init container RunAsNonRoot + securityContext (#4)

* init container RunAsNonRoot + securityContext

* add k3s ver due to install script issue
k3s-io/k3s#5528

* update init container in test pipeline

* replace busybox in test deployment (root user)

Author: Leonid Podolinskiy

.github/workflows/e2e.yaml

@@ -38,7 +38,7 @@ jobs:
         ./get_helm.sh
 
         #Install k3s
-        curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -s - --docker
+        curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_VERSION="v1.24.4+k3s1" sh -s - --docker
 
         mkdir ~/.kube || echo "~/.kube already existed"
         sudo chmod 777 /etc/rancher/k3s/k3s.yaml

.github/workflows/init_container.yaml

@@ -41,8 +41,9 @@ jobs:
         file: ./lightrun-init-agent/Dockerfile
         push: true
         tags: "lightruncom/k8s-operator-init-java-agent-linux:${{steps.set_tag.outputs.TAG_NAME}}"
-        build-args: |
+        secrets: |
           GITHUB_TOKEN=${{ secrets.PRETTY_GITHUB_READ_TOKEN }}
+        build-args: |
           VERSION=${{ inputs.release_tag }}
           FILE=agent.zip
 
@@ -53,8 +54,9 @@ jobs:
         file: ./lightrun-init-agent/Dockerfile
         push: true
         tags: "lightruncom/k8s-operator-init-java-agent-alpine:${{steps.set_tag.outputs.TAG_NAME}}"
-        build-args: |
+        secrets: |
           GITHUB_TOKEN=${{ secrets.PRETTY_GITHUB_READ_TOKEN }}
+        build-args: |
           VERSION=${{ inputs.release_tag }}
           FILE=agent-alpine.zip
           

.github/workflows/tests_data/lightrunjavaagent.yaml

@@ -4,7 +4,7 @@ metadata:
   name: sample
 spec:
   initContainer:
-    image: "lightruncom/k8s-operator-init-java-agent-linux:1.7.0-init.0"
+    image: "lightruncom/k8s-operator-init-java-agent-linux:1.8.5-init.1"
     sharedVolumeName: lightrun-agent-init
     sharedVolumeMountPath: "/lightrun"
   deploymentName: app  

controllers/patch_funcs.go

@@ -129,6 +129,18 @@ func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *ap
 						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 					},
 				),
+			).
+			WithSecurityContext(
+				corev1ac.SecurityContext().
+					WithCapabilities(
+						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
+					).
+					WithAllowPrivilegeEscalation(false).
+					WithRunAsNonRoot(true).
+					WithSeccompProfile(
+						corev1ac.SeccompProfile().
+							WithType(corev1.SeccompProfileTypeRuntimeDefault),
+					),
 			),
 	)
 }

examples/deployment.yaml

@@ -20,8 +20,20 @@ spec:
             - name: JAVA_TOOL_OPTIONS
               value: -Djava.net.preferIPv4Stack=true
           image: lightruncom/operator-demo-app
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
         # Second container will be not patched, as not mentioned in the custom resource
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "--"]
-          args: ["while true; do sleep 30; done;"]
+        - name: non-patched-app
+          image: lightruncom/operator-demo-app
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault

lightrun-init-agent/Dockerfile

@@ -1,13 +1,13 @@
 FROM --platform=linux/amd64 alpine:latest
 
-ARG GITHUB_TOKEN
 ARG VERSION 
 ARG FILE 
 
-
 RUN apk --no-cache add jq \
                        wget
-RUN export REPO="lightrun-platform/athena"; \
+RUN --mount=type=secret,id=GITHUB_TOKEN \
+    GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) \
+    export REPO="lightrun-platform/athena"; \
     # curl inside alpine can't properly forward cookies when downloading asset, hence wget
     wget -q --auth-no-challenge --header='Accept:application/octet-stream' \
     https://$GITHUB_TOKEN:@api.github.com/repos/$REPO/releases/assets/`wget -q -O- --auth-no-challenge --header "Accept: application/vnd.github+json"  https://$GITHUB_TOKEN:@api.github.com/repos/$REPO/releases | jq ". | map(select(.tag_name == \"$VERSION\"))[0].assets | map(select(.name == \"$FILE\"))[0].id"` \
@@ -17,7 +17,11 @@ RUN export REPO="lightrun-platform/athena"; \
     rm -rf /tmp/agent.zip && \
     # Erase default values
     sed -i.bak "s|com.lightrun.secret=.*|com.lightrun.secret=|" /agent/agent.config && rm /agent/agent.config.bak && \
-    sed -i.bak "s|pinned_certs=.*|pinned_certs=|" /agent/agent.config && rm /agent/agent.config.bak
+    sed -i.bak "s|pinned_certs=.*|pinned_certs=|" /agent/agent.config && rm /agent/agent.config.bak && \
+    # In openshift UID will be dynamic per project, hence chmo and not chown
+    chmod -R 777 /agent 
+
+USER 1000
 
 COPY lightrun-init-agent/update_config.sh /update_config.sh
 

lightrun-init-agent/update_config.sh

@@ -24,5 +24,5 @@ echo "Set server and secrets"
 sed -i.bak "s|com.lightrun.server=.*|com.lightrun.server=https://$LIGHTRUN_SERVER|" /agent/agent.config && rm /agent/agent.config.bak
 sed -i.bak "s|com.lightrun.secret=.*|com.lightrun.secret=$LIGHTRUN_KEY|" /agent/agent.config && rm /agent/agent.config.bak
 sed -i.bak "s|pinned_certs=.*|pinned_certs=$PINNED_CERT|" /agent/agent.config && rm /agent/agent.config.bak
-mv /agent /tmp/agent
+cp -R /agent /tmp/agent
 echo "Finished"