Does not install on clusters where running containers as root is not allowed

[mhulscher]

The keda http-add-on can not be installed and doesn't work in clusters where containers are forced to run as non-root.

It would be nice if we could configure each containers' securityContext in the helm-charts values.yaml.

Expected Behavior

Helm-chart should install and creating a HTTPScaledObject should successfully start components in target namespace.

Actual Behavior

All components fail to install because their container spec doesn't specify the UID and GID under which the containers will run. This results in events like so:

podinfo         0s          Warning   Failed                         pod/podinfo-interceptor-5d86f9bb84-zjzxk                           Error: container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root

I was able to get the http-controller-manager to start by adding the following securityContext to each container's spec:

    securityContext:
      runAsGroup: 65532
      runAsUser: 65532

Steps to Reproduce the Problem

Our PodSecurityPolicy looks like this, which forces all containers to run as non-root:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
  name: restricted
spec:
  allowPrivilegeEscalation: false
  allowedCapabilities:
  - NET_BIND_SERVICE
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim

Specifications

• KEDA Version:
• KEDA HTTP Add-on Version:

❯ helm ls -n keda             
NAME       	NAMESPACE	REVISION	UPDATED                                 	STATUS  	CHART                  	APP VERSION
http-add-on	keda     	1       	2021-06-24 13:51:28.934724904 +0200 CEST	deployed	keda-add-ons-http-0.1.0	0.1.0      
keda       	keda     	1       	2021-06-24 11:21:00.927907258 +0200 CEST	deployed	keda-2.3.2             	2.3.0

• Platform & Version: EKS 1.19
• Kubernetes Version:

clientVersion:
  buildDate: "2021-06-16T12:59:11Z"
  compiler: gc
  gitCommit: 092fbfbf53427de67cac1e9fa54aaa09a28371d7
  gitTreeState: clean
  gitVersion: v1.21.2
  goVersion: go1.16.5
  major: "1"
  minor: "21"
  platform: linux/amd64
serverVersion:
  buildDate: "2021-03-10T21:32:29Z"
  compiler: gc
  gitCommit: 96780e1b30acbf0a52c38b6030d7853e575bcdf3
  gitTreeState: clean
  gitVersion: v1.19.8-eks-96780e
  goVersion: go1.15.8
  major: "1"
  minor: 19+
  platform: linux/amd64

[arschles]

Thanks @mhulscher - I'll take a look at this. It will require changes to the helm chart as well as code in the operator.

[tomkerkhove]

Are you willing to contribute this?

[arschles]

@tomkerkhove I haven't had a chance to contribute this yet, so @mhulscher if you're open to contributing this, I'd welcome that!

[joebowbeer]

This can be closed?

PSP was deprecated in 1.21 and will be removed in 1.25.

[mhulscher]

Closing as I am no longer following this.

[joebowbeer]

With respect to installing on clusters where non-root is required, this was fixed by #267

https://github.com/kedacore/charts/blob/main/keda/README.md#keda-is-secure-by-default