
Make etcd world-executable in Docker image #79722

Merged
merged 5 commits into kubernetes:master from randomvariable:etcd-world-executable on Aug 12, 2019

Conversation

@randomvariable
Member

commented Jul 3, 2019

What type of PR is this?
/kind bug
/area security
/sig release
/sig cluster-lifecycle

What this PR does / why we need it:
Makes the etcd binaries in the Docker image world-executable, which allows consumers to drop running the image as root.

Which issue(s) this PR fixes:

Fixes #79720

Special notes for your reviewer:
Have added fixes to the Makefile to run on SELinux-enabled systems.

Does this PR introduce a user-facing change?:

etcd Docker image can be run as non-root
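Added example (not code from this PR or the kubernetes repository): a pre-build check that the staged binaries carry the "other" execute bit, which is the property that lets the image run under a non-root user. File names and the staging directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from this PR: verify that staged binaries are
# executable by "other", i.e. usable when the container does not run as root.

# other_exec FILE: succeed if "other" may execute FILE.
# Reads the mode string from `ls -ld` (position 10 is the other-execute flag,
# shown as x, or t when the sticky bit is also set) so it works with both
# GNU and busybox userlands.
other_exec() {
    mode="$(ls -ld "$1" 2>/dev/null | cut -c1-10)" || return 1
    case "$mode" in
        ?????????x|?????????t) return 0 ;;
        *) return 1 ;;
    esac
}

# check_world_exec DIR PATTERN...: check every regular file in DIR matching a
# pattern, report those lacking o+x, and return 1 if any is missing so the
# check can gate `docker build`.
check_world_exec() {
    dir="$1"; shift
    rc=0
    for pattern in "$@"; do
        for f in "$dir"/$pattern; do
            [ -f "$f" ] || continue
            if other_exec "$f"; then
                echo "ok          $f"
            else
                echo "MISSING o+x $f" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed demo: stage one binary with install -m 0755 (the approach the
# PR's Makefile moved to) and one as a bare 0644 copy; the second fails.
demo() {
    stage="$(mktemp -d)"
    printf '#!/bin/sh\necho etcd\n' > "$stage/etcd.src"
    install -m 0755 "$stage/etcd.src" "$stage/etcd"
    printf '#!/bin/sh\necho etcdctl\n' > "$stage/etcdctl"
    chmod 0644 "$stage/etcdctl"
    rm -f "$stage/etcd.src"
    check_world_exec "$stage" 'etcd*'
}
```

Note that the glob `etcd*` already covers `etcdctl*`, so one pattern is enough for both binaries.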
@randomvariable

Member Author

commented Jul 3, 2019

/assign @jpbetz

Review thread on cluster/images/etcd/Dockerfile (outdated; resolved)
etcd: Ensure etcd binaries are world executable
Signed-off-by: Naadir Jeewa <jeewan@vmware.com>

@randomvariable randomvariable force-pushed the randomvariable:etcd-world-executable branch from fd124e0 to b3f2902 Jul 3, 2019

etcd: Allow Makefile to be used on SELinux systems
Adds a check for SELinux and then adds the :z parameter to the volume
mounts in order to work on SELinux-enabled systems such as Fedora.

Signed-off-by: Naadir Jeewa <jeewan@vmware.com>
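The SELinux handling this commit describes, as an added example that is not the PR's Makefile: detect SELinux on the build host and append `:z` to bind-mount arguments only then. The `SELINUX_STATUS` override and the usage paths are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not the PR's Makefile: add :z to docker bind mounts only on
# SELinux hosts, so the container may read the mounted build tree on Fedora-
# style systems while non-SELinux hosts keep plain mounts.

# selinux_active: succeed when SELinux is Enforcing or Permissive.
# Prefers `getenforce`; falls back to the selinuxfs enforce file (assumed
# standard path). SELINUX_STATUS (an assumption for this demo) overrides
# detection, e.g. for testing.
selinux_active() {
    if [ -n "${SELINUX_STATUS:-}" ]; then
        status="$SELINUX_STATUS"
    elif command -v getenforce >/dev/null 2>&1; then
        status="$(getenforce 2>/dev/null)"
    elif [ -r /sys/fs/selinux/enforce ]; then
        return 0      # selinuxfs is only mounted when SELinux is enabled
    else
        return 1
    fi
    case "$status" in
        Enforcing|Permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# volume_arg HOST_DIR CONTAINER_DIR: print the value for `docker run -v`,
# with the :z relabel suffix added only when SELinux is active. Lowercase z
# relabels the content as shared between containers, which is what a build
# helper mount wants; :Z would make it private to a single container.
volume_arg() {
    if selinux_active; then
        printf '%s:%s:z' "$1" "$2"
    else
        printf '%s:%s' "$1" "$2"
    fi
}

# Usage sketch with constructed paths and image name:
# docker run --rm -v "$(volume_arg "$PWD" /go/src/app)" build-image make
```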

@randomvariable randomvariable force-pushed the randomvariable:etcd-world-executable branch from dc48576 to 3783aa5 Jul 3, 2019

@@ -16,4 +16,6 @@ FROM BASEIMAGE

EXPOSE 2379 2380 4001 7001
COPY etcd* etcdctl* /usr/local/bin/
RUN chmod +x /usr/local/bin/etcd* /usr/local/bin/etcdctl*
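Review bot: Prefer setting the execute bit on the host before `COPY` (for example with `install -m 0755` in the Makefile, as raised later in this thread) over the added `RUN chmod +x /usr/local/bin/etcd* /usr/local/bin/etcdctl*`: a `RUN` that changes metadata on files copied in by an earlier layer writes those files again into a new layer, so the image ends up carrying two copies of every binary, and the extra build step also complicates cross-building. Separately, `etcd*` already matches `etcdctl*` in both the `COPY` and the `chmod` lines, so the second pattern is redundant and can be dropped.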

@BenTheElder

BenTheElder Jul 3, 2019

Member

One more minor suggestion: isn't the executable bit preserved by COPY? Not using RUN makes cross-building simpler; I wonder if we can just ensure +x on the host before copying.

@randomvariable

randomvariable Jul 4, 2019

Author Member

Moved to using install in Makefile.

Note that chmod is used in /cluster/images/etcd-empty-dir-cleanup/Dockerfile which was not modified in this PR.

@BenTheElder

BenTheElder Jul 8, 2019

Member

SGTM :-)

randomvariable added some commits Jul 3, 2019

etcd: Ensure etcd binaries are world executable
Signed-off-by: Naadir Jeewa <jeewan@vmware.com>

@k8s-ci-robot k8s-ci-robot added size/M and removed size/S labels Jul 4, 2019

etcd: Add comment re: SELinux
Signed-off-by: Naadir Jeewa <jeewan@vmware.com>
@dims

Member

commented Jul 8, 2019

/uncc

@yliaog

Contributor

commented Jul 8, 2019

/assign @wenjiaswe

@neolit123

Member

commented Jul 8, 2019

/retest

@wenjiaswe

Contributor

commented Jul 9, 2019

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm label Jul 9, 2019

@wenjiaswe

Contributor

commented Jul 9, 2019

Defer to @jpbetz for approval.

@wenjiaswe

Contributor

commented Jul 9, 2019

/assign @jpbetz

@yastij

Member

commented Jul 12, 2019

/priority important-soon

@dims

Member

commented Jul 12, 2019

/milestone v1.16

@k8s-ci-robot k8s-ci-robot added this to the v1.16 milestone Jul 12, 2019

@justaugustus

Member

commented Jul 30, 2019

/lgtm
/approve

@justaugustus justaugustus added this to Review in progress in SIG Release Jul 30, 2019

@neolit123

Member

commented Aug 12, 2019

bump
@jpbetz, PTAL for approval on this change when you have the time.

@jpbetz

Contributor

commented Aug 12, 2019

/approve

@k8s-ci-robot

Contributor

commented Aug 12, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jpbetz, justaugustus, randomvariable, wenjiaswe


@k8s-ci-robot k8s-ci-robot merged commit 133f378 into kubernetes:master Aug 12, 2019

23 checks passed

cla/linuxfoundation: randomvariable authorized
pull-kubernetes-bazel-build: Job succeeded
pull-kubernetes-bazel-test: Job succeeded
pull-kubernetes-conformance-image-test: Skipped
pull-kubernetes-cross: Job succeeded
pull-kubernetes-dependencies: Job succeeded
pull-kubernetes-e2e-gce: Job succeeded
pull-kubernetes-e2e-gce-100-performance: Job succeeded
pull-kubernetes-e2e-gce-csi-serial: Skipped
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded
pull-kubernetes-e2e-gce-iscsi: Skipped
pull-kubernetes-e2e-gce-iscsi-serial: Skipped
pull-kubernetes-e2e-gce-storage-slow: Skipped
pull-kubernetes-godeps: Skipped
pull-kubernetes-integration: Job succeeded
pull-kubernetes-kubemark-e2e-gce-big: Job succeeded
pull-kubernetes-local-e2e: Skipped
pull-kubernetes-node-e2e: Job succeeded
pull-kubernetes-node-e2e-containerd: Job succeeded
pull-kubernetes-typecheck: Job succeeded
pull-kubernetes-verify: Job succeeded
pull-publishing-bot-validate: Skipped
tide: In merge pool

SIG Release automation moved this from Review in progress to Done (1.16) Aug 12, 2019

@randomvariable randomvariable deleted the randomvariable:etcd-world-executable branch Aug 12, 2019
