Github user vanzin commented on a diff in the pull request:
https://github.com/apache/spark/pull/23017#discussion_r236456515
--- Diff: docs/running-on-kubernetes.md ---
@@ -19,9 +19,9 @@ Please see [Spark Security](security.html) and the
specific advice below before
## User Identity
-Images built from the project provided Dockerfiles do not contain any
[`USER`](https://docs.docker.com/engine/reference/builder/#user) directives.
This means that the resulting images will be running the Spark processes as
`root` inside the container. On unsecured clusters this may provide an attack
vector for privilege escalation and container breakout. Therefore security
conscious deployments should consider providing custom images with `USER`
directives specifying an unprivileged UID and GID.
+Images built from the project provided Dockerfiles contain a default
[`USER`](https://docs.docker.com/engine/reference/builder/#user) directive with
a default UID of `185`. This means that the resulting images will be running
the Spark processes as this UID inside the container. Security conscious
deployments should consider providing custom images with `USER` directives
specifying their desired unprivileged UID and GID. The resulting UID should
include the root group in its supplementary groups in order to be able to run
the Spark executables. Users building their own images with the provided
`docker-image-tool.sh` script can use the `-u <uid>` option to specify the
desired UID.
--- End diff --
Given the docs you quoted before, you can't override the container's GID,
right?
---
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org
