Pod Security
Change bundle unpack pod security settings to allow running in restricted namespaces. Change Dockerfile to use debug-nonroot image as builder only because we only need the cp binary from it.

Signed-off-by: dtfranz <[email protected]>
dtfranz committed May 3, 2024
1 parent 72cffe6 commit 2b5bb3b
Showing 2 changed files with 12 additions and 7 deletions.
9 changes: 8 additions & 1 deletion Dockerfile
@@ -1,4 +1,11 @@
FROM gcr.io/distroless/static:debug-nonroot
FROM gcr.io/distroless/static:debug-nonroot AS builder

# Stage 2:
FROM gcr.io/distroless/static:nonroot

# Grab the cp binary so we can cp the unpack
# binary to a shared volume in the bundle image
COPY --from=builder /busybox/cp /cp

WORKDIR /

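Review bot: The builder stage introduced on the `FROM gcr.io/distroless/static:debug-nonroot AS builder` line is pulled by tag only, so the `/cp` binary that `COPY --from=builder /busybox/cp /cp` bakes into the final image can change silently between builds; pinning the builder (and the `static:nonroot` final base) with `@sha256:<digest-placeholder>` makes the copied binary reproducible and lets the build be verified against a known image. The COPY line also appears to assume that the busybox `cp` from the debug image is self-contained, since the final `static:nonroot` stage ships no shell or libc — if that is the reason this works, it is worth recording at the COPY, e.g. `# /busybox/cp must be self-contained: the final stage has no libc or shell`. The remainder of the Dockerfile continues past this hunk.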
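--- a/pkg/source/image.go
+++ b/pkg/source/image.go
@@ -138,13 +138,12 @@ func (i *Image) getDesiredPodApplyConfig(bundle *rukpakv1alpha2.BundleDeployment
 WithName("install-unpacker").
 WithImage(i.UnpackImage).
 WithImagePullPolicy(corev1.PullIfNotPresent).
-WithCommand("cp", "-Rv", "/unpack", "/util/bin/unpack").
+WithCommand("/cp", "-Rv", "/unpack", "/util/bin/unpack").
 WithVolumeMounts(applyconfigurationcorev1.VolumeMount().
 WithName("util").
 WithMountPath("/util/bin"),
 ).
-WithSecurityContext(containerSecurityContext).
-WithTerminationMessagePolicy(corev1.TerminationMessageFallbackToLogsOnError),
+WithSecurityContext(containerSecurityContext),
 ).
 WithContainers(applyconfigurationcorev1.Container().
 WithName(imageBundleUnpackContainerName).
@@ -154,15 +153,14 @@ func (i *Image) getDesiredPodApplyConfig(bundle *rukpakv1alpha2.BundleDeployment
 WithName("util").
 WithMountPath("/bin"),
 ).
-WithSecurityContext(containerSecurityContext).
-WithTerminationMessagePolicy(corev1.TerminationMessageFallbackToLogsOnError),
+WithSecurityContext(containerSecurityContext.WithRunAsUser(1001)),
 ).
 WithVolumes(applyconfigurationcorev1.Volume().
 WithName("util").
 WithEmptyDir(applyconfigurationcorev1.EmptyDirVolumeSource()),
 ).
 WithSecurityContext(applyconfigurationcorev1.PodSecurityContext().
-WithRunAsNonRoot(false).
+WithRunAsNonRoot(true).
 WithSeccompProfile(applyconfigurationcorev1.SeccompProfile().
 WithType(corev1.SeccompProfileTypeRuntimeDefault),
 ),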
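Review bot: `WithSecurityContext(containerSecurityContext.WithRunAsUser(1001))` in the second hunk chains on the shared `containerSecurityContext` rather than deriving a new value, and the apply-configuration `With*` builders set the field on their pointer receiver and return that same pointer — so, if `containerSecurityContext` is the usual `*SecurityContextApplyConfiguration` (its definition is outside the hunk), the `install-unpacker` init container in the first hunk also ends up with `RunAsUser: 1001` and both containers reference one object. If only the unpack container is meant to run as 1001, copy before chaining, e.g. `unpackSC := *containerSecurityContext` followed by `WithSecurityContext(unpackSC.WithRunAsUser(1001))`, and give 1001 a named constant such as `unpackRunAsUser` so the choice is documented where it is made. Separately, both hunks drop `WithTerminationMessagePolicy(corev1.TerminationMessageFallbackToLogsOnError)` without the description mentioning it; that policy is what surfaces the container's logs in the pod status when an unpack fails, which matters when triaging a failed BundleDeployment, so if the removal is deliberate it deserves a line in the commit message. `getDesiredPodApplyConfig` starts before the first hunk and continues past the second.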
