I've built a docker image based on httpd:2.4. In my k8s deployment I've defined the following securityContext:
securityContext:
privileged: false
runAsNonRoot: true
runAsUser: 431
allowPrivilegeEscalation: falseWhen I apply the deployment without this securityContext everything works fine, the server starts up correctly, etc. However when I add in the above securityContext my pod has the status CrashLoopBackOff and I get the following from $ kubectl logs...
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logsFrom searching around online I've found that this is because apache needs to be root in order to run, so running as non-root will fail.
I've also found that httpd.conf has the following
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemonWhich seems to suggest that if I don't use runAsNonRoot or runAsUser in securityContext it should automatically switch to whichever user I specify in httpd.conf. In my case I created a user/group swuser and edited httpd.conf accordingly. However when I run the image locally with docker run -p 5000:80 my-registry/my-image:1.0.12-alpha and then run docker exec -it my-container whoami it prints root.
So my question is, what can I do to run my container safely as non-root in k8s (and be sure it is non-root)
Run the apache on a port greater than 1024.
Ports below 1024 are privileged ports only available to the root user.
As you will have some ingress load balancer before that, it shouldn't matter :-)