run containers securely (except kaniko - GoogleContainerTools/kaniko#105

)

.github/workflows/push.yml

@@ -170,7 +170,7 @@ jobs:
             --tla-str 'imagePrefix=${{env.REGISTRY}}/${{env.IMAGE_PREFIX}}' \
             --tla-str 'buildNumber=${{env.VERSION}}.${{env.BUILD_NUMBER}}' \
             --tla-str 'namespace=${{env.NAMESPACE}}' \
-            --tla-str 'debug=false' \
+            --tla-str 'isProduction=true' \
             > ./build/jabos-manifests.yaml
           cp ./build/jabos-manifests.yaml ./build/input/jabos-manifests.yaml
 

Makefile

@@ -61,7 +61,7 @@ manifests: FORCE build_number
 		--tla-str 'imagePrefix=' \
 		--tla-str 'buildNumber=${BUILD_NUMBER}' \
 		--tla-str 'namespace=jabos' \
-		--tla-str 'debug=true' \
+		--tla-str 'isProduction=false' \
 		> build/manifests.yaml
 
 build: FORCE images manifests
@@ -77,9 +77,9 @@ deploy-examples: FORCE
 	kubectl apply -f ../jabos-examples-gitlab/simple-build.yaml
 
 un-deploy-examples: FORCE
-	kubectl delete -f ../jabos-examples/simple-build.yaml
-	kubectl delete -f ../jabos-examples-private/simple-build.yaml
-	kubectl delete -f ../jabos-examples-gitlab/simple-build.yaml
+	- kubectl delete -f ../jabos-examples/simple-build.yaml
+	- kubectl delete -f ../jabos-examples-private/simple-build.yaml
+	- kubectl delete -f ../jabos-examples-gitlab/simple-build.yaml
 
 service-port-forward: FORCE
 	parallel --linebuffer -j0 eval kubectl port-forward -n {} ::: "efk svc/efk-kibana 5601" "monitoring svc/kube-prometheus-stack-grafana 3000:80"

base-manifest-builder/Dockerfile

@@ -2,7 +2,7 @@ FROM alpine
 
 RUN apk add --update curl wget bash coreutils
 
-RUN adduser -s /bin/bash -S user
+RUN adduser -s /bin/bash -S user -u 1000
 
 RUN mkdir /build && chown user /build
 
@@ -11,6 +11,6 @@ RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
 
 COPY ./build.sh /
 
-USER user
+USER 1000
 
 ENTRYPOINT ["/build.sh"]

docker-image-builder-init/Dockerfile

@@ -5,10 +5,10 @@ RUN apk add --update curl wget git bash
 RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq &&\
   chmod +x /usr/bin/yq
 
-RUN adduser -s /bin/bash -S user
+RUN adduser -s /bin/bash -S user -u 1000
 
 COPY ./init.sh /
 
-USER user
+USER 1000
 
 ENTRYPOINT ["/init.sh"]

git-repository-updater/Dockerfile

@@ -7,15 +7,13 @@ USER root
 
 RUN apk add --update bc git openssh-client
 
-RUN mkdir /gitTemp && chown user /gitTemp
-
 RUN mkdir /home/user/.ssh &&\
   printf "Host *\n\tStrictHostKeyChecking no\n" >> /home/user/.ssh/config &&\
   touch /home/user/.ssh/known_hosts &&\
   chown user /home/user/.ssh/known_hosts
 
 COPY ./get_latest_commit.sh /
 
-USER user
+USER 1000
 
 ENTRYPOINT ["/get_latest_commit.sh"]

git-repository-updater/get_latest_commit.sh

@@ -32,12 +32,11 @@ curl -s -X POST "${JABOS_OPERATOR_URL}addMetric/gitRepositoryUpdaterStart" \
 source /kubectl-setup.sh
 
 if [ -n "${SSH_KEY}" ]; then
-  eval "$(ssh-agent -s)" >&2
-  echo "${SSH_PASSPHRASE}" | setsid ssh-add <(printf -- "${SSH_KEY}") >&2
+  eval "$(ssh-agent -s)"
+  echo "${SSH_PASSPHRASE}" | setsid ssh-add <(printf -- "${SSH_KEY}")
 fi
 
 git clone --bare --single-branch --depth 1 --branch ${BRANCH} ${URL} /gitTemp
-
 cd  /gitTemp
 LATEST_COMMIT=$(git log -n 1 --pretty=format:"%H" | head -n 1)
 

helm-template-manifest-builder/Dockerfile

@@ -12,4 +12,4 @@ RUN wget https://get.helm.sh/helm-v3.7.2-linux-amd64.tar.gz -O - | tar -xz && \
 
 COPY ./build.sh /
 
-USER user
+USER 1000

jsonnet-manifest-builder/Dockerfile

@@ -13,4 +13,4 @@ RUN wget https://github.com/google/go-jsonnet/releases/download/v0.17.0/go-jsonn
 
 COPY ./build.sh /
 
-USER user
+USER 1000

kubectl/Dockerfile

@@ -9,13 +9,13 @@ RUN \
 RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq &&\
   chmod +x /usr/bin/yq
 
-RUN adduser -s /bin/bash -S user
+RUN adduser -s /bin/bash -S user -u 1000
 
 COPY ./kubectl-setup.sh /
 COPY ./kube-config.yaml /home/user/.kube/config
 
 RUN chown -R user /home/user
 
-USER user
+USER 1000
 
 ENTRYPOINT ["/setup.sh"]

kustomize-manifest-builder/Dockerfile

@@ -11,4 +11,4 @@ COPY --from=kustomize /app/kustomize /usr/bin/kustomize
 
 COPY ./build.sh /
 
-USER user
+USER 1000

manifests/DockerImage.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local kube = import './kube.libsonnet';
   kube.CRD(kind='DockerImage',
            singular='docker-image',

manifests/DockerImageController.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local kube = import './kube.libsonnet';
   local metacontroller = import './metacontroller.libsonnet';
   metacontroller.DecoratorController(namespace=namespace,

manifests/GitRepository.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local kube = import './kube.libsonnet';
   kube.CRD(kind='GitRepository',
            singular='git-repository',

manifests/GitRepositoryController.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local kube = import './kube.libsonnet';
   local metacontroller = import './metacontroller.libsonnet';
   metacontroller.DecoratorController(namespace=namespace,

manifests/GrafanaDashboards.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local grafanaDashboard = import './grafana-dashboard.libsonnet';
   local globals = import './globals.libsonnet';
   grafanaDashboard.GrafanaDashboard(name='grafana-dashboards', namespace=namespace, grafonnet={

manifests/HelmTemplateManifests.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local manifests = (import './manifests.libsonnet');
   manifests.CRD(
     description='`HelmTemplateManifest` objects define a folder with a [helm](https://helm.sh/) chart to deploy with `helm template`.',

manifests/HelmTemplateManifestsController.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local manifests = (import './manifests.libsonnet');
   manifests.Controller(namespace=namespace, name='helm-template')
 )

manifests/JsonnetManifests.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local manifests = (import './manifests.libsonnet');
   manifests.CRD(
     description='`JsonnetManifest` objects define a folder with [jsonnet](https://jsonnet.org/) based manifests to deploy.',

manifests/JsonnetManifestsController.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local manifests = (import './manifests.libsonnet');
   manifests.Controller(namespace=namespace, name='jsonnet')
 )

manifests/KustomizeManifests.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local manifests = (import './manifests.libsonnet');
   manifests.CRD(
     description='`KustomizeManifest` objects define a folder with [Kustomize](https://kustomize.io/) based manifests to deploy.',

manifests/KustomizeManifestsController.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local manifests = (import './manifests.libsonnet');
   manifests.Controller(namespace=namespace, name='kustomize')
 )

manifests/OperatorDeployment.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local kube = import './kube.libsonnet';
   local globals = import './globals.libsonnet';
   kube.Deployment(
@@ -7,7 +7,7 @@ function(imagePrefix, buildNumber, namespace, debug) (
     replicas=1,
     serviceAccountName='operator',
     containers=[
-      kube.Container(name='operator', image=imagePrefix + 'operator:' + buildNumber) +
+      kube.Container(name='operator', image=imagePrefix + 'operator:' + buildNumber, imagePullPolicy=(if isProduction == 'true' then 'Always' else 'IfNotPresent')) +
       {
         env+: [
           {
@@ -23,8 +23,8 @@ function(imagePrefix, buildNumber, namespace, debug) (
             value: buildNumber,
           },
           {
-            name: 'DEBUG',
-            value: debug,
+            name: 'IS_PRODUCTION',
+            value: isProduction,
           },
           {
             name: 'PROMETHEUS_METRIC_PREFIX',

manifests/OperatorService.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local kube = import './kube.libsonnet';
   local monitoring = import './monitoring.libsonnet';
   local globals = import './globals.libsonnet';

manifests/OperatorServiceAccount.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local kube = import './kube.libsonnet';
   local globals = import './globals.libsonnet';
   kube.ServiceAccount(namespace=namespace, name='operator')

manifests/PlainManifests.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local manifests = (import './manifests.libsonnet');
   manifests.CRD(
     description='`PlainManifest` objects define a folder with plain manifests to deploy (YAML/YML/JSON).',

manifests/PlainManifestsController.jsonnet

@@ -1,4 +1,4 @@
-function(imagePrefix, buildNumber, namespace, debug) (
+function(imagePrefix, buildNumber, namespace, isProduction) (
   local manifests = (import './manifests.libsonnet');
   manifests.Controller(namespace=namespace, name='plain')
 )

operator/Dockerfile

@@ -6,6 +6,6 @@ RUN npm install
 
 COPY . /app
 
-USER node
+USER 1000
 
 ENTRYPOINT ["./start.sh"]

operator/builderJob.ts

@@ -19,6 +19,32 @@ export default function (options: {
   metricLabels: {},
   labels: {}
 }) {
+  options.containers.forEach(container => {
+    container.imagePullPolicy = settings.imagePullPolicy();
+
+    container.securityContext = {
+      ...container.securityContext,
+      "readOnlyRootFilesystem": true,
+      "allowPrivilegeEscalation": false,
+      "runAsNonRoot": true,
+      "capabilities": {
+        "drop": ['ALL'],
+      },
+    };
+
+    container.volumeMounts = [
+      ...container.volumeMounts,
+      {
+        "name": "temp",
+        "mountPath": "/tmp",
+      },
+      {
+        "name": "build",
+        "mountPath": "/build",
+      }
+    ];
+  });
+
   return {
     "apiVersion": "batch/v1",
     "kind": "Job",
@@ -43,6 +69,9 @@ export default function (options: {
         "spec": {
           "serviceAccountName": options.serviceAccountName,
           "restartPolicy": "OnFailure",
+          "securityContext": {
+            "runAsNonRoot": true,
+          },
           "initContainers": [
             {
               "image": `${settings.imagePrefix()}pre-builder:${settings.buildNumber()}`,
@@ -67,7 +96,15 @@ export default function (options: {
                   }
                 }
               ])],
-              "imagePullPolicy": "IfNotPresent",
+              "imagePullPolicy": settings.imagePullPolicy(),
+              "securityContext": {
+                "readOnlyRootFilesystem": true,
+                "allowPrivilegeEscalation": false,
+                "runAsNonRoot": true,
+                "capabilities": {
+                  "drop": ['ALL'],
+                },
+              },
               "name": "pre-builder",
               "resources": {
                 "limits": {
@@ -84,6 +121,10 @@ export default function (options: {
                   "name": "git-temp",
                   "mountPath": "/gitTemp",
                 },
+                {
+                  "name": "temp",
+                  "mountPath": "/tmp",
+                },
                 {
                   "name": "timer",
                   "mountPath": "/timer",
@@ -102,9 +143,21 @@ export default function (options: {
                   "name": "timer",
                   "mountPath": "/timer",
                   "readOnly": true
+                },
+                {
+                  "name": "temp",
+                  "mountPath": "/tmp"
                 }
               ],
-              "imagePullPolicy": "IfNotPresent",
+              "imagePullPolicy": settings.imagePullPolicy(),
+              "securityContext": {
+                "readOnlyRootFilesystem": true,
+                "allowPrivilegeEscalation": false,
+                "runAsNonRoot": true,
+                "capabilities": {
+                  "drop": ['ALL'],
+                },
+              },
               "name": "post-builder",
               "resources": {
                 "limits": {
@@ -124,6 +177,14 @@ export default function (options: {
               "name": "git-temp",
               "emptyDir": {}
             },
+            {
+              "name": "temp",
+              "emptyDir": {}
+            },
+            {
+              "name": "build",
+              "emptyDir": {}
+            },
             {
               "name": "timer",
               "emptyDir": {}