在K8S上安全运行Apache容器

Question

I've built a docker image based on httpd:2.4 . In my k8s deployment I've defined the following securityContext :

securityContext:
  privileged: false
  runAsNonRoot: true
  runAsUser: 431
  allowPrivilegeEscalation: false

When I apply the deployment without this securityContext everything works fine, the server starts up correctly, etc. However when I add in the above securityContext my pod has the status CrashLoopBackOff and I get the following from $ kubectl logs...

(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

From searching around online I've found that this is because apache needs to be root in order to run, so running as non-root will fail.

I've also found that httpd.conf has the following

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon

Which seems to suggest that if I don't use runAsNonRoot or runAsUser in securityContext it should automatically switch to whichever user I specify in httpd.conf . In my case I created a user/group swuser and edited httpd.conf accordingly. However when I run the image locally with docker run -p 5000:80 my-registry/my-image:1.0.12-alpha and then run docker exec -it my-container whoami it prints root .

So my question is, what can I do to run my container safely as non-root in k8s (and be sure it is non-root)

Answer 1

Run the apache on a port greater than 1024.

Ports below 1024 are privileged ports only available to the root user.

As you will have some ingress load balancer before that, it shouldn't matter :-)