Usage of arbitrary UID makes secure Kubernetes deployment impossible

[MatonAnthony]

Hello,

I would like to run the snomed browser on a Kubernetes cluster, that use SCC restriction and attribute a random user id.
Unfortunately this is currently not possible because of https://github.com/IHTSDO/sct-browser-frontend/blob/master/docker/docker-entrypoint.sh

In this file

#!/usr/bin/env sh
set -eu

if test -f /etc/nginx/conf.d/default.conf.template  ; then
    envsubst '${API_HOST}' < /etc/nginx/conf.d/default.conf.template > /etc/nginx/nginx.conf 
    rm /etc/nginx/conf.d/default.conf.template 
fi

exec "$@" 

We can see the line here below, that substitute the content of the file before overwriting the /etc/nginx/nginx.conf

    envsubst '${API_HOST}' < /etc/nginx/conf.d/default.conf.template > /etc/nginx/nginx.conf 

In a Kubernetes setup with SCC restriction enabled, this file does not belong to the user that wants to overwrite it.
Therefore it gets an access denied, and the container crash.

I believe that in the Dockerfile, a simple chgrp 0 /etc/nginx/nginx.conf && chmod g+rwX /etc/nginx/nginx.conf would fix the issue.

Do you believe that such a merge request would be sufficient ?
Would you be open to accept it as a contribution to the project ?

[kaicode]

Yes, we would accept a PR for this. I recommend this fix instead:

# Allow arbitrary UIDs in SCC by granting group write
RUN chgrp -R 0 /etc/nginx && \
    chmod -R g+rwX /etc/nginx

This ensures any file under /etc/nginx is writable by the container process when running with a random UID in group 0. Apparently this is the standard OpenShift-compatible pattern.

[MatonAnthony]

Ok, I will schedule some time to propose the merge request tomorrow then !

Thanks for the quick feedback :)

[MatonAnthony]

Hi, I didn't forgot this. I encounter the following error which after investigation is not easy to fix at all.

2025/09/04 06:27:11 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

All the proposed fixes are unsatisfactory to me.
I identified 4 potential fixes

1. In the Dockerfile change the permissions of even more directories:
   RUN mkdir -p /var/cache/nginx/client_temp && chown -R 1001:0 /var/cache/nginx
2. Bind /var/cache/nginx to a Kubernetes empty_dir, which would allow the system to write its cache in it
3. Relax SCC permissions for this specific workload
4. Rebuild the image base on a RedHat image that has been configured to work with SCC.

I don't believe it's a reasonable burden to ask for the solution 1 on a project that doesn't rely on Openshift. And I'm guessing that after this, other directory will show up and it becomes an endless battle of how quick can I get my image to trouble.

We will investigate on our side what we can do.
Once we have a solution, we will be happy to share it, but I doubt it will include code changes on the repo.

[kaicode]

Okay, thanks for letting us know. Good luck in finding a solution!