strimzi user has root group in operator container

[RafaelOm]

Describe the bug
strimzi user is created in the root group instead of its own group.

strimzi-kafka-operator/docker-images/operator/Dockerfile

Line 7 in 20efd44

RUN useradd -r -m -u 1001 -g 0 strimzi

Expected behavior
Create a strimzi group and make user belongs to it.

RUN set -eux; \
  groupadd -g 1001 strmzi; \
  useradd -r -m -u 1001 -g 1001 strimzi;

Environment :

• Strimzi version: 0.31.1
• Installation method: Helm chart
• Kubernetes cluster:1.20
• Infrastructure: Kubernetes

Additional context
This is a security concern for our deployments, since we avoid running processes with root permissions.
Having a non root user should not represent an issue with volumes if the security context is declared correctly

spec:
  securityContext:
    runAsUser: 1001
    runAsGroup: 1001
    fsGroup: 1001

I did a quick test rebuilding the image with the right security context, like above, everything works as expected

bash-4.4$ id 
uid=1001(strimzi) gid=1001(strmzi) groups=1001(strmzi)
bash-4.4$ ls -l /tmp/
total 0
drwxr-sr-x. 2 strimzi strmzi 60 Feb 14 15:03 hsperfdata_strimzi
drwx--S---. 2 strimzi strmzi 40 Feb 14 15:03 vertx-cache-a55bcc3c-c2ca-4a8c-bc16-7ef63888637e
bash-4.4$ touch /tmp/testfile
bash-4.4$ echo test >> /tmp/testfile 
bash-4.4$ echo test >> /tmp/testfile 
bash-4.4$ echo test >> /tmp/testfile 
bash-4.4$ cat /tmp/testfile 
test
test
test
bash-4.4$

I can make a pull request if you prefer

[scholzj]

AFAIK, group 0 is not the same as user 0. It has no root powers or anything like that. If you want, you can anyway configure the security context the way you want.

[xr09]

True, group 0 is not the same as user 0, but is not required either, it doesn't follow the principle of least privilege. Why reusing it when best practices dictates to create a new group?

Most official Docker images create their own group.

Postgres Docker image: https://github.com/docker-library/postgres/blob/master/15/bullseye/Dockerfile#L21
Nginx: https://github.com/nginxinc/docker-nginx/blob/master/stable/debian/Dockerfile#L16
Zalando Postgres operator: https://github.com/zalando/postgres-operator/blob/master/docker/Dockerfile#L10

[scholzj]

We cannot come and change the different settings every time someone comes and says he doesn't like the number for no reason. So you should start by explaining by what is wrong with it. The group 0 is what is commonly used for the storage permissions and makes persistent storage work in most cases without any additional actions. So these are the actual advantages. Now, what are the actual issues?

As I said, you can anyway customize this through the security context any way you want if you prefer a different number.