tomcat containers exec kubectl

Restrict login access to the container


I have a container with the base image "tomcat:9.0.87".

We are supposed to restrict the login access (kubectl exec) into the container. We are able to log in to the container with shell and bash commands.

I removed sh login by removing "sh" from the Dockerfile, but the same doesn't work when I remove /bin/bash.

Below is the Dockerfile:

FROM public.int.repositories.cloud.sap/tomcat:9.0.87 as deploy
COPY --from=build /cdi-web/target/cdi-web.war /usr/local/tomcat/webapps
RUN rm -rf /bin/sh /bin/dash /bin/bash
EXPOSE 8080
CMD ["catalina.sh", "run"] 

Any suggestions?

I tried to remove bash from the image using the below command:

RUN rm -rf /bin/sh /bin/dash /bin/bash

after which the pod itself is not getting created.

I get the below error when I describe the pod:

Back-off restarting failed container <containername> in pod <podname>

Pod logs:

/usr/bin/env: ‘bash’: No such file or directory

Solution

  • CMD ["catalina.sh", "run"]

    This is likely a shell script with a shebang that invokes bash.

    If you remove bash, this script that relies on bash cannot run, so the container cannot start.
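The dependency described in the answer can be checked before an interpreter is deleted. The following is an added example, not part of the original question or answer: it lists every script under a directory whose shebang resolves to one of the named interpreters. The function names and the sample tree (including the `#!/usr/bin/env bash` line given to the sample `catalina.sh`, inferred from the pod log) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list scripts that would break
# if an interpreter such as bash were deleted from an image.

# Print the interpreter named on a file's shebang line (empty if none).
# Handles "#!/bin/bash" as well as "#!/usr/bin/env bash" and "env -S bash".
shebang_interp() {
    file=$1
    [ "$(head -c 2 "$file" 2>/dev/null)" = '#!' ] || return 0
    IFS= read -r first < "$file" || true      # "|| true": file may lack a final newline
    first=${first%"$(printf '\r')"}           # tolerate CRLF line endings
    set -f; set -- ${first#'#!'}; set +f      # split into words without globbing
    [ $# -gt 0 ] || return 0
    if [ "${1##*/}" = env ]; then
        shift
        while [ $# -gt 0 ]; do                # skip env options like -S
            case $1 in -*) shift ;; *) break ;; esac
        done
        [ $# -gt 0 ] || return 0
    fi
    printf '%s\n' "${1##*/}"
}

# scripts_needing ROOT NAME...: print "path<TAB>interpreter" for every regular
# file under ROOT whose shebang interpreter is one of NAME...
scripts_needing() {
    root=$1; shift
    find "$root" -type f | sort | while IFS= read -r f; do
        interp=$(shebang_interp "$f")
        for want in "$@"; do
            if [ "$interp" = "$want" ]; then printf '%s\t%s\n' "$f" "$interp"; fi
        done
    done
}

# Constructed sample tree standing in for an unpacked image filesystem.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/tomcat/bin" "$d/opt"
    printf '#!/usr/bin/env bash\necho start\n' > "$d/usr/local/tomcat/bin/catalina.sh"
    printf '#!/bin/sh\necho hi\n'              > "$d/opt/hook.sh"
    printf '#!/usr/bin/python3\nprint(1)\n'    > "$d/opt/tool.py"
    printf 'no shebang here\n'                 > "$d/opt/readme.txt"
    printf '%s\n' "$d"
}
```

Running `scripts_needing <unpacked-rootfs> bash sh dash` against the image's filesystem shows which entrypoint and helper scripts must be replaced before the `rm -rf /bin/sh /bin/dash /bin/bash` step can succeed without breaking container start.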