From 715f09f2d7c3a8d8b858141d6217fda1eb8c6986 Mon Sep 17 00:00:00 2001
From: Bryce Palmer
Date: Wed, 15 Feb 2023 15:44:50 -0500
Subject: [PATCH 1/4] add images for scorecard untar and storage
Signed-off-by: Bryce Palmer
---
 images/scorecard-storage/Dockerfile | 12 ++++++++++++
 images/scorecard-untar/Dockerfile | 12 ++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 images/scorecard-storage/Dockerfile
 create mode 100644 images/scorecard-untar/Dockerfile
diff --git a/images/scorecard-storage/Dockerfile b/images/scorecard-storage/Dockerfile
new file mode 100644
index 00000000000..eae0c8882a2
--- /dev/null
+++ b/images/scorecard-storage/Dockerfile
@@ -0,0 +1,12 @@
+FROM docker.io/busybox:1.36
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+ USER_NAME=scorecard-untar \
+ USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}
\ No newline at end of file
diff --git a/images/scorecard-untar/Dockerfile b/images/scorecard-untar/Dockerfile
new file mode 100644
index 00000000000..a6f72053748
--- /dev/null
+++ b/images/scorecard-untar/Dockerfile
@@ -0,0 +1,12 @@
+FROM registry.access.redhat.com/ubi8:8.7
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+ USER_NAME=scorecard-untar \
+ USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}
From fe984e057590f3ef50f7189b6003200f827077df Mon Sep 17 00:00:00 2001
From: Bryce Palmer
Date: Thu, 23 Feb 2023 16:22:11 -0500
Subject: [PATCH 2/4] Add new images for scorecard and use them as the default untar and storage images to ensure that scorecard pods are fully compliant with restricted PSA. This is done by making the images run as non-root by default (sets the user to non-root in the Dockerfile) fixes #6295
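Review bot: The storage image's ENV block sets `HOME=/opt/scorecard-untar \` and `USER_NAME=scorecard-untar \`, which appears copied from the untar Dockerfile in the next hunk, so the storage container's passwd entry and WORKDIR carry the other image's name; I would change those two values to `HOME=/opt/scorecard-storage \` and `USER_NAME=scorecard-storage \` (PATCH 4/4 touches this file again but keeps the same values). Separately, both Dockerfiles pin their base only by a mutable tag (busybox:1.36 here, ubi8:8.7 in the untar image), so the content of a published scorecard image can change between CI runs without any change in this repository; a digest pin such as `FROM docker.io/busybox:1.36@sha256:<base-digest>` (placeholder) keeps the build reproducible and auditable. The numeric `USER ${USER_UID}` is the right choice, since the kubelet can only verify runAsNonRoot against a numeric UID and the pod spec change in PATCH 2/4 stops setting one.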
Signed-off-by: Bryce Palmer
---
 .github/workflows/deploy.yml | 2 +-
 Makefile | 2 +-
 internal/cmd/operator-sdk/scorecard/cmd.go | 4 ++--
 internal/scorecard/scorecard.go | 2 --
 4 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 338531881a2..fdf26617a18 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -72,7 +72,7 @@ jobs:
 environment: deploy
 strategy:
 matrix:
- id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview"]
+ id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview", "scorecard-storage", "scorecard-untar"]
 steps:
 - name: set up qemu
diff --git a/Makefile b/Makefile
index 008ea2738d9..234e3372c4d 100644
--- a/Makefile
+++ b/Makefile
@@ -92,7 +92,7 @@ build/scorecard-test build/scorecard-test-kuttl build/custom-scorecard-tests:
 # Convenience wrapper for building all remotely hosted images.
 .PHONY: image-build
-IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl
+IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl scorecard-untar scorecard-storage
 image-build: $(foreach i,$(IMAGE_TARGET_LIST),image/$(i)) ## Build all images.
 # Convenience wrapper for building dependency base images.
diff --git a/internal/cmd/operator-sdk/scorecard/cmd.go b/internal/cmd/operator-sdk/scorecard/cmd.go
index 13b21138789..47cfdc369c9 100644
--- a/internal/cmd/operator-sdk/scorecard/cmd.go
+++ b/internal/cmd/operator-sdk/scorecard/cmd.go
@@ -91,10 +91,10 @@ If the argument holds an image tag, it must be present remotely.`,
 scorecardCmd.Flags().DurationVarP(&c.waitTime, "wait-time", "w", 30*time.Second,
 "seconds to wait for tests to complete. Example: 35s")
 scorecardCmd.Flags().StringVarP(&c.storageImage, "storage-image", "b",
-"docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af",
+"docker.io/bpalmer/scorecard-storage:dev",
 "Storage image to be used by the Scorecard pod")
 scorecardCmd.Flags().StringVarP(&c.untarImage, "untar-image", "u",
-"registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7",
+"docker.io/bpalmer/scorecard-untar:dev",
 "Untar image to be used by the Scorecard pod")
 scorecardCmd.Flags().StringVarP(&c.testOutput, "test-output", "t", "test-output",
 "Test output directory.")
diff --git a/internal/scorecard/scorecard.go b/internal/scorecard/scorecard.go
index 82d739be17b..8656fbfda07 100644
--- a/internal/scorecard/scorecard.go
+++ b/internal/scorecard/scorecard.go
@@ -227,8 +227,6 @@ func (r PodTestRunner) RunTest(ctx context.Context, test v1alpha3.TestConfigurat
 // creating a pod security context to support running in default namespace
 podSecCtx := v1.PodSecurityContext{}
 podSecCtx.RunAsNonRoot = &podSec
-podSecCtx.RunAsUser = &[]int64{1000}[0]
-podSecCtx.RunAsGroup = &[]int64{1000}[0]
 podSecCtx.SeccompProfile = &v1.SeccompProfile{
 Type: v1.SeccompProfileTypeRuntimeDefault,
 }
From 4ce0939ba063632a7b1a4548b7ef7927437d4a17 Mon Sep 17 00:00:00 2001
From: Bryce Palmer
Date: Thu, 23 Feb 2023 17:11:51 -0500
Subject: [PATCH 3/4] update images & docs;add changelog
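Review bot: The new defaults on the `+` lines replace digest-pinned references (`docker.io/library/busybox@sha256:…`, `registry.access.redhat.com/ubi8@sha256:…`) with mutable tags, first `docker.io/bpalmer/…:dev` here and then `quay.io/operator-framework/…:latest` in the cmd.go and cmd_test.go hunks of PATCH 3/4, so the images a scorecard pod pulls are no longer fixed by the SDK build and can change, or be swapped out at the registry, without any code change. The intermediate `bpalmer/…:dev` values also point at a personal Docker Hub namespace, which a bisect landing on this commit would pull. I would publish the new images under a version tag that the release process bumps, or keep a digest, e.g. `"quay.io/operator-framework/scorecard-storage:<sdk-version>"` (placeholder), and update cmd_test.go and the generated docs to match. A short comment above the flag, `// Default images must run as a numeric non-root USER: the scorecard pod sets runAsNonRoot without runAsUser.`, would tell the next editor why the image choice is constrained.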
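Review bot: Dropping `RunAsUser`/`RunAsGroup` while keeping `podSecCtx.RunAsNonRoot = &podSec` moves the UID decision into each image, and the kubelet refuses to start a container whose image USER is root or non-numeric, so a user-supplied `--storage-image` or `--untar-image` built without a numeric non-root `USER` now fails at pod start instead of being forced to 1000 as before. I would record that at the removal point, `// No RunAsUser/RunAsGroup: each image's USER must be a numeric non-root UID for RunAsNonRoot to be admitted.`, and state the same requirement in the help text of the two image flags. Whether the test container in the same pod spec is affected in the same way cannot be seen from this hunk. RunTest's body starts and continues outside the hunk.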
Signed-off-by: Bryce Palmer
---
 .../fragments/03-scorecard-image-psa.yaml | 18 ++++++++++++++++++
 internal/cmd/operator-sdk/scorecard/cmd.go | 4 ++--
 .../cmd/operator-sdk/scorecard/cmd_test.go | 4 ++--
 .../en/docs/cli/operator-sdk_scorecard.md | 4 ++--
 4 files changed, 24 insertions(+), 6 deletions(-)
 create mode 100644 changelog/fragments/03-scorecard-image-psa.yaml
diff --git a/changelog/fragments/03-scorecard-image-psa.yaml b/changelog/fragments/03-scorecard-image-psa.yaml
new file mode 100644
index 00000000000..af142f529c9
--- /dev/null
+++ b/changelog/fragments/03-scorecard-image-psa.yaml
@@ -0,0 +1,18 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+ - description: >
+ (scorecard): update default storage and untar images to images
+ that run as non-root users by default. This ensures full compliance
+ with restricted PSA guidelines when using `--pod-security=restricted`.
+
+ # kind is one of:
+ # - addition
+ # - change
+ # - deprecation
+ # - removal
+ # - bugfix
+ kind: "bugfix"
+
+ # Is this a breaking change?
+ breaking: false
diff --git a/internal/cmd/operator-sdk/scorecard/cmd.go b/internal/cmd/operator-sdk/scorecard/cmd.go
index 47cfdc369c9..7265ac4055a 100644
--- a/internal/cmd/operator-sdk/scorecard/cmd.go
+++ b/internal/cmd/operator-sdk/scorecard/cmd.go
@@ -91,10 +91,10 @@ If the argument holds an image tag, it must be present remotely.`,
 scorecardCmd.Flags().DurationVarP(&c.waitTime, "wait-time", "w", 30*time.Second,
 "seconds to wait for tests to complete. Example: 35s")
 scorecardCmd.Flags().StringVarP(&c.storageImage, "storage-image", "b",
-"docker.io/bpalmer/scorecard-storage:dev",
+"quay.io/operator-framework/scorecard-storage:latest",
 "Storage image to be used by the Scorecard pod")
 scorecardCmd.Flags().StringVarP(&c.untarImage, "untar-image", "u",
-"docker.io/bpalmer/scorecard-untar:dev",
+"quay.io/operator-framework/scorecard-untar:latest",
 "Untar image to be used by the Scorecard pod")
 scorecardCmd.Flags().StringVarP(&c.testOutput, "test-output", "t", "test-output",
 "Test output directory.")
diff --git a/internal/cmd/operator-sdk/scorecard/cmd_test.go b/internal/cmd/operator-sdk/scorecard/cmd_test.go
index 2fc5d83dab4..9f68f072f8e 100644
--- a/internal/cmd/operator-sdk/scorecard/cmd_test.go
+++ b/internal/cmd/operator-sdk/scorecard/cmd_test.go
@@ -69,12 +69,12 @@ var _ = Describe("Running the scorecard command", func() {
 flag = cmd.Flags().Lookup("storage-image")
 Expect(flag).NotTo(BeNil())
 Expect(flag.Shorthand).To(Equal("b"))
- Expect(flag.DefValue).To(Equal("docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af"))
+ Expect(flag.DefValue).To(Equal("quay.io/operator-framework/scorecard-storage:latest"))
 flag = cmd.Flags().Lookup("untar-image")
 Expect(flag).NotTo(BeNil())
 Expect(flag.Shorthand).To(Equal("u"))
- Expect(flag.DefValue).To(Equal("registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7"))
+ Expect(flag.DefValue).To(Equal("quay.io/operator-framework/scorecard-untar:latest"))
 })
 })
diff --git a/website/content/en/docs/cli/operator-sdk_scorecard.md b/website/content/en/docs/cli/operator-sdk_scorecard.md
index 625b7e8f172..5b5e85ea0eb 100644
--- a/website/content/en/docs/cli/operator-sdk_scorecard.md
+++ b/website/content/en/docs/cli/operator-sdk_scorecard.md
@@ -28,9 +28,9 @@ operator-sdk scorecard [flags]
 -l, --selector string label selector to determine which tests are run
 -s, --service-account string Service account to use for tests (default "default")
 -x, --skip-cleanup Disable resource cleanup after tests are run
- -b, --storage-image string Storage image to be used by the Scorecard pod (default "docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af")
+ -b, --storage-image string Storage image to be used by the Scorecard pod (default "quay.io/operator-framework/scorecard-storage:latest")
 -t, --test-output string Test output directory. (default "test-output")
- -u, --untar-image string Untar image to be used by the Scorecard pod (default "registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7")
+ -u, --untar-image string Untar image to be used by the Scorecard pod (default "quay.io/operator-framework/scorecard-untar:latest")
 -w, --wait-time duration seconds to wait for tests to complete. Example: 35s (default 30s)
 ```
From eaeaa67805e62025a89cc704f4c0d8db79d33295 Mon Sep 17 00:00:00 2001
From: Bryce Palmer
Date: Tue, 28 Feb 2023 09:17:18 -0500
Subject: [PATCH 4/4] add missing newline
Signed-off-by: Bryce Palmer
---
 images/scorecard-storage/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/images/scorecard-storage/Dockerfile b/images/scorecard-storage/Dockerfile
index eae0c8882a2..d0a17eba198 100644
--- a/images/scorecard-storage/Dockerfile
+++ b/images/scorecard-storage/Dockerfile
@@ -9,4 +9,4 @@ RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin"
 WORKDIR ${HOME}
-USER ${USER_UID}
\ No newline at end of file
+USER ${USER_UID}