Allow atlantis docker image to run as arbitrary user #345
Comments
Hi Jocelyn, would this be a breaking change for anyone using the current Docker image that has this set in their kube config: https://github.com/runatlantis/atlantis/blob/master/helm/atlantis/templates/statefulset.yaml#L23
Hi @lkysow: I think this would depend on the k8s cluster. If the cluster does not enforce a special uid at runtime then the user permissions should still be sufficient. However, if they enforce it like Openshift does by default, they would indeed run into a problem. My idea with the change I propose in #346 is that since k8s and Openshift by default run the container with a gid=0 and mount volumes with a gid=0, we use this one for the newly created "atlantis" user. Running with gid 0 is not a security vulnerability, as it does not have special privileges like uid=0 has. My change would probably even let us remove the "fsGroup: 1000" from the stateful set template.
I need to test if this will break existing k8s deployments.
In OpenShift containers are run as a random user id. In this case, we don't need to use gosu. Fixes #345
Closed by #346
Hey,
I was wondering if making atlantis run as an arbitrary user is something the project is interested in. For example on Openshift for security reasons, by default the image will be started with a randomly assigned uid which is never root.
I would be glad to try and create a pull request so that we could use the image with any UID. For example making the atlantis group and its folder having the gid 0 and then making the group have the same permissions as the user. We could then in the docker-entrypoint.sh only run the gosu command if the current uid is 0 otherwise we leave it as it is.
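The entrypoint logic sketched in this issue, written out as an added example (this is not the project's own docker-entrypoint.sh or Dockerfile): gosu is used only when the container starts as uid 0, and any other uid, such as the random one OpenShift assigns, runs the command directly. It also checks that the data directory is group-writable, which is what makes an arbitrary uid in gid 0 work. The names `ATLANTIS_USER` and `ATLANTIS_DATA` and the use of GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the atlantis project's entrypoint.
# The matching Dockerfile fragment (assumed, not from the page) would be:
#   RUN chgrp -R 0 /home/atlantis && chmod -R g=u /home/atlantis
# so the atlantis home and data directories belong to gid 0 with the same
# permissions for the group as for the owner.
set -eu

ATLANTIS_USER="${ATLANTIS_USER:-atlantis}"            # assumed name
ATLANTIS_DATA="${ATLANTIS_DATA:-/home/atlantis/.atlantis}"  # assumed path

# Print the command prefix for the given uid: "gosu <user>" when running as
# root, nothing when already running as an unprivileged (possibly random) uid.
exec_prefix_for_uid() {
  uid="$1"
  if [ "$uid" -eq 0 ]; then
    printf 'gosu %s' "$ATLANTIS_USER"
  else
    printf ''
  fi
}

# Given an octal mode string such as 770 or 2775, return 0 when the group
# digit grants read, write and execute (7), 1 otherwise. Only the last three
# digits are inspected, so setgid/sticky bits are ignored.
group_has_rwx() {
  mode="$1"
  last3=${mode#${mode%???}}   # keep the trailing three octal digits
  rest=${last3#?}             # drop the owner digit
  g=${rest%?}                 # drop the other digit, leaving the group digit
  [ "$g" -eq 7 ]
}

# Return 0 when the directory exists and its group has rwx access.
# Uses GNU coreutils stat (-c '%a'); on BSD/macOS use stat -f '%Lp' instead.
dir_group_rwx() {
  dir="$1"
  [ -d "$dir" ] || return 1
  group_has_rwx "$(stat -c '%a' "$dir")"
}

# Entrypoint flow: warn if the data directory would not be usable by an
# arbitrary uid, then exec the command, dropping to the atlantis user only
# when we actually started as root.
entrypoint_main() {
  if ! dir_group_rwx "$ATLANTIS_DATA"; then
    echo "warning: $ATLANTIS_DATA is not group-writable; arbitrary uids may fail" >&2
  fi
  prefix=$(exec_prefix_for_uid "$(id -u)")
  # shellcheck disable=SC2086  # word-splitting of $prefix is intended
  exec $prefix "$@"
}

# Only run the exec path when explicitly requested, so the functions above
# can be sourced and checked without replacing the current shell.
if [ "${RUN_ENTRYPOINT:-0}" = 1 ]; then
  entrypoint_main "$@"
fi
```

With this layout the `fsGroup` setting becomes optional: whatever uid the cluster picks, the process is in gid 0 and the directories it needs are group-writable, so no chown or gosu step is required at start-up.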