cert-manager containers are running with GID = 0 #8409
Description
During some investigation in our cluster, we found that the user running inside the cert-manager containers has GID 0. From a security perspective, it is good practice to have a non-zero GID.
This is how cert-manager was installed in our system:

```
helm install cert-manager --namespace cert-manager --version v1.18.2 jetstack/cert-manager
```
The UID/GID information was collected by tracing the process ID of the containers like this:

1. Get the container name: `kubectl get pod <pod-name> -n <namespace> -o jsonpath='{.spec.containers[*].name}'`
2. Get the container ID using crictl: `crictl ps --name <container-name>`
3. I inspected the container and got the PID of the running container process: `crictl inspect <CONTAINER_ID> | grep "pid"`
4. Got the uid/gid of the running process: `ps -o uid,gid,user,group -p <CONTAINER_PROCESS_PID>`
I also checked if there was a user namespace mapping:

```
cat /proc/783872/uid_map
0 0 4294967295
```
The finding was that uid = 1000 and gid = 0.
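The check described above, as an added example that is not part of the original issue: it reads the same two files the report inspects (`/proc/<pid>/status` for the real uid/gid and `/proc/<pid>/uid_map` for a user-namespace remap) and flags a process whose real GID is 0 with no remap. The file contents below are constructed to mirror the finding (uid 1000, gid 0, identity uid_map); the process name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the cert-manager issue: audit a process for GID 0 using
# the same two /proc files the report inspects. The sample contents below are
# constructed to mirror the finding (uid 1000, gid 0, identity uid_map); on a node
# you would read /proc/<pid>/status and /proc/<pid>/uid_map for the container PID.

# Real UID/GID from a /proc/<pid>/status body on stdin. The "Uid:"/"Gid:" lines
# list real, effective, saved and filesystem ids; the first column is the real one.
real_uid() { awk '$1 == "Uid:" { print $2; exit }'; }
real_gid() { awk '$1 == "Gid:" { print $2; exit }'; }

# Succeeds when the uid_map on stdin is the identity mapping "0 0 4294967295",
# i.e. no user namespace remap, so gid 0 in the container is gid 0 on the host.
is_identity_map() {
    awk 'NR == 1 && $1 == 0 && $2 == 0 && $3 == 4294967295 { ok = 1 }
         NR > 1 { ok = 0 }
         END { exit !ok }'
}

# Print one verdict line for a (status, uid_map) pair; always exits 0.
audit() {
    gid=$(printf '%s\n' "$1" | real_gid)
    if [ "$gid" != "0" ]; then
        echo "ok: real gid $gid"
    elif printf '%s\n' "$2" | is_identity_map; then
        echo "FLAG: gid 0 without user-namespace remap"
    else
        echo "note: gid 0 remapped by user namespace"
    fi
}

# Constructed samples, whitespace-separated like the real /proc files.
SAMPLE_STATUS='Name:   sample-process
Uid:    1000    1000    1000    1000
Gid:    0       0       0       0'
HARDENED_STATUS='Name:   sample-process
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000'
SAMPLE_UIDMAP='         0          0 4294967295'
REMAPPED_UIDMAP='         0     100000      65536'

audit "$SAMPLE_STATUS" "$SAMPLE_UIDMAP"     # FLAG: gid 0 without user-namespace remap
audit "$HARDENED_STATUS" "$SAMPLE_UIDMAP"   # ok: real gid 1000
audit "$SAMPLE_STATUS" "$REMAPPED_UIDMAP"   # note: gid 0 remapped by user namespace
```

On a real node, substitute `$(cat /proc/<pid>/status)` and `$(cat /proc/<pid>/uid_map)` for the constructed strings once you have the container PID from `crictl inspect`.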