Modify Synthetics Job Manager Containers to Support Non-Root Execution #1347

Open
asafarian opened this issue Apr 26, 2024 · 3 comments
Labels
feature request Categorizes issue or PR as related to a new feature or enhancement.

Comments

@asafarian

Description

We have observed that the New Relic Synthetics job manager images are configured to run as the root user. This configuration leads to compatibility issues in environments like OpenShift, which, by default, restricts running containers as root to enhance security. This restriction requires the application to run with privileged permissions, which is not ideal from a security standpoint.

Acceptance Criteria

  • Modify Docker images to allow running as a non-root user.
  • Ensure that the modified images maintain functionality when deployed in both Kubernetes and OpenShift environments.
  • Document the changes and update any user guides or deployment instructions accordingly.

Describe Alternatives

We have considered using OpenShift's anyuid Security Context Constraint to allow the containers to run as root; however, this approach is not recommended due to security risks. An alternative could be to refactor the application to avoid the necessity of root privileges entirely, which would comply with best practices for container security.

Dependencies

This change will affect the deployment and operational teams responsible for managing the New Relic Synthetics job manager images.

Additional context

The use of non-root containers is a common practice to enhance security in containerized environments. Adapting our images to support running as a non-root user aligns with industry security standards and best practices, thus improving our compatibility with more secure and restricted environments like OpenShift.

Estimates

Given the scope of testing and documentation updates required, this task is estimated to be a Medium (M) effort, corresponding to 3-5 days of work.

@asafarian asafarian added the feature request Categorizes issue or PR as related to a new feature or enhancement. label Apr 26, 2024
@workato-integration

@asafarian
Author

Any news here?

@nedl86

nedl86 commented Jul 3, 2024

Hi @asafarian, I'm in the Solutions Consulting team at New Relic. Thanks for your patience while our Product team reviews this. Would you be open to a quick discussion about this request? If so, please reach out to me at: nlidbury [at] newrelic [dot] com
