Fluent Bit running as root in VIP Auth hub during Prisma scan
Article ID: 411069


Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

A Prisma scan reported that the Fluent Bit Dockerfile has no USER directive, so the image is flagged as running as root.

The security team requires that applications run as a non-root user.

Environment

Kubernetes 1.32.4

VIP Auth Hub 3.4.3

Resolution

The recommended Helm values when deploying fluent-bit:

--set input.tail.preserveLastProcessedLine.enabled=false
--set fluent-bit.securityContext.runAsNonRoot=true
--set fluent-bit.securityContext.runAsUser=1000

The Prisma scan is a static check of the image: it detects that the Fluent Bit Dockerfile contains no USER statement.

The USER statement only sets the default UID the container starts with when nothing else specifies one. In Kubernetes, securityContext.runAsUser in the pod or container spec takes precedence over the image's USER.

In this deployment the UID is specified in the pod manifest: --set fluent-bit.securityContext.runAsUser=1000 renders runAsUser: 1000 into the container's securityContext.

The scan inspects only the image; it is not aware of how VIP Auth Hub deploys it.

With the settings above, the Fluent Bit process runs as UID 1000 at run time, so the finding is mitigated rather than a real exposure. runAsNonRoot: true adds a fail-closed guard: if the effective UID were ever 0 (for example because a later override removed runAsUser), the kubelet refuses to start the container instead of running it as root. Two things are worth checking before accepting the finding: that the rendered securityContext actually carries these values (kubectl get pod <pod> -o jsonpath='{.spec.containers[*].securityContext}'), and that Fluent Bit can still read the log sources it tails as UID 1000.

The Fluent Bit deployment log confirms "runAsUser: 1000" at run time, not root:

yyyy-mm-ddT17:02:51.1002131Z       securityContext:
yyyy-mm-ddT17:02:51.1002653Z         allowPrivilegeEscalation: false
yyyy-mm-ddT17:02:51.1003152Z         privileged: false
yyyy-mm-ddT17:02:51.1003739Z         readOnlyRootFilesystem: true
yyyy-mm-ddT17:02:51.1004133Z         runAsNonRoot: true
yyyy-mm-ddT17:02:51.1004451Z         runAsUser: 1000
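The precedence described above (container securityContext over pod securityContext over the image's USER) is what decides whether a "no USER in the Dockerfile" finding matters. The following script, added here as an example and not part of the article or of the VIP Auth Hub or Fluent Bit projects, applies that precedence to a pod manifest and reports every container that would end up as root. The pod JSON is constructed for the example (its securityContext mirrors the log excerpt above); the function and variable names are the example's own. With no input on stdin it audits the built-in sample; piped `kubectl get pod <pod> -o json` it audits a live pod.

```python
import json
import sys
from typing import Optional

# Constructed sample: the JSON form of a pod as `kubectl get pod <name> -o json`
# would return it, with the securityContext copied from the article's log excerpt.
# Not captured from a real cluster.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "fluent-bit-example"},
  "spec": {
    "securityContext": {},
    "containers": [
      {
        "name": "fluent-bit",
        "securityContext": {
          "allowPrivilegeEscalation": false,
          "privileged": false,
          "readOnlyRootFilesystem": true,
          "runAsNonRoot": true,
          "runAsUser": 1000
        }
      }
    ]
  }
}
""")


def effective_run_as_user(pod: dict, container: dict) -> Optional[int]:
    """UID the container will start as, following Kubernetes precedence:
    container securityContext.runAsUser beats pod securityContext.runAsUser,
    which beats the image's USER. The image USER is not visible in a manifest,
    so None means "whatever the Dockerfile set" (root when it has no USER)."""
    csc = container.get("securityContext") or {}
    psc = pod.get("spec", {}).get("securityContext") or {}
    if "runAsUser" in csc:
        return csc["runAsUser"]
    if "runAsUser" in psc:
        return psc["runAsUser"]
    return None


def effective_run_as_non_root(pod: dict, container: dict) -> bool:
    """runAsNonRoot with the same container-over-pod precedence; default false."""
    csc = container.get("securityContext") or {}
    psc = pod.get("spec", {}).get("securityContext") or {}
    if "runAsNonRoot" in csc:
        return bool(csc["runAsNonRoot"])
    return bool(psc.get("runAsNonRoot", False))


def audit_pod(pod: dict, image_user: Optional[int] = None) -> list:
    """One finding per container whose effective UID is root, or that lacks the
    runAsNonRoot guard. image_user is the UID from the image's USER statement if
    known; None means the Dockerfile has no USER (what the scan flags), i.e. root."""
    findings = []
    for c in pod["spec"]["containers"]:
        name = c["name"]
        uid = effective_run_as_user(pod, c)
        non_root = effective_run_as_non_root(pod, c)
        if uid is None:
            uid = image_user  # nothing in the manifest: fall back to the image default
        root = uid is None or uid == 0
        if root and non_root:
            # kubelet checks this before starting the container and fails closed
            findings.append(f"{name}: runAsNonRoot=true but the effective UID is root; "
                            "kubelet will refuse to start the container")
        elif root:
            findings.append(f"{name}: effective UID is root "
                            "(no non-root runAsUser in the manifest or the image)")
        elif not non_root:
            findings.append(f"{name}: runAsUser={uid} but runAsNonRoot is unset; "
                            "set it so a later root override is rejected")
    return findings


def variant(pod: dict, container_sc: dict) -> dict:
    """Deep copy of pod with the first container's securityContext replaced,
    for what-if checks against the sample."""
    new = json.loads(json.dumps(pod))
    new["spec"]["containers"][0]["securityContext"] = container_sc
    return new


if __name__ == "__main__":
    target = SAMPLE_POD if sys.stdin.isatty() else json.load(sys.stdin)
    for line in audit_pod(target) or ["OK: every container runs as a non-root UID"]:
        print(line)
```

The sample pod produces no findings, which is the article's case. Dropping runAsUser while keeping runAsNonRoot: true produces the "kubelet will refuse" finding, which is the safe failure mode; dropping both is the only combination that silently runs as root, and it is exactly the combination the scan's "missing USER" check is really about.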