
Allow running as non-root to improve out-of-the-box experience for openshift users #300

@gberche-orange

Description

By default, K8S OpenShift restricts containers to run with user IDs below 1000; see

https://docs.openshift.com/container-platform/4.10/cicd/pipelines/using-pods-in-a-privileged-security-context.html

The default configuration of OpenShift [Pipelines 1.3.x and later versions] does not allow you to run pods with privileged security context
https://docs.openshift.com/container-platform/4.10/operators/operator_sdk/helm/osdk-helm-tutorial.html
The Nginx service account requires privileged access to run in OpenShift Container Platform. Add the following security context constraint (SCC)
oc adm policy add-scc-to-user anyuid system:serviceaccount:nginx-operator-system:nginx-sample

Without these additional permissions, the cloudsql image (such as image: gcr.io/google.com/cloudsdktool/google-cloud-cli:412.0.0) would fail with the following trace:

$ gcloud auth activate-service-account --key-file=/secret/key.json

WARNING: Could not setup log file in /.config/gcloud/logs, (Error: Could not create directory [/.config/gcloud/logs/2022.12.22]: Permission denied.

Please verify that you have permissions to write to the parent directory..
The configuration directory may not be writable. To learn more, see https://cloud.google.com/sdk/docs/configurations#creating_a_configuration
ERROR: (gcloud.auth.activate-service-account) Could not create directory [/.config/gcloud]: Permission denied.

Please verify that you have permissions to write to the parent directory.
Stream closed EOF for 70-crossplane/gcp-gcloud-8bcc8d579-vtrh5 (gcp-gcloud)

The filesystem also lacks the permissions needed to run without being root (0) within the container:

1001020000@gcp-gcloud-86d49686bb-h72pr:/$ ls -al /
total 4
dr-xr-xr-x.   1 root root         54 Dec 22 15:34 .
dr-xr-xr-x.   1 root root         54 Dec 22 15:34 ..
drwxr-xr-x.   1 root root        179 Dec 13 18:41 bin
drwxr-xr-x.   2 root root          6 Sep  3 12:10 boot
drwxr-xr-x.   5 root root        360 Dec 22 15:34 dev
drwxr-xr-x.   1 root root         31 Dec 22 15:34 etc
drwxr-xr-x.   1 root root         22 Dec 13 18:41 home
drwxr-xr-x.   1 root root         17 Dec 13 18:46 lib
drwxr-xr-x.   2 root root         34 Dec  5 00:00 lib64
drwxr-xr-x.   2 root root          6 Dec  5 00:00 media
drwxr-xr-x.   2 root root          6 Dec  5 00:00 mnt
drwxr-xr-x.   2 root root          6 Dec  5 00:00 opt
dr-xr-xr-x. 343 root root          0 Dec 22 15:34 proc
drwx------.   1 root root         19 Dec 22 15:34 root
drwxr-xr-x.   1 root root         42 Dec 22 15:34 run
drwxr-xr-x.   2 root root       4096 Dec  5 00:00 sbin
drwxrwsrwt.   3 root 1001020000  100 Dec 22 15:34 secret
drwxr-xr-x.   2 root root          6 Dec  5 00:00 srv
dr-xr-xr-x.  13 root root          0 Oct 24 13:01 sys
drwxrwxrwt.   1 root root          6 Dec 13 18:47 tmp
drwxr-xr-x.   1 root root         19 Dec  5 00:00 usr
drwxr-xr-x.   1 root root         41 Dec  5 00:00 var
1001020000@gcp-gcloud-86d49686bb-h72pr:/$ sudo -i 
bash: sudo: command not found
1001020000@gcp-gcloud-86d49686bb-h72pr:/$ mkdir /.config
mkdir: cannot create directory '/.config': Permission denied

1001020000@gcp-gcloud-86d49686bb-h72pr:/$ id
uid=1001020000(1001020000) gid=0(root) groups=0(root),1001020000

Same when trying to run as cloudsdk:cloudsdk

      securityContext:
        runAsUser: 1000
        runAsGroup: 1000

RUN groupadd -r -g 1000 cloudsdk && \
    useradd -r -u 1000 -m -s /bin/bash -g cloudsdk cloudsdk

  - lastTransitionTime: "2022-12-22T15:54:32Z"
    lastUpdateTime: "2022-12-22T15:54:32Z"
    message: 'pods "gcp-gcloud-cli-55cf44859-" is forbidden: unable to validate against
      any security context constraint: [provider "anyuid": Forbidden: not usable by
      user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid
      value: 1000: must be in the ranges: [1001020000, 1001029999], provider "nonroot":
      Forbidden: not usable by user or serviceaccount, 

Related issues:

Workaround on OpenShift:

In OpenShift CLI mode: oc adm policy add-scc-to-user anyuid -z default

In plain KRM:

# Grant crossplane user permission to run gcloud container as root
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
  - kind: ServiceAccount
    name: default
    namespace: my-namespace

and run pods as cloudsdk:cloudsdk

      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
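The workaround above grants the anyuid SCC, which widens the blast radius of every pod using that service account. The alternative the issue title asks for is to make the image itself tolerate an arbitrary, non-root UID. The following entrypoint wrapper is an added example, not code from the issue author or from the google-cloud-cli image: it relies on gcloud honouring the CLOUDSDK_CONFIG environment variable (it does) and on the world-writable, sticky /tmp seen in the ls output above; the script name gcloud-entrypoint.sh and the /tmp/gcloud-config-UID layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue or the google-cloud-cli image): an entrypoint
# wrapper that lets gcloud run under an arbitrary non-root UID such as the
# OpenShift-assigned 1001020000 in the report above.
#
# Why the reported command fails: that UID has no /etc/passwd entry, so HOME is
# "/" and gcloud tries to create /.config/gcloud inside a root-owned, read-only
# directory. gcloud honours the CLOUDSDK_CONFIG environment variable, so the
# wrapper points it at the first directory the current UID can actually write to.

# Print the first directory among the arguments that can be created (if needed)
# and written to by the current user; return 1 if none qualifies.
first_writable_dir() {
  for d in "$@"; do
    [ -n "$d" ] || continue
    if mkdir -p "$d" 2>/dev/null && [ -w "$d" ]; then
      printf '%s\n' "$d"
      return 0
    fi
  done
  return 1
}

# Pick gcloud's config directory, in order of preference:
#  1. CLOUDSDK_CONFIG if the operator already set it (e.g. to an emptyDir mount),
#  2. $HOME/.config/gcloud when HOME is a real, writable home directory,
#  3. a per-UID directory under /tmp, which is world-writable and sticky
#     (drwxrwxrwt in the ls output above), so it works for any assigned UID.
gcloud_config_dir() {
  first_writable_dir \
    "${CLOUDSDK_CONFIG:-}" \
    "${HOME:+$HOME/.config/gcloud}" \
    "/tmp/gcloud-config-$(id -u)"
}

# Export the chosen directory and hand the process over to gcloud unchanged.
main() {
  CLOUDSDK_CONFIG="$(gcloud_config_dir)" || {
    echo "gcloud-entrypoint: no writable config directory for uid $(id -u)" >&2
    exit 1
  }
  export CLOUDSDK_CONFIG
  exec gcloud "$@"
}

# Only take over the process when installed under the (hypothetical) name
# gcloud-entrypoint.sh, so the functions above can also be sourced and tested.
case "$0" in
  *gcloud-entrypoint.sh) main "$@" ;;
esac
```

Wired into a derived image with `COPY gcloud-entrypoint.sh /usr/local/bin/` and `ENTRYPOINT ["/usr/local/bin/gcloud-entrypoint.sh"]`, the pod can then drop the `runAsUser: 1000` line entirely and let the restricted SCC assign a UID from the project's range (the exact constraint the status message above complains about), which removes the need for the anyuid ClusterRoleBinding. Mounting an emptyDir and setting CLOUDSDK_CONFIG to it keeps activated credentials off the shared /tmp. The `[ -w ]` check is advisory when running as root (root passes it regardless of mode bits), which is fine here because the whole point is that the container is not root.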
