Modify Synthetics Job Manager Containers to Support Non-Root Execution

[asafarian]

Description

We have observed that the New Relic Synthetics job manager images are configured to run as the root user. This configuration leads to compatibility issues in environments like OpenShift, which, by default, restricts running containers as root to enhance security. This restriction requires the application to run with privileged permissions, which is not ideal from a security standpoint.

Acceptance Criteria

• Modify Docker images to allow running as non-root user.
• Ensure that the modified images maintain functionality when deployed in both Kubernetes and OpenShift environments.
• Document the changes and update any user guides or deployment instructions accordingly.

Describe Alternatives

We have considered using OpenShift's anyuid Security Context Constraint to allow the containers to run as root; however, this approach is not recommended due to security risks. An alternative could be to refactor the application to avoid the necessity of root privileges entirely, which would comply with best practices for container security.

Dependencies

This change will affect the deployment and operational teams responsible for managing the New Relic Synthetics job manager images.

Additional context

The use of non-root containers is a common practice to enhance security in containerized environments. Adapting our images to support running as a non-root user aligns with industry security standards and best practices, thus improving our compatibility with more secure and restricted environments like OpenShift.

Estimates

Given the scope of testing and documentation updates required, this task is estimated to be a Medium (M) effort, corresponding to 3-5 days of work.

[workato-integration]

https://new-relic.atlassian.net/browse/NR-262792

[asafarian]

Any news here ?