Description
Is your feature request related to a problem? Please describe.
Security scanning tools (like Twistlock/Prisma Cloud) flag argo-events images for running as root user, which violates CIS Docker Benchmark 4.1 compliance requirements. Many organizations have security policies requiring non-root containers.
Currently, argo-events:v1.9.7 (and other versions) runs as root (UID 0), which:
- Violates CIS_Docker_v1.5.0 - 4.1 (Image should be created with a non-root user)
- Fails security compliance scans
- Increases attack surface in multi-tenant clusters
Describe the solution you'd like
Provide official non-root container images similar to argo-workflows, which offers:
quay.io/argoproj/argoexec:<version>-nonroot
Proposed solution for argo-events:
- Publish quay.io/argoproj/argo-events:<version>-nonroot images
- Run containers as non-root user (e.g., UID 10000 or 8737)
- Include in official release process
Describe alternatives you've considered
Current workarounds:
- Build custom images with non-root user (time-consuming, maintenance overhead)
- Use SecurityContext in Kubernetes to override (doesn't address base image compliance)
- Accept security compliance violations (not viable for regulated industries)
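The CIS Docker Benchmark 4.1 condition the scanners are checking is whether the image config names a non-root user, i.e. the `User` field that `docker image inspect --format '{{.Config.User}}' IMAGE` prints. The POSIX shell below is an added example for auditing that field, not code from the argo-events project or from the issue author. It is a standalone check: the sample inspect lines are constructed (the `example.invalid` image names are placeholders), and `audit_image_list` reads "IMAGE USER" pairs in the shape `docker image inspect --format '{{index .RepoTags 0}} {{.Config.User}}' IMAGE...` would emit, so a cluster operator can pipe real output into it.

```shell
#!/bin/sh
# Added example (not argo-events project code): audit CIS Docker Benchmark 4.1,
# "image should be created with a non-root user", from the image config's
# User field, which is what `docker image inspect --format '{{.Config.User}}'` prints.

# image_user_is_nonroot USER_FIELD
# Returns 0 when the User field names a non-root user, 1 when the image will
# start as root. Docker treats an empty User as root; "0" and "root" are root;
# an optional ":group" suffix (e.g. "0:0", "8737:8737") is ignored for this check.
image_user_is_nonroot() {
    user="${1%%:*}"          # drop the optional ":group" part
    case "$user" in
        ''|0|root) return 1 ;;
        *)         return 0 ;;
    esac
}

# audit_image_list
# Reads "IMAGE USER" lines on stdin (USER may be absent when the image config
# has no User set), prints one PASS/FAIL line per image and returns 1 if any
# image fails, so it can gate a CI job or release step.
audit_image_list() {
    rc=0
    while read -r image user; do
        [ -n "$image" ] || continue
        if image_user_is_nonroot "$user"; then
            printf 'PASS %s user=%s\n' "$image" "$user"
        else
            printf 'FAIL %s user=%s (CIS Docker 4.1: runs as root)\n' "$image" "${user:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not real inspect output). The first line mirrors
# the issue's description of v1.9.7: no User set, so the image runs as root.
sample_inspect_output() {
    cat <<'EOF'
quay.io/argoproj/argo-events:v1.9.7
example.invalid/app:named-root root
example.invalid/app:root-group 0:0
example.invalid/app:uid 8737
example.invalid/app:uid-gid 10000:10000
example.invalid/app:named-user nonroot
EOF
}

# Run the audit over the constructed sample:  sh cis41_check.sh --demo
# Exit status is 1 because three of the six sample images run as root.
main() {
    sample_inspect_output | audit_image_list
}

case "${1:-}" in
    --demo) main ;;
esac
```

Two points the check makes concrete. On the image side, the fix is a `USER` instruction with a non-root UID (the 8737 or 10000 the issue proposes), which is what populates `Config.User`; on the cluster side, a pod `securityContext` with `runAsNonRoot: true` and `runAsUser` changes the UID the process actually gets but leaves `Config.User` untouched, which is why the SecurityContext workaround above still fails an image-level scan.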
Additional context
- Argo Workflows already provides this: https://argo-workflows.readthedocs.io/en/latest/workflow-pod-security-context/
- Related issue for Argo Workflows: Improve security posture by running wait container as non-root argo-workflows#6895
- CIS Docker Benchmark reference: https://www.cisecurity.org/benchmark/docker
This would benefit:
- Organizations with strict security compliance requirements
- Multi-tenant Kubernetes clusters
- Industries requiring SOC2, ISO 27001, or similar certifications
Message from the maintainers:
If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.