Pod Security

Change bundle unpack pod security settings to allow running in restricted namespaces. Change Dockerfile to use debug-nonroot image as builder only because we only need the cp binary from it. Signed-off-by: dtfranz <[email protected]>
operator-framework · May 6, 2024 · b6c74d4 · b6c74d4
1 parent f2fc69e
commit b6c74d4
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,11 @@
-FROM gcr.io/distroless/static:debug-nonroot
+FROM gcr.io/distroless/static:debug-nonroot AS builder
+
+# Stage 2: 
+FROM gcr.io/distroless/static:nonroot
+
+# Grab the cp binary so we can cp the unpack
+# binary to a shared volume in the bundle image.
+COPY --from=builder /busybox/cp /busybox/ls /
 
 WORKDIR /
 

diff --git a/pkg/source/image.go b/pkg/source/image.go
@@ -138,7 +138,7 @@ func (i *Image) getDesiredPodApplyConfig(bundle *rukpakv1alpha2.BundleDeployment
 				WithName("install-unpacker").
 				WithImage(i.UnpackImage).
 				WithImagePullPolicy(corev1.PullIfNotPresent).
-				WithCommand("cp", "-Rv", "/unpack", "/util/bin/unpack").
+				WithCommand("/cp", "-Rv", "/unpack", "/util/bin/unpack").
 				WithVolumeMounts(applyconfigurationcorev1.VolumeMount().
 					WithName("util").
 					WithMountPath("/util/bin"),
@@ -154,15 +154,15 @@ func (i *Image) getDesiredPodApplyConfig(bundle *rukpakv1alpha2.BundleDeployment
 					WithName("util").
 					WithMountPath("/bin"),
 				).
-				WithSecurityContext(containerSecurityContext).
+				WithSecurityContext(containerSecurityContext.WithRunAsUser(1001)).
 				WithTerminationMessagePolicy(corev1.TerminationMessageFallbackToLogsOnError),
 			).
 			WithVolumes(applyconfigurationcorev1.Volume().
 				WithName("util").
 				WithEmptyDir(applyconfigurationcorev1.EmptyDirVolumeSource()),
 			).
 			WithSecurityContext(applyconfigurationcorev1.PodSecurityContext().
-				WithRunAsNonRoot(false).
+				WithRunAsNonRoot(true).
 				WithSeccompProfile(applyconfigurationcorev1.SeccompProfile().
 					WithType(corev1.SeccompProfileTypeRuntimeDefault),
 				),

diff --git a/test/e2e/plain_provisioner_test.go b/test/e2e/plain_provisioner_test.go
@@ -1443,7 +1443,7 @@ func checkProvisionerBundleDeployment(ctx context.Context, object client.Object,
 		SubResource("exec").
 		VersionedParams(&corev1.PodExecOptions{
 			Container: "manager",
-			Command:   []string{"ls", filepath.Join(storage.DefaultBundleCacheDir, fmt.Sprintf("%s.tgz", object.GetName()))},
+			Command:   []string{"/ls", filepath.Join(storage.DefaultBundleCacheDir, fmt.Sprintf("%s.tgz", object.GetName()))},
 			Stdin:     true,
 			Stdout:    true,
 			Stderr:    true,