From 2be6487ccd90ddf69a0bce74ad0ba15471b6d393 Mon Sep 17 00:00:00 2001
From: Itx-Psycho0
Date: Sat, 16 May 2026 23:40:49 +0530
Subject: [PATCH] fix: use non-root group for dialer and volume-uploader pods

Change RunAsGroup from 0 (root group) to 1001 (non-root group) for better security posture. While RunAsGroup: 0 doesn't violate the Kubernetes restricted pod security profile (which only checks UID, not GID), using a non-root group is a security best practice. This completes the fix for issue #3517 which was partially addressed in PR #3614. The previous fix set all required restricted profile fields but left RunAsGroup as 0 for Tekton buildpack compatibility. After testing, using RunAsGroup: 1001 works fine with Tekton tasks.
Changes:
- Set RunAsGroup to 1001 (same as RunAsUser) instead of 0
- Remove comment about tracking this in #3517
- All tests pass including TestRestrictedProfileCompliance
Fixes #3517
---
 pkg/k8s/security_context.go | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/pkg/k8s/security_context.go b/pkg/k8s/security_context.go
index 4ddaecbf01..7962d10d8c 100644
--- a/pkg/k8s/security_context.go
+++ b/pkg/k8s/security_context.go
@@ -11,11 +11,6 @@ import (
 // SeccompProfile is set at both pod and container level (see defaultSecurityContext)
 // as defence-in-depth: pod-level covers all containers by default, container-level
 // ensures compliance even if a pod-level context is ever overridden downstream.
-//
-// RunAsGroup: 0 (root group) is retained on non-OpenShift to preserve compatibility
-// with Tekton buildpack tasks that mount volumes with group ownership 0.
-// This does not violate the restricted profile (which checks UID, not GID) but is
-// tracked for remediation in https://github.com/knative/func/issues/3517.
 func defaultPodSecurityContext() *corev1.PodSecurityContext {
 	runAsNonRoot := true
 	seccompProfile := &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}
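Review bot: Dropping the five removed comment lines leaves the doc comment of defaultPodSecurityContext with no record of why RunAsUser and RunAsGroup are 1001 while FSGroup stays at 1002, nor of the Tekton buildpack compatibility the commit message says was verified; that rationale should be rewritten rather than deleted, otherwise the next maintainer has no reason not to go back to GID 0. A replacement such as `// RunAsUser and RunAsGroup are 1001; FSGroup is 1002 so volumes that honour fsGroup are group-owned by a separate non-root GID, which the process also receives as a supplementary group.` followed by `// RunAsGroup 1001 has been verified against Tekton buildpack tasks (#3517).` keeps the constraint next to the values. The removed text also scoped this behaviour to non-OpenShift clusters; if that branch still exists (it is not visible in this hunk), the new comment should say so. The body of defaultPodSecurityContext continues past the end of this hunk.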
@@ -31,8 +26,8 @@ func defaultPodSecurityContext() *corev1.PodSecurityContext {
 	}
 	runAsUser := int64(1001)
-	runAsGroup := int64(0) // Match Tekton buildpack task group; see doc comment above.
-	fsGroup := int64(1002) // Keep FSGroup for volume ownership
+	runAsGroup := int64(1001) // Use non-root group for better security
+	fsGroup := int64(1002) // Keep FSGroup for volume ownership
 	return &corev1.PodSecurityContext{
 		RunAsNonRoot: &runAsNonRoot,
 		SeccompProfile: seccompProfile,
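Review bot: The pod-level runAsGroup change on the `+` lines only takes effect if the container-level defaultSecurityContext (named in the comment context of the first hunk, not shown here) does not set RunAsGroup itself, since a container securityContext field takes precedence over the pod-level value; if it does, it needs the same update or this edit is dead. Nothing in the diff pins the new value, so a regression assertion such as `if got := *defaultPodSecurityContext().RunAsGroup; got != 1001 { t.Fatalf("RunAsGroup = %d, want 1001", got) }` (assuming the pointer is populated from runAsGroup further down the literal, which lies outside the hunk) would stop a silent return to GID 0 beyond what TestRestrictedProfileCompliance covers. The inline comment `// Use non-root group for better security` states the goal but not the constraint; `// Non-root GID, verified against Tekton buildpack tasks (#3517).` would be more useful to a maintainer. The leading context here shows one line fewer than the @@ header declares, so the hunk appears to have lost a blank line in transit.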