
Modify containers according to OpenShift best practices for enhanced security

Summary

Deployment on OpenShift is barely possible because the current recommendation (granting anyuid for container execution) is a security problem.

Current behavior

Anyuid needs to be granted to the service account or, even worse, to the whole OpenShift cluster.

Expected behavior

Containers are built in a more secure way, following the Red Hat best practices for building containers that can run on any (including hardened) Kubernetes/OpenShift cluster.

The image build guidelines are documented here: https://docs.openshift.com/container-platform/4.4/openshift_images/create-images.html#images-create-guide-openshift_create-images

Especially the section on supporting arbitrary user IDs is essential, as it solves a large part of the problem of running GitLab on OpenShift.

Key Points

Summarizing key points of the post on the RH Developer Blog and of Creating Images (from the OpenShift 4.5 docs)

Containers:

  • UID will be random, but a USER entry should be present in the Dockerfile.
  • GID will always be 0
  • Application files should be chgrp -R 0 /srv/gitlab/.... This is particularly important for writable files/paths.
    • Consider setting all chown calls to chown -R UID:0 ...
  • Group permissions are what matter, so the "easy" way is to copy the user permissions to the group (chmod -R g=u).
    • The effective user mask (umask) of an application's write behavior is very important.
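The build-time steps above (chgrp -R 0, chmod -R g=u) and a runtime identity check, as an added shell example that is not part of this issue or of the GitLab charts. It assumes GNU coreutils (stat -c), as found in RHEL/UBI-based images; fix_group_perms is the step you would run in a Dockerfile RUN line, the audit functions find paths that would break under a random UID.

```shell
# Apply the recommended fix at image build time, e.g. after COPY in a Dockerfile:
#   RUN fix_group_perms /srv/gitlab
fix_group_perms() {
    chgrp -R 0 "$1" && chmod -R g=u "$1"
}

# Report paths whose group permission bits differ from the owner bits.
# Under a random UID the process is never the file owner, so only the
# group bits count; these paths are the ones that break at runtime.
audit_group_mode() {
    find "$1" -print | while IFS= read -r path; do
        mode=$(stat -c '%a' "$path")          # e.g. 750, 4755
        bits=$(printf '%s' "$mode" | tail -c 3) # owner/group/other digits
        owner=$(printf '%s' "$bits" | cut -c1)
        group=$(printf '%s' "$bits" | cut -c2)
        [ "$owner" = "$group" ] || printf '%s\n' "$path"
    done
}

# Report paths not group-owned by GID 0 (root), the group every OpenShift
# container runs with regardless of the UID it was assigned.
audit_group_owner() {
    find "$1" -print | while IFS= read -r path; do
        [ "$(stat -c '%g' "$path")" = "0" ] || printf '%s\n' "$path"
    done
}

# Entrypoint self-check: the process runs with GID 0 and can write its data dir.
# Returns 0 when both hold, 1 otherwise.
check_runtime_identity() {
    [ "$(id -g)" = "0" ] && [ -w "$1" ]
}
```

Run audit_group_mode and audit_group_owner against the image filesystem in CI; an empty result for both means the image no longer needs anyuid for file access.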

Charts:

  • Don't render securityContext.runAs{User,Group}
  • All containers in OpenShift use the same UID, so running an initContainer as root is not acceptable.
Edited by Jason Plum