Add securityContext to parsers and hooks

Author: J12934

hook-sdk/nodejs/Dockerfile

@@ -5,10 +5,10 @@ RUN npm ci --production
 
 FROM node:12-alpine
 ARG NODE_ENV
-RUN addgroup -S app && adduser app -S -G app
+RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app
 WORKDIR /home/app/hook-wrapper/
 COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./hook-wrapper.js ./hook-wrapper.js
-USER app
+USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
 ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]

operator/controllers/execution/scans/hook_reconciler.go

@@ -362,6 +362,8 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 	labels["experimental.securecodebox.io/hook-name"] = hook.Name
 
 	var backOffLimit int32 = 3
+	truePointer := true
+	falsePointer := false
 	job := &batch.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations:  make(map[string]string),
@@ -399,6 +401,15 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 									corev1.ResourceMemory: resource.MustParse("200Mi"),
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								RunAsNonRoot:             &truePointer,
+								AllowPrivilegeEscalation: &falsePointer,
+								ReadOnlyRootFilesystem:   &truePointer,
+								Privileged:               &falsePointer,
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"all"},
+								},
+							},
 						},
 					},
 				},

operator/controllers/execution/scans/parse_reconciler.go

@@ -80,6 +80,8 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 	labels["experimental.securecodebox.io/job-type"] = "parser"
 	automountServiceAccountToken := true
 	var backOffLimit int32 = 3
+	truePointer := true
+	falsePointer := false
 	job := &batch.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations:  make(map[string]string),
@@ -133,6 +135,15 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 									corev1.ResourceMemory: resource.MustParse("200Mi"),
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								RunAsNonRoot:             &truePointer,
+								AllowPrivilegeEscalation: &falsePointer,
+								ReadOnlyRootFilesystem:   &truePointer,
+								Privileged:               &falsePointer,
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"all"},
+								},
+							},
 						},
 					},
 					AutomountServiceAccountToken: &automountServiceAccountToken,

parser-sdk/nodejs/Dockerfile

@@ -5,10 +5,10 @@ RUN npm ci --production
 
 FROM node:12-alpine
 ARG NODE_ENV
-RUN addgroup -S app && adduser app -S -G app
+RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app
 WORKDIR /home/app/parser-wrapper/
 COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./parser-wrapper.js ./parser-wrapper.js
-USER app
+USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
 ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]