grouper-users - Re: [grouper-users] Openshift Deployment
Subject: Grouper Users - Open Discussion List
- From: Oliver Trieu <>
- To: Darren Boss <>, Scott Koranda <>
- Subject: Re: [grouper-users] Openshift Deployment
- Date: Mon, 27 Apr 2020 12:10:46 +0200
Dear Darren,
could you elaborate on what kind of problems you expect with runAsUser in a Pod?
I am currently running our test instance of grouper 2.4 on Openshift and so far I did not encounter any issue.
Is there an easy way to specifically test for this?
Kind Regards
Oliver
On 22.04.20 16:31, Darren Boss wrote:
That may not be good enough for the Openshift case but
since I haven't used Openshift I can't say for sure.
I'm not sure about dropping privileges. It seems like a
step in the right direction but I'm not sure what happens when
combined with specifying security contexts in the pod
(runAsUser). I'd be willing to do a bit of digging or run some
tests on a test cluster if that was of interest.
I'm still ramping up my knowledge on the security side of
running services under Kubernetes.
On Wed, Apr 22, 2020 at 9:50 AM Scott Koranda <> wrote:
Hi,
Just a clarifying question...
Would you find it acceptable for the container to start running as root
and then drop privileges later to a non-privileged user, or is your
requirement that the container never need any root privileges at all?
Asking for a friend...
Thanks,
Scott K
> Even if not running under Openshift and just upstream Kubernetes, please
> retool the Docker images to not run as root (this applies to the other TAP
> images as well).
>
> Containers are not VMs and unless you are running with uid
> translation/mapping in place, the grouper process would be running as root
> on the system as well. From what I've read, running within a user namespace
> and remapping uids can impart a performance penalty.
>
> On Wed, Apr 22, 2020 at 3:22 AM Oliver Trieu <>
> wrote:
>
> > Dear Grouper Team,
> >
> >
> > I think it's great that Grouper is now running on containers.
> >
> > This is definitely a step in the right direction.
> >
> > I was wondering if you could prepare your Container Image to run on the
> > Openshift Platform.
> >
> > The issue here is that the current Image wants to run as the root user.
> >
> > It would be great if you could run it as an unprivileged user.
> >
> >
> > Is it possible to obtain the Dockerfiles you used to create the images?
> >
> >
> > Kind Regards
> >
> >
> > Oliver
> >
> >
> >
> >
> >
>
> --
> Darren Boss
> Senior Programmer/Analyst
> Programmeur-analyste principal
>
--
Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal
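Added example, not part of the thread or of the Grouper project's code: on Linux, the uid translation/mapping mentioned in the quoted reply is visible in /proc/<pid>/uid_map, and this Python code parses that format to report whether uid 0 inside the namespace is also uid 0 outside it. The two sample maps and all function names are constructed for illustration.

```python
"""Does uid 0 inside a container map to uid 0 outside its user namespace?"""
from pathlib import Path

# Constructed samples in the /proc/<pid>/uid_map format:
# "<first uid inside namespace> <first uid outside> <range length>"
IDENTITY_MAP = "         0          0 4294967295\n"  # no remapping in place
REMAPPED_MAP = "         0     100000      65536\n"  # uids shifted to 100000+


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, length) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def outside_uid(inside_uid, ranges):
    """Translate a uid seen inside the namespace to the uid one level out.
    Returns None when no range covers the uid (it is unmapped)."""
    for inside_start, outside_start, length in ranges:
        if inside_start <= inside_uid < inside_start + length:
            return outside_start + (inside_uid - inside_start)
    return None


def root_is_host_root(uid_map_text):
    """True when uid 0 in this namespace is also uid 0 outside it."""
    return outside_uid(0, parse_uid_map(uid_map_text)) == 0


def check_current_process():
    """Check this process's own map (Linux only); None if unavailable."""
    path = Path("/proc/self/uid_map")
    if not path.exists():
        return None
    return root_is_host_root(path.read_text())


if __name__ == "__main__":
    print("identity map, root is host root:", root_is_host_root(IDENTITY_MAP))
    print("remapped map, root is host root:", root_is_host_root(REMAPPED_MAP))
    print("this process:", check_current_process())
```

Run inside the container, `check_current_process()` returning True means no remapping is in place, so a process running as root there holds uid 0 outside the container as well.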