This repository has been archived by the owner on Jul 5, 2023. It is now read-only.

Add better docs for psp clusters #68

Merged
merged 5 commits into from
Sep 11, 2019
21 changes: 17 additions & 4 deletions Dockerfile
@@ -1,11 +1,24 @@
# latest base image without vulnerabilities
FROM python:3.7.4-alpine3.10
FROM python:3.7.4-alpine3.10 AS builder

COPY . /illuminatio
COPY .git /illuminatio/.git

WORKDIR /illuminatio

RUN apk add git && pip install .
RUN apk add --no-cache git && \
adduser -S illuminatio -s /bin/nologin -u 1000 && \
chmod 1777 /tmp

RUN pip install --no-warn-script-location --user . && \
chown -R illuminatio /root/.local

# Final image
FROM python:3.7.4-alpine3.10

RUN adduser -S illuminatio -H -s /bin/nologin -u 1000
USER 1000

COPY --from=builder /root/.local /home/illuminatio/.local
ENV PATH=/home/illuminatio/.local/bin:$PATH

CMD ["/bin/sh"]
ENTRYPOINT [ "illuminatio" ]
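Review bot: the final stage creates the user with `adduser -S illuminatio -H ...`, so no home directory is created, and `COPY --from=builder /root/.local /home/illuminatio/.local` then materialises `/home/illuminatio` as a root-owned path; with `USER 1000` the CLI can still read and execute from `.local/bin`, but anything that tries to write under `$HOME` (the README's `-v ~/.kube:/home/illuminatio/.kube:ro` mount sits inside it) will fail with a permission error. Suggest `COPY --from=builder --chown=1000:1000 /root/.local /home/illuminatio/.local` (which also makes the builder-stage `chown -R illuminatio /root/.local` redundant), or drop `-H` so the home directory is created with the right owner. Separately, the `adduser` and `chmod 1777 /tmp` in the builder stage do not carry over into the final image, so they can be removed there, and Alpine's `nologin` lives at `/sbin/nologin`, so `-s /bin/nologin` points at a path that most likely does not exist (login is still blocked, but the entry is misleading).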
29 changes: 20 additions & 9 deletions README.md
Expand Up @@ -143,24 +143,23 @@ Commands:

## Docker Usage

Note: If you are using a minikube cluster make sure to use the following configuration:
Instead of installing the `illumnatio` cli on your machine you can also use our Docker image.
You will need to provide the `kubeconfig` to the container and probably some certificates:

```bash
minikube config set embed-certs true
docker run -ti -v ~/.kube:/home/illuminatio/.kube:ro inovex/illuminatio clean run
```

Also make sure to pass the `--net=host` flag, otherwise your docker container will not be able to reach the VM hosting your cluster.
### Minikube

```bash
docker run -it --net=host -v ~/.kube:/root/.kube:ro inovex/illuminatio illuminatio clean run
```

For clusters on external machines you merely need the kubeconfig:
Minikube will store the certificates in the users home so we need to pass these to the container:

```bash
docker run -it -v ~/.kube:/root/.kube:ro inovex/illuminatio illuminatio clean run
docker run -ti -v "${HOME}/.minikube":"${HOME}/.minikube" -v "${HOME}/.kube:"/home/illuminatio/.kube:ro inovex/illuminatio clean run
```

If the minikube VM is not reachable from your container try to pass the `--net=host` flag to the docker run command.

## Compatibility

illuminatio 1.1 was tested using:
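Review bot: the minikube command mounts `${HOME}/.minikube` read-write while the `.kube` mount is `:ro`; the container only needs to read the certificates, so add `:ro` to that mount as well. The quoting on the second mount is misplaced (`-v "${HOME}/.kube:"/home/illuminatio/.kube:ro` closes the quote after the colon; it still expands correctly, but should read `-v "${HOME}/.kube":/home/illuminatio/.kube:ro`). It would also help readers to say why `.minikube` is mounted at the same absolute path inside the container: the kubeconfig references the certificate files by absolute host path, so the path must match for the client to find them. Finally, both `docker run` lines now omit the `illuminatio` argument and rely on the `ENTRYPOINT ["illuminatio"]` introduced in this PR's Dockerfile; that is consistent here, but a sentence noting that older images still need the explicit `illuminatio` argument would avoid confusion.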
Expand All @@ -174,6 +173,18 @@ illuminatio 1.1 is confirmed to be working properly with the following kubernete
- Google Kubernetes Engine, v1.12.8-gke.10
- kubeadm 1.15.0-00, kubernetes v1.15.2

### PodSecurityPolicy

If your cluster has the [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy) Admission Controller you must ensure that the illuminatio runner has the following rights to be created:

- Wants to run as root
- Needs the `SYS_ADMIN` capability
- Needs `allowPrivilegeEscalation: true`
- Needs access to the `hostPath` for the network namespaces and the cri socket

A `PodSecurityPolicy` granting these privileges needs to be bound to the `illuminatio-runner` `ServiceAccount` in the `illuminatio` namespace.
For more details look at the [illuminatio DaemonSet](src/illuminatio/manifests/containerd-daemonset.yaml)

## References

The logo was created by Pia Blum.
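Review bot: the list says the runner "Wants to run as root", but `illuminatio-runner.dockerfile` in this same PR ends with `USER runner`; state which one applies at runtime (for example a `runAsUser` in the DaemonSet's `securityContext`) so operators know what their PodSecurityPolicy actually has to allow. Because the policy grants `SYS_ADMIN`, `allowPrivilegeEscalation: true` and `hostPath` volumes, the docs should stress scoping the grant to exactly the `illuminatio-runner` ServiceAccount in the `illuminatio` namespace (a Role plus RoleBinding in that namespace, not a cluster-wide binding) and restricting `hostPath` with `allowedHostPaths` to the specific paths the DaemonSet mounts (the network namespace directory and the CRI socket) rather than allowing `hostPath` in general. A minimal example policy and binding, or a link to one beside the DaemonSet manifest, would save readers reconstructing it from the DaemonSet. The last sentence is also missing its full stop.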
6 changes: 3 additions & 3 deletions illuminatio-runner.dockerfile
@@ -1,4 +1,4 @@
FROM python:3.7-alpine AS builder
FROM python:3.7.4-alpine3.10 AS builder

RUN apk add --no-cache git alpine-sdk libffi-dev openssl-dev python3-dev && \
mkdir -p /wheels
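Review bot: pinning the builder base to `python:3.7.4-alpine3.10` instead of the floating `python:3.7-alpine` makes the build reproducible and matches the main `Dockerfile`; carry over the same `# latest base image without vulnerabilities` comment so the reason for the pin, and the need to bump both Dockerfiles together, is visible here too. The build-only packages (`alpine-sdk`, `libffi-dev`, `openssl-dev`, `python3-dev`) stay in this stage and never reach the runtime image, which is the right split.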
Expand All @@ -8,7 +8,7 @@ COPY ./requirements.txt /wheels/requirements.txt
RUN pip3 wheel -r ./requirements.txt

# Actual Runner image
FROM python:3.7-alpine
FROM python:3.7.4-alpine3.10

COPY --from=builder /wheels /wheels

Expand Down Expand Up @@ -40,4 +40,4 @@ COPY src /src/app/src

USER runner

ENTRYPOINT [ "illuminatio_runner" ]
ENTRYPOINT [ "illuminatio_runner" ]