diff --git a/Dockerfile b/Dockerfile
index 76bb668..0d9f4d5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,24 @@
-# latest base image without vulnerabilities
-FROM python:3.7.4-alpine3.10
+FROM python:3.7.4-alpine3.10 AS builder
 COPY . /illuminatio
 COPY .git /illuminatio/.git
 WORKDIR /illuminatio
-RUN apk add git && pip install .
+RUN apk add --no-cache git && \
+ adduser -S illuminatio -s /bin/nologin -u 1000 && \
+ chmod 1777 /tmp
+
+RUN pip install --no-warn-script-location --user . && \
+ chown -R illuminatio /root/.local
+
+# Final image
+FROM python:3.7.4-alpine3.10
+
+RUN adduser -S illuminatio -H -s /bin/nologin -u 1000
+USER 1000
+
+COPY --from=builder /root/.local /home/illuminatio/.local
+ENV PATH=/home/illuminatio/.local/bin:$PATH
-CMD ["/bin/sh"]
+ENTRYPOINT [ "illuminatio" ]
diff --git a/README.md b/README.md
index 907901c..fe6f01c 100644
--- a/README.md
+++ b/README.md
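Review bot: The final stage's `COPY --from=builder /root/.local /home/illuminatio/.local` relies on the builder's `chown -R illuminatio /root/.local` to carry ownership across stages, but the documented default for COPY is that new files are created as uid/gid 0 unless `--chown` is given, so the tree the `USER 1000` process runs from may end up root-owned (executable, but not writable or cleanly re-ownable by the runtime user). Setting ownership at the copy is unambiguous and builder-independent: `COPY --chown=1000 --from=builder /root/.local /home/illuminatio/.local`, after which the `adduser` and `chown -R` steps in the builder stage can be dropped. The `chmod 1777 /tmp` in the builder stage also has no effect on the shipped image, since only `/root/.local` is copied out of that stage. Keeping the numeric `USER 1000` is the right choice for runtimes that enforce `runAsNonRoot`.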
@@ -143,24 +143,23 @@ Commands:
 ## Docker Usage
-Note: If you are using a minikube cluster make sure to use the following configuration:
+Instead of installing the `illumnatio` cli on your machine you can also use our Docker image.
+You will need to provide the `kubeconfig` to the container and probably some certificates:
 ```bash
-minikube config set embed-certs true
+docker run -ti -v ~/.kube:/home/illuminatio/.kube:ro inovex/illuminatio clean run
 ```
-Also make sure to pass the `--net=host` flag, otherwise your docker container will not be able to reach the VM hosting your cluster.
+### Minikube
-```bash
-docker run -it --net=host -v ~/.kube:/root/.kube:ro inovex/illuminatio illuminatio clean run
-```
-
-For clusters on external machines you merely need the kubeconfig:
+Minikube will store the certificates in the users home so we need to pass these to the container:
 ```bash
-docker run -it -v ~/.kube:/root/.kube:ro inovex/illuminatio illuminatio clean run
+docker run -ti -v "${HOME}/.minikube":"${HOME}/.minikube" -v "${HOME}/.kube:"/home/illuminatio/.kube:ro inovex/illuminatio clean run
 ```
+If the minikube VM is not reachable from your container try to pass the `--net=host` flag to the docker run command.
+
 ## Compatibility
 illuminatio 1.1 was tested using:
@@ -174,6 +173,18 @@ illuminatio 1.1 is confirmed to be working properly with the following kubernete
 - Google Kubernetes Engine, v1.12.8-gke.10
 - kubeadm 1.15.0-00, kubernetes v1.15.2
+### PodSecurityPolicy
+
+If your cluster has the [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy) Admission Controller you must ensure that the illuminatio runner has the following rights to be created:
+
+- Wants to run as root
+- Needs the `SYS_ADMIN` capability
+- Needs `allowPrivilegeEscalation: true`
+- Needs access to the `hostPath` for the network namespaces and the cri socket
+
+A `PodSecurityPolicy` granting these privileges needs to be bound to the `illuminatio-runner` `ServiceAccount` in the `illuminatio` namespace.
+For more details look at the [illuminatio DaemonSet](src/illuminatio/manifests/containerd-daemonset.yaml)
+
 ## References
 The logo was created by Pia Blum.
diff --git a/illuminatio-runner.dockerfile b/illuminatio-runner.dockerfile
index 5d60441..abf385a 100644
--- a/illuminatio-runner.dockerfile
+++ b/illuminatio-runner.dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.7-alpine AS builder
+FROM python:3.7.4-alpine3.10 AS builder
 RUN apk add --no-cache git alpine-sdk libffi-dev openssl-dev python3-dev && \
 mkdir -p /wheels
@@ -8,7 +8,7 @@ COPY ./requirements.txt /wheels/requirements.txt
 RUN pip3 wheel -r ./requirements.txt
 # Actual Runner image
-FROM python:3.7-alpine
+FROM python:3.7.4-alpine3.10
 COPY --from=builder /wheels /wheels
@@ -40,4 +40,4 @@ COPY src /src/app/src
 USER runner
-ENTRYPOINT [ "illuminatio_runner" ]
\ No newline at end of file
+ENTRYPOINT [ "illuminatio_runner" ]