Security is important [1] when running containers in Kubernetes. For this reason we document how to build a HiveMQ image that runs as a non-root user and group, without increasing the size of the image.
- Check which is the latest version of the HiveMQ k8s image on the Docker registry https://hub.docker.com/r/hivemq/hivemq4/tags?page=1&name=k8s: `hivemq/hivemq4:k8s-<version>`.
- Build the custom image using the command:

  ```
  docker build \
    --build-arg HIVEMQ_IMAGE=hivemq/hivemq4:k8s-<version> \
    --build-arg JAVA_IMAGE=openjdk:11-jre-slim \
    -t <custom-org>:<custom-tag> \
    -f example_nonroot_k8s.dockerfile .
  ```

- Push your custom Docker image to your Docker registry; for more information see the official documentation [2]:

  ```
  docker image push <registry-host>:5000/<custom-org>:<custom-tag>
  ```

Override the default Docker image name of the HiveMQ operator helm chart by creating a custom `values.yml` file and configuring the `podSecurityContext` to match your image. Use the custom values file as described in the HiveMQ Operator documentation [3].

- Configure the image name in the helm chart `values.yml` for the HiveMQ operator helm chart:

  ```yaml
  hivemq:
    image: <custom-org>:<custom-tag>
  ```

- Set up the pod and container security context [4] in the helm chart values:

  ```yaml
  podSecurityContext:
    fsGroup: 10000
    runAsNonRoot: true
    runAsGroup: 10000
    runAsUser: 10000
  containerSecurityContext:
    runAsNonRoot: true
    runAsGroup: 10000
    runAsUser: 10000
    allowPrivilegeEscalation: false
    privileged: false
  ```

  Note: The HiveMQ user and group are `10000:10000`. The user ID can differ, but it should be a member of group `10000`.

- Install or upgrade your HiveMQ helm chart:

  ```
  helm upgrade --install -f myCustomValues.yaml hivemq hivemq/hivemq-operator
  ```
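As an added example (not part of the HiveMQ documentation or operator), a small Python check that a loaded values file meets the security-context requirements above before running `helm upgrade`. It assumes the contexts are nested under the `hivemq:` key like `image` (falling back to the top level) and that you load the YAML yourself, e.g. with `yaml.safe_load`.

```python
# Added example: validate helm values against the non-root requirements
# (group 10000, non-zero UID, no privilege escalation) before deploying.

HIVEMQ_GID = 10000  # group the HiveMQ user must belong to (from the docs above)


def check_security_context(values):
    """Return a list of findings; an empty list means the values are compliant."""
    root = values.get("hivemq", values)  # assumption: chart nests settings under hivemq:
    pod = root.get("podSecurityContext") or {}
    ctr = root.get("containerSecurityContext") or {}
    findings = []

    for name, ctx in (("podSecurityContext", pod), ("containerSecurityContext", ctr)):
        if ctx.get("runAsNonRoot") is not True:
            findings.append(f"{name}.runAsNonRoot must be true")
        if not ctx.get("runAsUser"):  # missing or 0 would allow running as root
            findings.append(f"{name}.runAsUser must be a non-zero UID")
        if ctx.get("runAsGroup") != HIVEMQ_GID:
            findings.append(f"{name}.runAsGroup must be {HIVEMQ_GID}")

    # fsGroup makes mounted volumes writable by the HiveMQ group
    if pod.get("fsGroup") != HIVEMQ_GID:
        findings.append(f"podSecurityContext.fsGroup must be {HIVEMQ_GID}")
    if ctr.get("allowPrivilegeEscalation") is not False:
        findings.append("containerSecurityContext.allowPrivilegeEscalation must be false")
    if ctr.get("privileged") is not False:
        findings.append("containerSecurityContext.privileged must be false")
    return findings


# Constructed sample matching the values shown in the docs above.
GOOD_VALUES = {"hivemq": {
    "image": "<custom-org>:<custom-tag>",
    "podSecurityContext": {"fsGroup": 10000, "runAsNonRoot": True,
                           "runAsGroup": 10000, "runAsUser": 10000},
    "containerSecurityContext": {"runAsNonRoot": True, "runAsGroup": 10000,
                                 "runAsUser": 10000, "allowPrivilegeEscalation": False,
                                 "privileged": False},
}}

# Constructed weak sample: root UID, no container context, privileges left open.
WEAK_VALUES = {"hivemq": {"podSecurityContext": {"runAsUser": 0, "runAsGroup": 10000}}}

if __name__ == "__main__":
    for label, v in (("good", GOOD_VALUES), ("weak", WEAK_VALUES)):
        print(label, check_security_context(v) or "OK")
```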