Keda Non-compliant for pods and containers should only run using approved user and group Ids #2139

Closed
Sac-BRONGA opened this issue Oct 4, 2021 · 26 comments
Labels
bug Something isn't working stale All issues that are marked as stale due to inactivity

Comments

@Sac-BRONGA

Report

We have enabled the Azure Policy "Kubernetes cluster pods and containers should only run with approved user and group IDs", but all the pods and all the containers are reported as Non-Compliant, even though we provide all the required parameters.

Expected Behavior

The KEDA pods in the cluster need to be Non-Compliant. KEDA should run only with the provided user and group IDs.

Actual Behavior

KEDA should run with the provided user and group IDs. It needs to search for the user and group IDs.

Steps to Reproduce the Problem

  1. Create the policy "Kubernetes cluster pods and containers should only run with approved user and group IDs" in Azure Policy.
  2. Deploy the AKS cluster and a pod with the KEDA image.
  3. Check whether the policy reports Non-Compliant or Compliant.

Logs from KEDA operator

example

KEDA Version

2.2.0

Kubernetes Version

1.21

Platform

Microsoft Azure

Scaler Details

No response

Anything else?

No response

@Sac-BRONGA Sac-BRONGA added the bug Something isn't working label Oct 4, 2021
@Sac-BRONGA
Author

Sac-BRONGA commented Oct 7, 2021 via email

@JorTurFer
Member

Yes, sorry.
I deleted my comment because I found that I was doing it wrong. Now I can reproduce the problem.
Thanks

@JorTurFer
Member

One question (I don't have experience with this): do valid userid/groupid values need to be defined, or is there a built-in predefined group?
Looking at the documentation I can't get this part. I mean, you can define values inside this group, but the default values are [] in both cases.

@Sac-BRONGA
Author

Sac-BRONGA commented Oct 7, 2021 via email

@Sac-BRONGA
Author

@JorTurFer: We are using the below range of values for user and group IDs.

"ranges": [
  {
    "min": 1,
    "max": 65535
  }
]

Also, can I have the resolution ASAP?

@JorTurFer
Member

Hi @Sac-BRONGA, I'm doing some tests because, reviewing the Dockerfiles, both (operator and metrics server) use gcr.io/distroless/static:nonroot as the base image and both create a non-root user. I will update the thread when I have news.

@JorTurFer
Member

I'm checking on my own AKS.
KEDA is using the user ID 65532 for the adapter (metrics server) and the operator.
[screenshot]
[screenshot]

Honestly, I don't have any experience with Azure Policies; IDK if it needs any extra configuration or something like that. The help message says:
The 'RunAsUser' rule that containers are allowed to run with. MustRunAs requires at least one range to be specified. MustRunAsNonRoot requires the pod be submitted with non-zero runAsUser or have USER directive defined (using a numeric UID) in the image. RunAsAny allows any runAsUser to be specified

And both images have the USER directive in the Dockerfile:
https://github.com/kedacore/keda/blob/main/Dockerfile.adapter#L39
https://github.com/kedacore/keda/blob/main/Dockerfile#L36

@JorTurFer
Member

JorTurFer commented Oct 11, 2021

Hi @Sac-BRONGA,
I have it working on my cluster:
[screenshot]

I have edited the parameters and these are mine:
[screenshot]

Basically I added the range to all (userids and groupids). I know that in theory userids and groupids are not important because the dropdown selections are MustRunAsNonRoot and RunAsAny but... I added it in any case to be sure xD

@Sac-BRONGA
Author

Sac-BRONGA commented Oct 11, 2021 via email

@JorTurFer
Member

JorTurFer commented Oct 11, 2021

Okay, let me update the policy and I will comment in 1 hour with the result :)

@Sac-BRONGA
Author

Also, could you please confirm you are using the image below:

ghcr.io/kedacore/keda-metrics-apiserver : 2.2.2

@JorTurFer
Member

> Also, could you please confirm you are using the image below:
>
> ghcr.io/kedacore/keda-metrics-apiserver : 2.2.2

I'm using the main tag, but I can use 2.2.2 as well to check if it works there.

@JorTurFer
Member

The tag 2.2.2 doesn't exist:

docker pull ghcr.io/kedacore/keda-metrics-apiserver:2.2.2
Error response from daemon: manifest unknown

@Sac-BRONGA
Author

Sac-BRONGA commented Oct 12, 2021

OK. Could you please check this parameter and confirm with the tag 2.2.0:
Run as User Rule: MustRunAs.

@JorTurFer
Member

JorTurFer commented Oct 12, 2021

> OK. Could you please check this parameter and confirm with the tag 2.2.0:
> Run as User Rule: MustRunAs.

Sure, I'm updating it right now. In 1 hour I will update the thread with the news.

@JorTurFer
Member

Hi @Sac-BRONGA,
You are right, I can reproduce the error with tag 2.2.0. Let me check with 2.4.0.

@tomkerkhove
Member

Do you install through Helm or another approach @Sac-BRONGA?

@Sac-BRONGA
Author

We install with Helm.

@JorTurFer
Member

JorTurFer commented Oct 12, 2021

> We install with Helm.

Did you try setting the securityContext inside the Helm values?

I'm trying it right now to check if it works with these values:

securityContext:
  runAsUser: 1000
  runAsNonRoot: true

@JorTurFer
Member

It works @Sac-BRONGA,
now it's compliant again (thanks @tomkerkhove for the idea :) )
[screenshot]

@Sac-BRONGA
Author

@JorTurFer We are using the same thing that is present in the link given below, but we are still getting Non-Compliant.
keda

@JorTurFer
Member

JorTurFer commented Oct 18, 2021

Hi @Sac-BRONGA,
Could you try setting this?

securityContext:
  runAsUser: 1000
  runAsNonRoot: true

As I said here, this change should be enough to make it compliant.
In your image, securityContext is empty ({}) and it should not be empty. Please remove the {} and uncomment the 2 lines that I pasted here.

Let me know any news :)
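To make the point of the last two comments concrete, here is an added model of the three RunAsUser rule modes quoted earlier in the thread (MustRunAs with ranges, MustRunAsNonRoot, RunAsAny) applied to a pod manifest; it is illustrative code written for this issue, not Azure Policy's, Gatekeeper's or KEDA's own implementation, and the pod manifest it builds is constructed. It shows why a chart rendered with `securityContext: {}` is reported non-compliant even though the image carries a numeric USER, and why `runAsUser: 1000` plus `runAsNonRoot: true` fixes it.

```python
from typing import Any, Dict, List, Optional, Tuple

# Parameter used in the thread: a single allowed range 1..65535 (copied from the issue).
RANGES: List[Dict[str, int]] = [{"min": 1, "max": 65535}]


def _effective(pod: Dict[str, Any], container: Dict[str, Any], key: str) -> Optional[Any]:
    """Container securityContext overrides the pod-level one, as the kubelet resolves it."""
    for ctx in (container.get("securityContext") or {}, pod["spec"].get("securityContext") or {}):
        if key in ctx:
            return ctx[key]
    return None


def check_container(pod: Dict[str, Any], container: Dict[str, Any],
                    rule: str, ranges: List[Dict[str, int]]) -> Tuple[bool, str]:
    """Apply one RunAsUser rule (as described in the help text) to a single container."""
    name = container["name"]
    uid = _effective(pod, container, "runAsUser")
    if rule == "RunAsAny":
        return True, f"{name}: RunAsAny, any runAsUser accepted"
    if rule == "MustRunAsNonRoot":
        # Admission-time evaluation only sees the manifest: a numeric USER baked into the
        # image (KEDA's 65532) is not visible here, so the manifest itself must declare it.
        if _effective(pod, container, "runAsNonRoot") is True or (uid is not None and int(uid) > 0):
            return True, f"{name}: non-root declared in manifest"
        return False, f"{name}: neither runAsNonRoot nor a non-zero runAsUser in manifest"
    if rule == "MustRunAs":
        if uid is None:
            return False, f"{name}: runAsUser not set (securityContext empty or {{}})"
        if any(r["min"] <= int(uid) <= r["max"] for r in ranges):
            return True, f"{name}: runAsUser {uid} inside an allowed range"
        return False, f"{name}: runAsUser {uid} outside allowed ranges {ranges}"
    raise ValueError(f"unknown RunAsUser rule {rule!r}")


def evaluate_pod(pod: Dict[str, Any], rule: str,
                 ranges: List[Dict[str, int]] = RANGES) -> List[Tuple[bool, str]]:
    """One (compliant, reason) entry per container; the pod is compliant only if all are."""
    return [check_container(pod, c, rule, ranges) for c in pod["spec"]["containers"]]


def keda_pod(security_context: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed minimal KEDA metrics-server pod with a pod-level securityContext."""
    return {"spec": {"securityContext": security_context,
                     "containers": [{"name": "keda-metrics-apiserver",
                                     "image": "ghcr.io/kedacore/keda-metrics-apiserver:2.2.0"}]}}
```

Running `evaluate_pod(keda_pod({}), "MustRunAs")` reproduces the thread's Non-Compliant result, while the same call with `{"runAsUser": 1000, "runAsNonRoot": True}` passes.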

@stale

stale bot commented Dec 17, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Dec 17, 2021
@JorTurFer JorTurFer self-assigned this Dec 17, 2021
@stale stale bot removed the stale All issues that are marked as stale due to inactivity label Dec 17, 2021
@tomkerkhove
Member

Any update on this @Sac-BRONGA ?

@stale

stale bot commented Apr 12, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Apr 12, 2022
@stale

stale bot commented Apr 19, 2022

This issue has been automatically closed due to inactivity.


3 participants