search

Initial Unsafe K8s Deployment

This deploys the demo application to Kubernetes using a standard kubernetes yaml file running the container using root user.

For details on the demo application see hello spring boot application.

hashtag
Deploy the application

The corresponding container image is pulled from andifalk/hello-rootarrow-up-right docker hub repository.

The application is deployed using the following deployment yaml file k8s/deploy.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: hello-root
  name: hello-root
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-root
  template:
    metadata:
      labels:
        app: hello-root
    spec:
      containers:
      - image: andifalk/hello-root:latest
        name: hello-root
        readinessProbe:
          httpGet:
            path: /actuator/health
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
      restartPolicy: Always

Just deploy it by typing kubectl apply -f ./deploy.yaml in directory k8s.

hashtag
Static analysis of Deployment

Please note that the container is running as root by default and kubernetes also does not prohibit this by default!

Now you can prove that this container does run with root by using a tool like kubeauditarrow-up-right.

This should result in an output similar to this:

An alternative tool for this is popeye, just run it against your current cluster:

It is also possible to check directly your deployment yaml file:

This will show an output similar to this one:

You may also check that the user of the running container is not root using (check your pod name before):

Note: If you have deployed the JIB container image then the base image is a distroless image meaning that no shell and no whoami command is inside the container. Therefore, you cannot use the command above.

hashtag
Next

Next: K8s Pod Security Context

PreviousRootless Container with PaketoNextSafe K8s Deployment with Pod Security Context

Last updated