diff --git a/bento-downloader/Dockerfile b/container_images/bento-downloader/Dockerfile
similarity index 72%
rename from bento-downloader/Dockerfile
rename to container_images/bento-downloader/Dockerfile
index 868d137..5b58609 100644
--- a/bento-downloader/Dockerfile
+++ b/container_images/bento-downloader/Dockerfile
@@ -11,3 +11,13 @@ RUN curl https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud
 && tar -xf google-cloud-cli-410.tar.gz \
 && ./google-cloud-sdk/install.sh \
 && rm google-cloud-cli-410.tar.gz
+
+ARG USERNAME=yetone
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
+# Create the user
+RUN groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+
+USER $USER_UID:$USER_GID
diff --git a/bento-downloader/Makefile b/container_images/bento-downloader/Makefile
similarity index 54%
rename from bento-downloader/Makefile
rename to container_images/bento-downloader/Makefile
index 0e6178c..1cdc94e 100644
--- a/bento-downloader/Makefile
+++ b/container_images/bento-downloader/Makefile
@@ -1,4 +1,4 @@
-IMAGE := quay.io/bentoml/bento-downloader:0.0.1
+IMAGE := quay.io/bentoml/bento-downloader:0.0.3
 
 build:
 docker build -t ${IMAGE} .
diff --git a/container_images/buildah/Dockerfile b/container_images/buildah/Dockerfile
new file mode 100644
index 0000000..09a06a3
--- /dev/null
+++ b/container_images/buildah/Dockerfile
@@ -0,0 +1,16 @@
+FROM quay.io/buildah/stable:v1.23.1
+
+ARG BENTO_USER_UID=1034
+ARG BENTO_USER_GID=1034
+
+RUN touch /etc/subgid /etc/subuid \
+ && chmod g=u /etc/subgid /etc/subuid /etc/passwd \
+ && echo build:$BENTO_USER_UID:$BENTO_USER_GID > /etc/subuid \
+ && echo build:$BENTO_USER_UID:$BENTO_USER_GID > /etc/subgid
+
+# Use chroot since the default runc does not work when running rootless
+RUN echo "export BUILDAH_ISOLATION=chroot" >> /home/build/.bashrc
+
+USER $BENTO_USER_UID:$BENTO_USER_GID
+WORKDIR /home/build
+
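Review bot: `USER $USER_UID:$USER_GID` is the only thing that makes the operator's new `RunAsNonRoot: true` (which it sets without a `RunAsUser`) satisfiable for this image, because the kubelet's runAsNonRoot check can only validate a numeric UID in the image config; nothing in the Dockerfile records that, so a later switch to `USER $USERNAME` would fail at container start rather than at build time. Add `# Keep USER numeric: Kubernetes runAsNonRoot cannot verify a username` above the `USER` line. The default `USERNAME=yetone` looks like a personal handle; a role name such as `bento` would match the new buildah image's naming. The unchanged `curl`/`tar` install above still verifies no checksum for the gcloud tarball — outside this hunk, but worth a follow-up now that the image is being hardened.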
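Review bot: The third field of `/etc/subuid` and `/etc/subgid` is a range length, not a GID, so `echo build:$BENTO_USER_UID:$BENTO_USER_GID > /etc/subuid` grants user `build` 1034 subordinate IDs starting at 1034 — a range that overlaps the UID the container itself runs as and is far too small for a rootless user namespace; something like `build:100000:65536` in both files is the usual shape. The entries are keyed on the name `build`, yet `USER $BENTO_USER_UID:$BENTO_USER_GID` starts the process as UID 1034 and nothing here adds that UID to `/etc/passwd` (the `chmod g=u /etc/passwd` only makes the file group-writable), so buildah may find no subordinate range at all at runtime; confirm which UID the base image's `build` account actually has. `export BUILDAH_ISOLATION=chroot` is appended to `~/.bashrc`, which only an interactive bash reads — a pod command such as `buildah bud ...` or `sh -c ...` will not source it and buildah will fall back to the isolation the comment says is broken; use `ENV BUILDAH_ISOLATION=chroot` instead. Consider pinning `quay.io/buildah/stable:v1.23.1` by digest as well, since the tag is mutable.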
diff --git a/container_images/buildah/Makefile b/container_images/buildah/Makefile
new file mode 100644
index 0000000..81a1b3f
--- /dev/null
+++ b/container_images/buildah/Makefile
@@ -0,0 +1,5 @@
+IMAGE := quay.io/bentoml/bentoml-buildah:0.0.1
+
+build:
+ docker build -t ${IMAGE} .
+ docker push ${IMAGE}
diff --git a/controllers/resources/bentorequest_controller.go b/controllers/resources/bentorequest_controller.go
index 47b5043..b3ea8dd 100644
--- a/controllers/resources/bentorequest_controller.go
+++ b/controllers/resources/bentorequest_controller.go
@@ -1200,6 +1200,17 @@ echo "Done"
 })
 }
 
+ restrictedSecurityContext := &corev1.SecurityContext{
+ AllowPrivilegeEscalation: pointer.BoolPtr(false),
+ RunAsNonRoot: pointer.BoolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ }
+
 initContainers := []corev1.Container{
 {
 Name: "bento-downloader",
@@ -1209,9 +1220,10 @@ echo "Done"
 "-c",
 bentoDownloadCommand,
 },
- VolumeMounts: volumeMounts,
- Resources: downloaderContainerResources,
- EnvFrom: downloaderContainerEnvFrom,
+ VolumeMounts: volumeMounts,
+ Resources: downloaderContainerResources,
+ EnvFrom: downloaderContainerEnvFrom,
+ SecurityContext: restrictedSecurityContext,
 },
 }
 
@@ -1329,9 +1341,10 @@ echo "Done"
 "-c",
 modelDownloadCommand,
 },
- VolumeMounts: volumeMounts,
- Resources: downloaderContainerResources,
- EnvFrom: downloaderContainerEnvFrom,
+ VolumeMounts: volumeMounts,
+ Resources: downloaderContainerResources,
+ EnvFrom: downloaderContainerEnvFrom,
+ SecurityContext: restrictedSecurityContext,
 })
 }
 
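Review bot: `restrictedSecurityContext` sets `RunAsNonRoot: true` but no `RunAsUser`, which quietly makes correctness depend on every downloader image declaring a numeric `USER`; that contract belongs in a comment on the declaration, e.g. `// RunAsUser is intentionally unset: the downloader images declare a numeric USER, which is what runAsNonRoot verifies.` `ReadOnlyRootFilesystem` is not set; if the downloader only writes into its volume mounts it is a cheap hardening step, but the gcloud CLI installed in that image may write under $HOME, so verify before adding it. The enclosing function starts and ends outside the hunk.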
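Review bot: `SecurityContext: restrictedSecurityContext` stores the same `*corev1.SecurityContext` pointer as the bento-downloader container in the hunk above, while the buildkit-rootless branch further down this function takes `restrictedSecurityContext.DeepCopy()`; the two init containers therefore alias one struct, and any later per-container adjustment (a `RunAsUser` for one image, say) would silently apply to both. For consistency and to rule out that footgun, use `SecurityContext: restrictedSecurityContext.DeepCopy(),` in both init containers. The enclosing function starts and ends outside the hunk.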
@@ -1488,14 +1501,11 @@ echo "Done"
 Privileged: pointer.BoolPtr(true),
 }
 } else if buildEngine == BentoImageBuildEngineBuildkitRootless {
- kubeAnnotations["container.apparmor.security.beta.kubernetes.io/builder"] = "unconfined"
- builderContainerSecurityContext = &corev1.SecurityContext{
- SeccompProfile: &corev1.SeccompProfile{
- Type: corev1.SeccompProfileTypeUnconfined,
- },
- RunAsUser: pointer.Int64Ptr(1000),
- RunAsGroup: pointer.Int64Ptr(1000),
+ kubeAnnotations["container.apparmor.security.beta.kubernetes.io/builder"] = "runtime/default"
+ for _, container := range initContainers {
+ kubeAnnotations[fmt.Sprintf("container.apparmor.security.beta.kubernetes.io/%s", container.Name)] = "runtime/default"
 }
+ builderContainerSecurityContext = restrictedSecurityContext.DeepCopy()
 }
 
 // add build args to pass via --build-arg
@@ -1614,6 +1624,12 @@ echo "Done"
 Containers: []corev1.Container{
 container,
 },
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsNonRoot: pointer.BoolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 }
 
diff --git a/go.mod b/go.mod
index 293cd4f..9f2067f 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.18
 
 require (
 github.com/aws/aws-sdk-go v1.44.152
- github.com/bentoml/yatai-common v0.0.0-20230108151027-0a54d02e79b1
+ github.com/bentoml/yatai-common v0.0.0-20230109041943-798ca210a16d
 github.com/bentoml/yatai-schemas v0.0.0-20221123041958-d3ff9b721451
 github.com/huandu/xstrings v1.3.2
 github.com/iancoleman/strcase v0.2.0
diff --git a/go.sum b/go.sum
index 8363012..f26eb36 100644
--- a/go.sum
+++ b/go.sum
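Review bot: Switching the rootless buildkit builder from `unconfined` AppArmor / `Unconfined` seccomp to `runtime/default` plus a `Drop: ALL`, `AllowPrivilegeEscalation: false` context is a real behaviour change that the hunk leaves undocumented: rootless buildkitd has to create a user namespace and mount overlay and proc inside it, and whether the runtime's default seccomp and AppArmor profiles allow that varies with the containerd/CRI-O version (upstream buildkit's rootless examples, as far as I recall, still use unconfined, as the removed lines did). Add a comment on the `"runtime/default"` line naming the runtime versions this was verified on, or keep an opt-out, because the e2e test in this same commit also stops deleting BentoRequests and a broken build would be easy to miss. The key `container.apparmor.security.beta.kubernetes.io/<container>` only takes effect on the Pod's metadata, so the loop over `initContainers` assumes `kubeAnnotations` ends up there — its construction, and the rest of this function, are outside the hunk.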
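Review bot: The pod-level `RunAsNonRoot: true` now applies to every build engine, but the privileged buildkit branch visible at the top of the previous hunk gives the builder container a SecurityContext with only `Privileged: true`; since a container context overrides the pod context only for the fields it sets, an image whose USER is root would be refused at start with "container has runAsNonRoot and image will run as root" unless that branch (or the kaniko one — both begin outside this hunk) also sets `RunAsNonRoot: false`. Either apply this `PodSecurityContext` only when `buildEngine == BentoImageBuildEngineBuildkitRootless`, or add `RunAsNonRoot: pointer.BoolPtr(false)` to the privileged branch's context so the exception is explicit and reviewable. The pod-level `RuntimeDefault` seccomp profile has the same reach, and the privileged builder will inherit it unless it overrides.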
@@ -77,8 +77,8 @@ github.com/aws/aws-sdk-go v1.44.152 h1:L9aaepO8wHB67gwuGD8VgIYH/cmQDxieCt7FeLa0+
 github.com/aws/aws-sdk-go v1.44.152/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
-github.com/bentoml/yatai-common v0.0.0-20230108151027-0a54d02e79b1 h1:VgN2DLopHoMaEVOiD8J4bZO0L1BGXLRSmNSs7GkfbHo=
-github.com/bentoml/yatai-common v0.0.0-20230108151027-0a54d02e79b1/go.mod h1:pox0XYk/bVUwKkadn0XwWHEbJmxSEeN3+HwGA4a8uOQ=
+github.com/bentoml/yatai-common v0.0.0-20230109041943-798ca210a16d h1:r+iumKOD+Ri4u2NggQYudjQurIYN2Rs0nOW48faSt9E=
+github.com/bentoml/yatai-common v0.0.0-20230109041943-798ca210a16d/go.mod h1:pox0XYk/bVUwKkadn0XwWHEbJmxSEeN3+HwGA4a8uOQ=
 github.com/bentoml/yatai-schemas v0.0.0-20221123041958-d3ff9b721451 h1:FNxCbN61Ev8ea6BXzlfmRUT5CYNmqlOv8zDRGs8ufVE=
 github.com/bentoml/yatai-schemas v0.0.0-20221123041958-d3ff9b721451/go.mod h1:q7tt064G8YIiAwQabKyVaKEdSIHYDQA9Oyt+kyCsflU=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
diff --git a/helm/yatai-image-builder/values.yaml b/helm/yatai-image-builder/values.yaml
index 3f1fa1e..64ace72 100644
--- a/helm/yatai-image-builder/values.yaml
+++ b/helm/yatai-image-builder/values.yaml
@@ -27,16 +27,16 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
- # fsGroup: 2000
+podSecurityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 
 service:
 type: ClusterIP
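Review bot: `podSecurityContext.runAsNonRoot: true` is set without `runAsUser`, so it only holds if the operator image declares a numeric USER; a short comment above it saying so (and that `runAsUser` must be set if a custom image does not) would spare operators an "image will run as root" failure at upgrade time. `readOnlyRootFilesystem: true`, which the removed template hinted at, is absent from the new `securityContext`; if the manager writes nothing outside /tmp it is a cheap addition, so confirm and add it. Leaving `seccompProfile` at pod level only is fine, since containers inherit it.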
@@ -96,7 +96,7 @@ aws:
 secretAccessKeyExistingSecretKey: ''
 
 internalImages:
- bentoDownloader: quay.io/bentoml/bento-downloader:0.0.1
+ bentoDownloader: quay.io/bentoml/bento-downloader:0.0.3
 kaniko: quay.io/bentoml/kaniko:1.9.1
 buildkit: quay.io/bentoml/buildkit:master
 buildkitRootless: quay.io/bentoml/buildkit:master-rootless
diff --git a/tests/e2e/e2e_test.go b/tests/e2e/e2e_test.go
index 6dea091..545782f 100644
--- a/tests/e2e/e2e_test.go
+++ b/tests/e2e/e2e_test.go
@@ -49,9 +49,9 @@ var _ = Describe("yatai-image-builder", Ordered, func() {
 cmd = exec.Command("kubectl", "-n", "yatai-image-builder", "logs", "--tail", "200", "-l", "app.kubernetes.io/name=yatai-image-builder")
 logs, _ = utils.Run(cmd)
 fmt.Println(string(logs))
- By("Cleaning up BentoRequest resources")
- cmd = exec.Command("kubectl", "delete", "-f", "tests/e2e/example.yaml")
- _, _ = utils.Run(cmd)
+ // By("Cleaning up BentoRequest resources")
+ // cmd = exec.Command("kubectl", "delete", "-f", "tests/e2e/example.yaml")
+ // _, _ = utils.Run(cmd)
 })
 
 Context("BentoRequest Operator", func() {
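Review bot: Commenting out the `kubectl delete -f tests/e2e/example.yaml` cleanup leaves BentoRequest objects, and the image-build pods they create, in the cluster after every run, and the hunk gives no reason; if the aim is to keep artifacts for debugging, gate it rather than leaving dead code, e.g. `if os.Getenv("E2E_KEEP_RESOURCES") == "" { By("Cleaning up BentoRequest resources"); cmd = exec.Command("kubectl", "delete", "-f", "tests/e2e/example.yaml"); _, _ = utils.Run(cmd) }` (needs `os` imported), with a comment explaining the variable. Otherwise restore the three lines. The enclosing callback starts outside the hunk.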