Add PSA Flag to Scorecard #6187
Conversation
Signed-off-by: Ish Shah <ishah@redhat.com>
Signed-off-by: Ish Shah <ishah@redhat.com>
Signed-off-by: Ish Shah <ishah@redhat.com>
Signed-off-by: Ish Shah <ishah@redhat.com>
| podSecFlag := true | ||
| if c.podSecurity == "resticted" { | ||
| podSecFlag = true | ||
| } else if c.podSecurity == "legacy" { | ||
| podSecFlag = false | ||
| } | ||
|
|
There was a problem hiding this comment.
A nit/typo:
| podSecFlag := true | |
| if c.podSecurity == "resticted" { | |
| podSecFlag = true | |
| } else if c.podSecurity == "legacy" { | |
| podSecFlag = false | |
| } | |
| podSecFlag := true | |
| if c.podSecurity == "restricted" { | |
| podSecFlag = true | |
| } else if c.podSecurity == "legacy" { | |
| podSecFlag = false | |
| } | |
As an aside, since we are processing this as a boolean, would it be easier to just make this a boolean flag rather than a string flag? Maybe something like --enable-psa? This way we don't have to do any if statements like this where we are processing a string into a boolean.
There was a problem hiding this comment.
Somehow I missed this. No it should not be treated as a boolean. It should match what we're doing in run bundle. #6062 we treat it as an enum to match what is in operator-framework/api.
There was a problem hiding this comment.
Would it be possible for the scorecard implementation to import and use the same logic that was created for operator-sdk run bundle?
I'm fine to leave this as is if we are happy with it, but it would be nice to be using the same tooling/logic in all places we want this kind of functionality rather than having slightly different methods for each implementation.
There was a problem hiding this comment.
It might be possible, just seems weird. We would likely want to move the enum stuff out of run bundle into a common area so that it can be used by both sides: scorecard & run bundle.
|
|
||
| // Create a Pod to run the test | ||
| podDef := getPodDefinition(r.configMapName, test, r) | ||
| if podSec { | ||
| secCtx := v1.PodSecurityContext{} |
There was a problem hiding this comment.
In my testing, a bit more than this was necessary.
There was a problem hiding this comment.
He's adding the Seccompprofile
// SecurityContext: &corev1.PodSecurityContext{
// SeccompProfile: &corev1.SeccompProfile{
// Type: corev1.SeccompProfileTypeRuntimeDefault,
// },
That's what we ended up adding to the run bundle command. You shouldn't have to add the runuser to it.
There was a problem hiding this comment.
When I was testing my patch, the 'scorecard-untar' init container needed the RunAsUser (the RunAsGroup may not be necessary, but I put it in there for completeness). This is needed because this container utilizes UBI directly, and UBI does not specify a user. Hence, the untar will not run. Here is the error message:
Warning Failed 4s (x2 over 4s) kubelet Error: container has runAsNonRoot and image will run as root (pod: "scorecard-test-tw6p_default(dba24b81-7d41-4941-9b4f-946e2a15a079)", container: scorecard-untar)
This is from running kubectl describe pod scorecard-test-xxxx with this patch. That's why the timeout is occurring in the e2e test. This is consistent with what I saw when testing before I put in the RunAsUser.
There was a problem hiding this comment.
Maybe we should consider creating and pushing a custom image that will run as a non-root user by default?
There was a problem hiding this comment.
@bcrochet I discussed with @everettraven and you are correct with the RunUser. The reason I didn't have to do it with run bundle was the index images have the proper userids. So +1 to adding your changes to this PR.
There was a problem hiding this comment.
Maybe we should consider creating and pushing a custom image that will run as a non-root user by default?
My first thought was "why bother?" but then I had the thought that it might not be a bad idea to do that, and have it be based on ubi(8|9):latest so that it is kept up-to-date on every release of operator-sdk.
There was a problem hiding this comment.
My first thought was "why bother?" but then I had the thought that it might not be a bad idea to do that, and have it be based on ubi(8|9):latest so that it is kept up-to-date on every release of operator-sdk.
My only reason for suggesting this was because I believe that there is a problem when setting RunAsUser on OpenShift >= 4.11.
There is this note in the sample pod security manifest in the Operator SDK Pod Security Standards docs:
# WARNING: Ensure that the image used defines an UserID in the Dockerfile
# otherwise the Pod will not run and will fail with `container has runAsNonRoot and image has non-numeric user`.
# If you want your workloads admitted in namespaces enforced with the restricted mode in OpenShift/OKD vendors
# then, you MUST ensure that the Dockerfile defines a User ID OR you MUST leave the `RunAsNonRoot` and
# RunAsUser fields empty.
Creating the custom container image that can be used by default would allow the default logic to always work without specifying RunAsUser which, as far as I understand, should make the default logic work on any cluster.
There was a problem hiding this comment.
The "why bother?" was more about just one more asset to have to track. I'm totally on board with doing it though. I think it makes a lot of sense once I took a step back and thought about it.
There was a problem hiding this comment.
@theishshah was there ever any decision on the direction to go in regards to creating a new container image for scorecard that will run as a non root user within the container?
|
@theishshah @everettraven why is this PR still here? This should've been done a while ago. What's holding it up? |
Honestly not sure. I'm on vacation for the next 2 weeks but if this PR is still hanging out when I get back I'll try to move this along. |
laxmikantbpandhare
had a problem deploying
to
deploy
GitHub Actions
Error
laxmikantbpandhare
had a problem deploying
to
deploy
GitHub Actions
Error
laxmikantbpandhare
had a problem deploying
to
deploy
GitHub Actions
Error
laxmikantbpandhare
had a problem deploying
to
deploy
GitHub Actions
Failure
laxmikantbpandhare
had a problem deploying
to
deploy
GitHub Actions
Error
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
laxmikantbpandhare
had a problem deploying
to
deploy
GitHub Actions
Error
laxmikantbpandhare
had a problem deploying
to
deploy
GitHub Actions
Error
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
laxmikantbpandhare
had a problem deploying
to
deploy
GitHub Actions
Error
laxmikantbpandhare
had a problem deploying
to
deploy
GitHub Actions
Error
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
sanity errors fix
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
laxmikantbpandhare
temporarily deployed
to
deploy
GitHub Actions
Inactive
@everettraven - Yes, I updated the website content for the ScoreCard. |
|
Closes #5939 |
|
👏🏽 👏🏽 👏🏽 |
Add PSA Flag to Scorecard