
Workspace BB and root #99

@ahaywardtvuk

Description


As part of https://github.com/EOEPCA/system-tasks/issues/69 I'm looking for containers running as root as these can be both a security problem and a problem on clusters with a 'no root' policy.

The workspace BB has the following:

| Namespace | Pod Name | Command |
| --- | --- | --- |
| workspace | csi-rclone-controller-0 | `/csi-attacher --v=5 --csi-address=/csi/csi.sock --leader-election` |
| workspace | csi-rclone-controller-0 | `/csi-provisioner --csi-address=/csi/csi.sock --capacity-ownerref-level=0 --extra-create-metadata` |
| workspace | csi-rclone-controller-0 | `/csi-rclone run controller --nodeid=192.168.9.244 --endpoint=unix://plugin/csi.sock` |
| workspace | csi-rclone-controller-0 | `/livenessprobe --csi-address=/csi/csi.sock` |
| workspace | csi-rclone-nodeplugin-5pr82 | `/csi-node-driver-registrar --v=5 --csi-address=/plugin/csi.sock --kubelet-registration-path=/var/lib/kubelet/plugins/csi-rclone/csi.sock` |
| workspace | csi-rclone-nodeplugin-5pr82 | `/csi-rclone run node --nodeid=192.168.9.105 --endpoint=unix://plugin/csi.sock` |
| workspace | csi-rclone-nodeplugin-5pr82 | `/livenessprobe --csi-address=/plugin/csi.sock` |
| workspace | csi-rclone-nodeplugin-5pr82 | `rclone rcd --rc-addr=:33227 --cache-info-age=72h --cache-chunk-clean-interval=15m --rc-no-auth --log-level=NOTICE --config=/tmp/rclone.conf1611859062` |
| workspace | ... more for other nodes ... | ... |
| ws-alice | data-fdc99dfdc-qll7l | `./filebrowser` |
| ws-eric | data-7dd4c64cbb-g7v8t | `./filebrowser` |

I wouldn't normally expect a CSI driver to work without root, but I can't find a definitive answer for csi-rclone specifically.

For this issue, we should:

  • Run the file browser as a non-root user (/data is owned by 1000:100).
  • Understand what a platform that normally doesn't allow pods running as root can do so that we can add a note to the deployment guide. This might be just that csi-rclone needs to be installed with root access or the workspace BB won't work.
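A small audit script, added here as an illustration and not part of the issue or of the EOEPCA workspace BB code, that shows how the two points above can be checked from pod specs alone. It merges the pod-level and container-level `securityContext` the way the Kubernetes API does (container fields win), classifies each container as root, non-root, or image-dependent (no `runAsUser` and no `runAsNonRoot: true`, so the effective UID comes from the image's `USER` directive and cannot be known from the spec), and checks whether the effective identity can own or access a volume owned by 1000:100. The sample pod objects are constructed for this example; the pod names are taken from the table above but the specs are invented, and the "after" spec is one way to run the file browser as 1000:100 rather than anything the project has committed.

```python
"""Audit Kubernetes pod specs for containers that may run as root.

Added example; not code from the issue or from the workspace BB.
Rules implemented (Kubernetes securityContext semantics):
  - container.securityContext overrides pod.securityContext field by field
  - runAsNonRoot: true makes the kubelet refuse to start a container whose
    effective UID is 0, so the verdict is non-root even with runAsUser unset
  - runAsUser unset and runAsNonRoot not true: the UID comes from the image's
    USER directive, which the spec alone cannot reveal ("image-dependent")
"""
import json
import sys

ROOT, NON_ROOT, UNKNOWN = "root", "non-root", "image-dependent"

# Constructed sample: a "before" spec resembling the file browser pod, no securityContext.
FILEBROWSER_BEFORE = {
    "metadata": {"name": "data-fdc99dfdc-qll7l", "namespace": "ws-alice"},
    "spec": {"containers": [{"name": "filebrowser", "image": "filebrowser/filebrowser"}]},
}

# Constructed sample: same pod pinned to the owner of /data (1000:100).
FILEBROWSER_AFTER = {
    "metadata": {"name": "data-fdc99dfdc-qll7l", "namespace": "ws-alice"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                            "runAsGroup": 100, "fsGroup": 100},
        "containers": [{"name": "filebrowser", "image": "filebrowser/filebrowser"}],
    },
}

# Constructed sample: a CSI node plugin whose driver container explicitly asks for root.
CSI_NODEPLUGIN = {
    "metadata": {"name": "csi-rclone-nodeplugin-5pr82", "namespace": "workspace"},
    "spec": {"containers": [
        {"name": "csi-rclone", "securityContext": {"privileged": True, "runAsUser": 0}},
        {"name": "livenessprobe"},
    ]},
}


def effective_context(pod, container):
    """Pod-level securityContext with container-level fields layered on top."""
    merged = dict(pod.get("spec", {}).get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def classify(ctx):
    """Decide what the spec guarantees about the effective UID."""
    uid = ctx.get("runAsUser")
    if uid == 0:
        return ROOT
    if uid is not None:
        return NON_ROOT
    if ctx.get("runAsNonRoot") is True:
        return NON_ROOT  # kubelet enforces this at container start
    return UNKNOWN


def can_access_owned_path(ctx, owner_uid, owner_gid):
    """True if the effective UID matches the owner, or a GID matches the owner group.
    Group membership helps only if the directory grants group permissions; fsGroup
    is applied by the volume plugin and CSI drivers may ignore it (fsGroupPolicy)."""
    if ctx.get("runAsUser") == owner_uid:
        return True
    gids = {ctx.get("runAsGroup"), ctx.get("fsGroup"), *ctx.get("supplementalGroups", [])}
    return owner_gid in gids


def audit(pod, owner=(1000, 100)):
    """One finding per (init)container in the pod."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ctx = effective_context(pod, c)
        findings.append({
            "namespace": meta.get("namespace", ""),
            "pod": meta.get("name", ""),
            "container": c["name"],
            "verdict": classify(ctx),
            "privileged": bool(c.get("securityContext", {}).get("privileged", False)),
            "owns_data": can_access_owned_path(ctx, *owner),
        })
    return findings


def audit_pod_list(json_text):
    """Audit the output of `kubectl get pods -A -o json` (a PodList)."""
    return [f for pod in json.loads(json_text)["items"] for f in audit(pod)]


if __name__ == "__main__":
    pods = [FILEBROWSER_BEFORE, FILEBROWSER_AFTER, CSI_NODEPLUGIN]
    rows = audit_pod_list(sys.stdin.read()) if not sys.stdin.isatty() else \
        [f for p in pods for f in audit(p)]
    for f in rows:
        print(f"{f['namespace']:<12}{f['pod']:<30}{f['container']:<22}"
              f"{f['verdict']:<16}priv={f['privileged']!s:<6}owns_data={f['owns_data']}")
```

Pipe `kubectl get pods -A -o json` into the script to run it against a live cluster; with no stdin it audits the three constructed samples. The "image-dependent" verdict is the one to act on: it is exactly the case the table above was built from, where `ps` on the node is the only way to learn the real UID. Setting `runAsNonRoot: true` turns that guess into a kubelet-enforced guarantee, and a "no root" platform (for example Pod Security Admission in `restricted` mode) will still need an explicit exemption for the csi-rclone namespace if the driver turns out to need root.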
