Closed
Hi
In our company, we are required to run all k8s pods as a non-root user. Because of this, I tried to run the DFM container as non-root using the Kubernetes `spec.securityContext.runAsNonRoot` setting.
The issue is that DotNet container images don't have a dedicated user for the applications like Node containers have. I found the following article which explains how to configure DotNet containers to run the applications as a NonRoot user.
Hardening an ASP.NET container running on Kubernetes
I updated the Dockerfile given in the durablefunctionsmonitor.dotnetbackend to look like the following:
```dockerfile
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS installer-env
# Build requires 3.1 SDK
COPY --from=mcr.microsoft.com/dotnet/core/sdk:3.1 /usr/share/dotnet /usr/share/dotnet
COPY . /src/dotnet-function-app
RUN cd /src/dotnet-function-app && \
    mkdir -p /home/site/wwwroot && \
    dotnet publish *.csproj --output /home/site/wwwroot

FROM mcr.microsoft.com/azure-functions/dotnet:4
# Create a Linux user in the container called dfm with UID and GID of 1000
RUN groupadd -r dfm --gid 1000 && \
    useradd --uid 1000 -r --gid 1000 "dfm"
# Configure the container to automatically start as the dfm user by default
# (numeric UID:GID so that Kubernetes can verify runAsNonRoot from the image itself)
USER 1000:1000
EXPOSE 8080
# Configure the ASP.NET HTTP web site to listen on port 8080
# This is due to the fact that non-root users aren't allowed to bind to ports 1024 and below
ENV ASPNETCORE_URLS=http://*:8080
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    AzureFunctionsJobHost__Logging__Console__IsEnabled=true
# Configure the copied files to be owned by the dfm user
COPY --chown=dfm:dfm --from=installer-env ["/home/site/wwwroot", "/home/site/wwwroot"]
```
I updated the DFM deployment manifest with the following settings and changed the image to point to our private container registry.

```yaml
securityContext:
  runAsNonRoot: true
```
This solved my issues.
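As an added example (not part of the issue or the project's own manifests), here is a fuller Deployment fragment that combines the pieces the issue describes: the pod-level `runAsNonRoot` setting, the numeric UID/GID 1000 that the Dockerfile creates, and the container port moved to 8080 to match `ASPNETCORE_URLS`. The Deployment/container names and the image reference are placeholders, and the extra hardening fields (`allowPrivilegeEscalation`, dropped capabilities, `seccompProfile`) are assumptions about what a cluster policy would typically want rather than anything the project requires.

```yaml
# Added example: Deployment fragment for a non-root DFM image built from the
# Dockerfile above. Names and the image reference are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dfm
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dfm
  template:
    metadata:
      labels:
        app: dfm
    spec:
      securityContext:
        # The kubelet refuses to start the pod if the effective UID would be 0.
        # Because the image declares a numeric "USER 1000:1000", runAsNonRoot can be
        # verified from the image alone; runAsUser/runAsGroup make the intent explicit
        # and would also be needed if the image used a non-numeric USER name.
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dfm-backend
          image: REGISTRY_PLACEHOLDER/dfm-backend:TAG_PLACEHOLDER   # placeholder image
          ports:
            # Must match ENV ASPNETCORE_URLS=http://*:8080 in the Dockerfile;
            # an unprivileged user cannot bind the default port 80.
            - name: http
              containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```

Any Service or Ingress in front of the pod has to target port 8080 (or the `http` port name) as well; forgetting that is the usual reason a pod looks healthy after this change but is no longer reachable.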