Setup user on docker image to run it as no root

[camilamacedo86]

What:

• Setup user on docker image to run it as rootless

Motivation:

• OSDK->KB: Non Root Images #883
• https://jira.coreos.com/browse/OSDK-473

Steps performed to check it locally

$ cd upimage/
$ kubebuilder init --domain up.image
$ kubebuilder create api --group kubeimage --version v1 --kind TestImg
$ make
$ oc login -u system:admin
$ make install
$ make docker-build docker-push IMG=cmacedo/upimage:test
$ make deploy IMG=cmacedo/upimage:test

Checked that it worked in Minishift/OCP as well.

[DirectXMan12]

there seem to be a bunch of unrelated changes, plus some shell scripts, which definitely won't work in the static image. Can you clarify a bit what's going on here?

[mengqiy]

I do not know why it is not passing in 1 of the tests. See here.

The change probably breaks the v2 e2e test.

[DirectXMan12]

yep, that's my suspicion as well. this needs to be overhauled re: my comment before we move forward

[camilamacedo86]

Hi @DirectXMan12 and @mengqiy,

The error faced in the test is when it tries to delete the certificates.certmanager.k8s.io and show that it has been not found. However, has NOT any error in the step where it is applied and I cannot see what in this change could affect it. See here that the error in the uninstalling cert manager bundle in this line of code.

Also, if I understood properly this file shows inject by the webhooks and it is not added in the scaffold project by default.

Could you give me a hand to understand why the change here which is very small now still breaking the 1 of the tests?

[mengqiy]

kubectl -n e2e-xdvj-system apply -f config/samples/barxdvj_v1alpha1_fooxdvj.yaml failed with error: Error from server (InternalError): error when creating "config/samples/barxdvj_v1alpha1_fooxdvj.yaml": Internal error occurred: failed calling webhook "mfooxdvj.kb.io": Post https://e2e-xdvj-webhook-service.e2e-xdvj-system.svc:443/mutate-barxdvj-example-comxdvj-v1alpha1-fooxdvj?timeout=30s: dial tcp 10.96.220.66:443: connect: connection refused

It seems apiserver can't talk to the webhook. Let me take a closer look.

[mengqiy]

2019-09-17T18:45:06.408Z ERROR setup problem running manager {"error": "listen tcp :443: bind: permission denied"}

After looking at the container log, it seems it no longer have permissions to bind to 443, which is the default port for webhook.

[mengqiy]

To fix this issue, you will need to change the scaffolding of

• main.go: set Port in manager.Options.
• config/default/manager_webhook_patch.yaml: change containerPort.
• config/webhook/service.yaml: change targetPort.

[DirectXMan12]

ah, yeah. non-root and privileged ports and all that.

[mengqiy]

Please don't change anything related to kubebuilder v1.
e.g. testdata/gopath/project-v1 and pkg/scaffold/v1

[camilamacedo86]

Hi @mengqiy,

Really tks for your help with. It is done as you suggested but the same issue still been faced. See here. It still trying to connect in the 433 port which is not allowed to the user.

[mengqiy]

Please also update testdata/project-v2/main.go.
We have a test to ensure /testdata director is always up-to-date. But it seems it's broken now. We will fix that. @DirectXMan12
It should not block you.

Other pieces LGTM. Please squash commits.

[camilamacedo86]

Hi @mengqiy,

Shows that all requests are done. Really tks for the help, to tell how to solve the test issue and time spend in the review.

[mengqiy]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: camilamacedo86, mengqiy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mengqiy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment