skonto commented on a change in pull request #23017: [SPARK-26015][K8S] Set a default UID for Spark on K8S Images URL: https://github.com/apache/spark/pull/23017#discussion_r241207483
########## File path: docs/running-on-kubernetes.md ########## @@ -19,9 +19,9 @@ Please see [Spark Security](security.html) and the specific advice below before ## User Identity -Images built from the project provided Dockerfiles do not contain any [`USER`](https://docs.docker.com/engine/reference/builder/#user) directives. This means that the resulting images will be running the Spark processes as `root` inside the container. On unsecured clusters this may provide an attack vector for privilege escalation and container breakout. Therefore security conscious deployments should consider providing custom images with `USER` directives specifying an unprivileged UID and GID. +Images built from the project provided Dockerfiles contain a default [`USER`](https://docs.docker.com/engine/reference/builder/#user) directive with a default UID of `185`. This means that the resulting images will be running the Spark processes as this UID inside the container. Security conscious deployments should consider providing custom images with `USER` directives specifying their desired unprivileged UID and GID. The resulting UID should include the root group in its supplementary groups in order to be able to run the Spark executables. Users building their own images with the provided `docker-image-tool.sh` script can use the `-u <uid>` option to specify the desired UID. Review comment: @rvesse I think using [GID 0](https://unix.stackexchange.com/questions/44077/what-does-it-mean-to-be-in-group-0) is safe. , I am using that on [Openshift](https://github.com/RHsyseng/container-rhel-examples/blob/369971bbbb8212fe9ff8f0e59dab7149ad281ee1/starter-arbitrary-uid/Dockerfile#L41-L46). ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
