Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

HAProxy container not setting explicit USER id, breaks runAsNonRoot security policy by default

Description

When a pod security policy is applied which requires the container to run as a non-root user, it fails to apply with this error:

This is because the container image has, unlike the ProxySQL one, this in its specification:

instead of

 

I managed to work around this issue by setting the haproxy.podSecurityContext.runAsUser key to this user id on the CR, but it would be nice if this works by default.

Environment

None

Smart Checklist

Activity

Show:

Conrad Hanson November 9, 2021 at 3:28 PM

I believe this issue might be incomplete due to confusion around which branch in https://github.com/percona/percona-docker being the source branch (main vs master, both exist but main is the default). 
More specifically, when inspecting the merged pull requests, two of the three are merged to main, but the first (#488 for changing haproxy dockerfile user to numeric id) was merged to master.
When inspecting the latest version of haproxy for pxco, [1.10.0-haproxy dockerfile in docker hub|https://hub.docker.com/layers/percona/percona-xtradb-cluster-operator/1.10.0-haproxy/images/sha256-22a390685c750eb2c2ec2dd24276b2785819e3b5caef42222d517c41ff8bef81?context=explore,] it still shows the user as `mysql`. 
Should #488 have been merged to main instead?

Happy to open an MR for this.

Alex Miroshnychenko October 12, 2021 at 2:04 PM

Hello ,
Thank you for reporting this. We have updated our haproxy container to use 1001 as USER, also we have updated our percona-xtradb-cluster-operator image, so now USER is set to 2 instead of nobody.

Henno Schooljan May 26, 2021 at 6:13 PM

The percona/percona-xtradb-cluster-operator:1.8.0 image (which gets pulled as part of the PXC init process) has the name issue with user nobody. This time it is not clear which user id I need to use.

 

Done

Details

Assignee

Reporter

Time tracking

5h logged

Components

Fix versions

Priority

Smart Checklist

Created May 26, 2021 at 5:32 PM
Updated March 5, 2024 at 5:51 PM
Resolved November 24, 2021 at 4:24 PM