root and that is true for containers as well. Openshift which is Redhat’s excellent Kubernetes distribution leverages its own version of Pod Security Policies called Security Context Constraints which will not even allow containers to run as root. Now of course there is away around that but I wanted to demonstrate the difference in a short post. If I just run a default nginx image in a namespace nginx it will run as root:
k run nginx --image=nginx -n nginx
Now lets exec into the pod and see who the user id that is running the processes:
k exec -n nginx nginx -it -- sh
Lets nuke that pod asap:
k delete po nginx -n nginx --force --grace-period 0
Now instead if we use the bitnami nginx image then by default it is more secure and runs as something else:
k run nginx --image=bitname/nginx -n nginx
Now when we exec in the pod and check we see something different:
k exec -n nginx nginx -it -- sh
Voila!
For helm charts you should be able to find information about what user it will leverage. Take for instance Mongodb:
We see that the bitnami mongodb helm chart also uses a non root user.
If we look at the description on github it clearly states that it will use by default user 1001:
https://github.com/bitnami/charts/tree/master/bitnami/mongodb/#installing-the-chart
if we do a quick search on user we get this:
