jib: Cannot run image running with container generated by jib as non-root in k8s

Description of the issue: I cannot run the image generated via jib-maven-plugin as non-root. When attempting to set the securityContext runAsUser to a custom one, it errors as the app cannot find the main class. Only root seems to work, but this is a security issue and I'd rather run the container as an unprivileged user.

Expected behavior: set the security context in the k8s deployment as uid 10000 (just an example), and the app that's generated has /app folders owned, or at least executable, by this uid.

Steps to reproduce: create a k8s deployment and set securityContext: runAsUser: to a custom uid. Use a custom JDK image and use that USER uid in the from block of the jib-maven-plugin section in the pom.xml.

Environment:

JDK image used by the pom to generate the new image for the Java app:

FROM openjdk:8-jdk-alpine

# Shorten the JVM DNS cache TTL and use the non-blocking urandom source for SecureRandom
RUN set -x && \
    sed -i -e "s/\#networkaddress.cache.ttl=-1/networkaddress.cache.ttl=300/g" \
           -e "s/securerandom.source=file\:\/dev\/random/securerandom.source=file\:\/dev\/\.\/urandom/g" \
           /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/java.security

# Let the JVM size its heap from the container cgroup memory limit
ENV JAVA_OPTS="-XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"

# Create an unprivileged user with a fixed uid so the k8s runAsUser can match it
RUN addgroup -g 10000 runner && \
    adduser -G runner -D -H -u 10000 runner

USER 10000

jib-maven-plugin Configuration:

<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <version>0.9.7</version>
  <configuration>
    <from>
      <image>XXXXXXX.dkr.ecr.us-east-1.amazonaws.com/foo:custom-jdk</image>
    </from>
    <to>
      <image>XXXXXXX.dkr.ecr.us-east-1.amazonaws.com/foo:java-app</image>
      <credHelper>ecr-login</credHelper>
    </to>
    <container>
      <ports>
        <port>8080</port>
      </ports>
    </container>
    <imageFormat>Docker</imageFormat>
  </configuration>
</plugin>

Log output: Error: Could not find or load main class com.test.hello.HelloApplication

Additional Information: the folders that are generated in /app are owned by root. resources is available to all users, but the other two are writable and executable by root only.

k8s deployment container:

- name: hello-app
  imagePullPolicy: Always
  securityContext:
    runAsUser: 10000
    allowPrivilegeEscalation: false
  image: XXXXXXX.dkr.ecr.us-east-1.amazonaws.com/foo:java-app
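As an added example (not from this issue or the jib project), a portable shell check that reports which entries under an /app tree a non-root, non-owner uid such as runAsUser 10000 cannot traverse or read, plus a constructed reproduction of the layout reported above (classes and libs root-only, resources world-writable). The function names and the sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Pre-deployment check for a jib-built /app tree: an unprivileged uid that is
# neither owner nor group member needs o+rx on every directory and o+r on every
# file, otherwise the JVM cannot load the main class from /app/classes.

# Print every path under $1 that such a uid could not use.
# Exit status 0 when the tree is clean, 1 when at least one offender was found.
check_nonroot_readable() {
    app_dir=$1
    offenders=$(find "$app_dir" \( -type d ! -perm -o=rx \) -o \( -type f ! -perm -o=r \))
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Build a constructed copy of the /app layout from the issue in a temp dir, with the
# classes and libs directories set to mode $1, and return the number of offenders.
# demo_layout 700 reproduces the reported jib 0.9.7 image; demo_layout 755 models the
# fixed image shown later in the thread.
demo_layout() {
    dir_mode=$1
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/classes/com" "$tmp/app/libs" "$tmp/app/resources"
    : > "$tmp/app/classes/com/HelloApplication.class"   # constructed placeholder files
    : > "$tmp/app/libs/dependency.jar"
    chmod 644 "$tmp/app/classes/com/HelloApplication.class" "$tmp/app/libs/dependency.jar"
    chmod 755 "$tmp/app" "$tmp/app/classes/com"
    chmod "$dir_mode" "$tmp/app/classes" "$tmp/app/libs"
    chmod 777 "$tmp/app/resources"
    count=$(check_nonroot_readable "$tmp/app" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$count"
}
```

Run check_nonroot_readable against the /app directory of a built image (for example inside a throwaway container started from it) before rolling it out with a non-root securityContext.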

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 34 (22 by maintainers)

Most upvoted comments

@JamesWojewoda @GuustavoPaiva We have released version 0.9.10!

@coollog I had the same problem as @JamesWojewoda and can confirm that after the recent changes, the image was successfully loaded and the permissions were right, as you can see:

$ ls -lah app
total 16K
drwxr-xr-x. 5 root root   50 Jan  1  1970 .
drwxr-xr-x. 1 root root   57 Aug 29 13:58 …
drwxr-xr-x. 3 root root   16 Jan  1  1970 classes
drwxr-xr-x. 2 root root  12K Aug 29 13:58 libs
drwxr-xr-x. 3 root root   50 Aug 29 13:58 resources

Much appreciated those changes 👍

@coollog This works great. Thanks for your help!

@coollog Unrelated, but I'm curious why the resources folder has a different permission set (777).