Using a Rootless Image in Traefik Enterprise¶
In certain cases it may be desirable to use a rootless image for security purposes.
A rootless version of the image is available, but it is not used by default due to limitations in certain environments.
The rootless image name is the same as the standard image with the additional suffix -rootless
on the tag.
For example store/containous/traefikee:v2.x.x-rootless
.
When using this image, everything is started as a non-privileged user non-root
with the UID 65532
and GID 65532
.
Using the Rootless Image¶
After generating your manifests, manually add the -rootless
suffix to the image name for the controllers and/or proxies.
Some Cloud Providers may mount persistent volumes inside your containers as root
, resulting in permission errors when starting a controller or proxy. The best way to fix this is to change ownership of the volume before starting the Traefik Enterprise containers, here are some specific examples:
# Specifying an additional init container to change volume ownership
kind: StatefulSet
#[...]
spec:
#[...]
template:
#[...]
spec:
securityContext:
runAsUser: 65532
runAsGroup: 65532
initContainers:
#[...]
- name: volume-ownership
image: busybox:1.31.1
command: ['sh', '-c', 'chown -R 65532:65532 /data']
resources:
requests:
memory: "10Mi"
cpu: "100m"
limits:
memory: "100Mi"
cpu: "1000m"
volumeMounts:
- name: "rootless-proxy-data"
mountPath: "/data"
#[...]
# Taking advantage of `fsGroup` security context to grant additional group permission on volumes
kind: StatefulSet
#[...]
spec:
#[...]
template:
#[...]
spec:
securityContext:
runAsUser: 65532
runAsGroup: 65532
fsGroup: 65532
#[...]
containers:
- name: "rootless-controller"
#[...]
# Change ownership of the volume(s) before deploying the Traefik Enterprise stack
docker run -it --mount source=my-traefikee-volume,destination=/data busybox:1.31.1 chown -R 65532:65532 /data
# Change ownership of the source volume(s) before deploying the Traefik Enterprise stack
chown -R 65532:65532 /my-traefikee-volume
Rootless Controllers in Docker Swarm
When using a rootless image in Docker Swarm, the Controller no longer has access to the Docker Socket which is required for the provider to work. In this case the Docker Socket should be exposed securely over the network. Instructions on how to do this are provided by Docker. Please refer to this guide.