Rootless Container

Last updated 6 months ago

This demo builds an improved Docker image of the demo application using only a standard Dockerfile. For details on the demo application see the hello spring boot application page.

This time we configure a non-root user in the Dockerfile, so the resulting container image runs without the root user.

# Runtime base image with a JRE only (no JDK tooling shipped in the image)
FROM bellsoft/liberica-openjre-debian:17.0.5-8
COPY step3-hello-rootless-1.0.0-SNAPSHOT.jar app.jar
EXPOSE 8080
# Create a dedicated system group and user with a fixed, non-system uid/gid
RUN addgroup --system --gid 1002 app && adduser --system --uid 1002 --gid 1002 appuser
# Switch to the numeric uid so the runtime (and Kubernetes runAsNonRoot) can verify it is non-root
USER 1002
# Exec form: the JVM runs as PID 1 and receives SIGTERM directly on docker stop
ENTRYPOINT ["java", "-jar", "/app.jar"]

For the group id (gid) and user id (uid) you should choose a value above 1000 so that you do not collide with any system user. If you want to be really on the safe side, also stay clear of all local users (ids up to 10000 are reserved for them) by choosing a number above 10000, the range reserved for remote users.

You can prove that the container now does not run with root any more by using these commands:

docker container run --rm --detach --name hello-rootless \
-p 8080:8080 andifalk/hello-rootless:latest-arm64
docker exec hello-rootless whoami

This should print the following user name, confirming that the process is no longer running as root:

appuser

To prevent privilege escalation (for example through setuid binaries inside the image), it is also best practice to pass the additional option --security-opt=no-new-privileges to docker run:

docker container run --security-opt=no-new-privileges --rm --detach --name hello-rootless \
-p 8080:8080 andifalk/hello-rootless:latest-arm64
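The two checks above, whoami in the running container and the no-new-privileges option, can be turned into a small script that runs without a Docker daemon: it verifies that a Dockerfile ends with a numeric non-root USER above a chosen floor, and that a saved /proc/<pid>/status dump from the container shows the NoNewPrivs flag set. This is an added example, not code from the original page or the andifalk project; the function names, the minimum-uid argument and the sample Dockerfiles and status dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: static and runtime checks for a rootless, no-new-privileges container.
# Not part of the original page; helper names and sample inputs are constructed.

# Return 0 if the effective USER of a Dockerfile is a numeric uid >= the floor.
# Arg 1: path to the Dockerfile; Arg 2: minimum uid (default 1000).
dockerfile_user_ok() {
  file=$1
  floor=${2:-1000}
  # The last USER instruction wins; keep only the uid part of "uid:gid".
  user=$(grep -i '^USER[[:space:]]' "$file" | tail -n 1 | awk '{print $2}' | cut -d: -f1)
  [ -n "$user" ] || { echo "no USER instruction: image runs as root" >&2; return 1; }
  case "$user" in
    ''|*[!0-9]*) echo "USER '$user' is a name, not a numeric uid; runAsNonRoot cannot verify it" >&2; return 1 ;;
  esac
  [ "$user" -ge "$floor" ] || { echo "uid $user is below the floor $floor" >&2; return 1; }
  return 0
}

# Return 0 if a /proc/<pid>/status dump shows "NoNewPrivs: 1".
# Arg 1: path to a saved status file, e.g. from: docker exec hello-rootless cat /proc/1/status
no_new_privs_set() {
  grep -q '^NoNewPrivs:[[:space:]]*1$' "$1"
}

# Constructed sample inputs (not files from the page or the project)
tmp=$(mktemp -d)
cat > "$tmp/Dockerfile.root" <<'EOF'
FROM bellsoft/liberica-openjre-debian:17.0.5-8
COPY app.jar app.jar
ENTRYPOINT ["java", "-jar", "/app.jar"]
EOF
cat > "$tmp/Dockerfile.rootless" <<'EOF'
FROM bellsoft/liberica-openjre-debian:17.0.5-8
RUN addgroup --system --gid 1002 app && adduser --system --uid 1002 --gid 1002 appuser
USER 1002
ENTRYPOINT ["java", "-jar", "/app.jar"]
EOF
cat > "$tmp/Dockerfile.named" <<'EOF'
FROM bellsoft/liberica-openjre-debian:17.0.5-8
USER appuser
EOF
# Status dumps as the kernel prints them (tab separated); Uid line: real/effective/saved/fs
printf 'Name:\tjava\nUid:\t1002\t1002\t1002\t1002\nNoNewPrivs:\t1\n' > "$tmp/status.hardened"
printf 'Name:\tjava\nUid:\t0\t0\t0\t0\nNoNewPrivs:\t0\n' > "$tmp/status.default"

# Stand-alone run: report each sample
for f in root rootless named; do
  if dockerfile_user_ok "$tmp/Dockerfile.$f"; then echo "Dockerfile.$f: ok"; else echo "Dockerfile.$f: FAIL"; fi
done
for s in hardened default; do
  if no_new_privs_set "$tmp/status.$s"; then echo "status.$s: NoNewPrivs set"; else echo "status.$s: NoNewPrivs NOT set"; fi
done
```

Against a real container, dump the status of PID 1 with docker exec hello-rootless cat /proc/1/status and pass that file to no_new_privs_set; the Uid line of the same dump is the equivalent of the whoami check, with numeric ids instead of a name. The numeric-uid rule matters beyond Docker: a USER given as a name cannot be verified as non-root by a runtime, so the Dockerfile above uses USER 1002 rather than USER appuser.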

You should also be able to reach the dockerized application via localhost:8080.

Finally, stop the running container by using the following command:

docker stop hello-rootless

Check image for Vulnerabilities

Now we can check our image for vulnerabilities of high and critical severity using these commands (the first one clears the local scan cache so the scan starts from a fresh state):

trivy clean --scan-cache
trivy image --severity HIGH,CRITICAL andifalk/hello-rootless:latest-arm64
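To make this scan a gate in a build pipeline, have trivy write a JSON report and fail the job when any HIGH or CRITICAL finding is present. The script below is an added example, not part of the original page or the project; it assumes the report was produced with trivy image --format json -o report.json (real trivy options), counts findings with a plain grep so it does not depend on jq, and uses a constructed sample report with placeholder vulnerability ids.

```shell
#!/bin/sh
# Added example: gate a build on a trivy JSON report. Not from the original page.
# Produce a real report with:
#   trivy image --format json -o report.json andifalk/hello-rootless:latest-arm64

# Count findings of one severity in a trivy JSON report. Args: report file, severity.
count_severity() {
  # trivy emits one "Severity": "<LEVEL>" field per finding; grep -o yields one line per match
  grep -o "\"Severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# Return 0 (pass) only if the report has no HIGH or CRITICAL findings.
# Further severities to block can be given as extra args, e.g.: gate_report report.json MEDIUM
gate_report() {
  report=$1
  shift
  blocked=0
  for sev in HIGH CRITICAL "$@"; do
    n=$(count_severity "$report" "$sev")
    echo "$sev: $n"
    blocked=$((blocked + n))
  done
  [ "$blocked" -eq 0 ]
}

# Constructed sample reports; the ids are placeholders, not real CVEs
tmp=$(mktemp -d)
cat > "$tmp/dirty.json" <<'EOF'
{"SchemaVersion": 2, "Results": [{"Target": "example (debian 11)", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER-1", "PkgName": "libexample", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER-2", "PkgName": "libexample", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER-3", "PkgName": "libother", "Severity": "LOW"}
]}]}
EOF
cat > "$tmp/clean.json" <<'EOF'
{"SchemaVersion": 2, "Results": [{"Target": "example (debian 11)", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER-3", "PkgName": "libother", "Severity": "LOW"}
]}]}
EOF

# Stand-alone run: the dirty report must fail the gate, the clean one must pass
for r in dirty clean; do
  if gate_report "$tmp/$r.json"; then echo "$r.json: PASS"; else echo "$r.json: BLOCKED"; fi
done
```

If you only need the exit status and not the per-severity counts, trivy can do the gating itself with --exit-code 1 together with --severity HIGH,CRITICAL; the grep-based count is useful when the pipeline also has to publish the numbers. Note that the count covers every finding carrying a Severity field in the report (misconfiguration and secret results included, if those scanners are enabled).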
