The code for this article can be found here
Running a pod in Kubernetes is easy, running a pod as a non root user (which is best practice) can be slightly trickier and requires extra thought when creating images.
Recently I had a requirement from a client to be able to exchange files within customers via a custom application written in Angular/dotnet core. To minimise risk to the clients, and to ensure no virus were sent we implemented ClamAV. As our environment was hosting in AKS, it was trivial to create an image and run a container containing ClamAV. Initially I used the image provided by mkodockx, this worked fine when running locally, deploying to our AKS cluster is when permission issues occurred.
A few examples of the errors I received were:
- Not being able to execute the bootstrap.sh script
- Not having permissions to access the /etc/ssl/certs directory
- Not having permissions to update the daily.cvd file
Examples of the error messages can be seen below:
!Download failed (77) Mon Feb 15 13:38:19 2021 -> ! Message: Problem with the SSL CA cert (path? access rights?)
Mon Feb 15 13:38:19 2021 -> !getpatch: Can’t download daily-26077.cdiff from https://database.clamav.net/daily-26077.cdiff
Mon Feb 15 13:38:19 2021 -> ^Incremental update failed, trying to download daily.cvd
To fix these issues I modified the dockerfile that mkodockx provided to:
Run apt-get install ca-certificates openssl && \ update-ca-certificates
I changed the owner on the /etc/ssl/certs folder to clamav_user, and set the executing user to 1000.
Please see the full dockerfile here