feature request: support running fluent bit as non-root/not UID 0

[oridool]

Describe the question/issue

Our image scanning tool reports about potential risk with this image.
It appears that it is running with root user. Plus, it also uses 'hostPath' in the DaemonSet configuration.
Both things together are considered as a high risk.
Can the image be built with another non-privileged user?
Or even better, build it from distroless image ?

Configuration

DaemonSet configuration according to the AWS docs for Container Insights:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html

yaml:
kubectl apply -f https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/fluent-bit/fluent-bit.yaml

Fluent Bit Version Info

aws-for-fluent-bit:2.28.0

Steps to reproduce issue

C:\>kubectl exec fluent-bit-dphbz -- id
uid=0(root) gid=0(root) groups=0(root)

Related Issues

[PettitWesley]

We choose to use Amazon Linux as our base image because Amazon maintains and patches Amazon Linux and that makes it easy for this distro to stay up to date and be easily supported by Amazon Support/engineers.

Our understanding is that making Fluent Bit UID 0/root inside the container is considered to be safe by many customers. You can restrict what the container can access and do using normal container controls. In addition, some use cases require the Fluent Bit process to be UID 0. For example, if you are using the fluentd docker log driver with a unix socket, and Docker is running as UID 0, then any process that needs to read from the socket must also be UID 0. This is because unix sockets use file write permissions IIRC, which means that to read from a socket created by Docker, you need to be the same user ID or in the same group ID.

We are taking this as a feature request to enable running AWS for Fluent Bit as non-UID 0/root within the container as an option.

[ed4wg]

I would love to see this as an option.

Here's a great reason not to run as root. Seems to fit the points here, but i haven't tested it to verify.
https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts

[oridool]

We are taking this as a feature request to enable running AWS for Fluent Bit as non-UID 0/root within the container as an option.

Thanks @PettitWesley . Is there a place where we can see the timeline/status for adding this enhancement? Can you estimate when it will be available?

[gautam-nutalapati]

Is this feature request still blocked or in works?
Is it possible to run fluent-bit as non-root user as of today?