Using a Rootless Image in Traefik Enterprise¶

In certain cases it may be desirable to use a rootless image for security purposes.

A rootless version of the image is available, but it is not used by default due to limitations in certain environments.

The rootless image name is the same as the standard image with the additional suffix -rootless on the tag. For example traefik/traefikee:v2.x.x-rootless.

When using this image, everything is started as a non-privileged user non-root with the UID 65532 and GID 65532.

Using the Rootless Image¶

After generating your manifests, manually add the -rootless suffix to the image name for the controllers and/or proxies.

Some Cloud Providers may mount persistent volumes inside your containers as root, resulting in permission errors when starting a controller or proxy. The best way to fix this is to change ownership of the volume before starting the Traefik Enterprise containers, here are some specific examples:

Kubernetes (up to 1.17)

# Specifying an additional init container to change volume ownership
kind: StatefulSet
#[...]
spec:
#[...]
  template:
  #[...]
    spec:
      securityContext:
        runAsUser: 65532
        runAsGroup: 65532
      initContainers:
        #[...]
        - name: volume-ownership
          image: busybox:1.31.1
          command: ['sh', '-c', 'chown -R 65532:65532 /data']
          resources:
            requests:
              memory: "10Mi"
              cpu: "100m"
            limits:
              memory: "100Mi"
              cpu: "1000m"
          volumeMounts:
            - name: "rootless-proxy-data"
              mountPath: "/data"
#[...]

Kubernetes (1.18+)

# Taking advantage of `fsGroup` security context to grant additional group permission on volumes
kind: StatefulSet
#[...]
spec:
#[...]
  template:
  #[...]
    spec:
      securityContext:
        runAsUser: 65532
        runAsGroup: 65532
        fsGroup: 65532
    #[...]
      containers:
      - name: "rootless-controller"
#[...]

Docker (Named volumes)

# Change ownership of the volume(s) before deploying the Traefik Enterprise stack
docker run -it --mount source=my-traefikee-volume,destination=/data busybox:1.31.1 chown -R 65532:65532 /data

Docker (Bind volumes)

# Change ownership of the source volume(s) before deploying the Traefik Enterprise stack
chown -R 65532:65532 /my-traefikee-volume

Rootless Controllers in Docker Swarm

When using a rootless image in Docker Swarm, the Controller no longer has access to the Docker Socket which is required for the provider to work. In this case the Docker Socket should be exposed securely over the network. Instructions on how to do this are provided by Docker. Please refer to this guide.