diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 0a0ac9f..4ba4431 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -38,7 +38,7 @@ jobs: ./get_helm.sh #Install k3s - curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" sh -s - --docker + curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_VERSION="v1.24.4+k3s1" sh -s - --docker mkdir ~/.kube || echo "~/.kube already existed" sudo chmod 777 /etc/rancher/k3s/k3s.yaml diff --git a/.github/workflows/init_container.yaml b/.github/workflows/init_container.yaml index 828f1ce..0f6ae73 100644 --- a/.github/workflows/init_container.yaml +++ b/.github/workflows/init_container.yaml @@ -41,8 +41,9 @@ jobs: file: ./lightrun-init-agent/Dockerfile push: true tags: "lightruncom/k8s-operator-init-java-agent-linux:${{steps.set_tag.outputs.TAG_NAME}}" - build-args: | + secrets: | GITHUB_TOKEN=${{ secrets.PRETTY_GITHUB_READ_TOKEN }} + build-args: | VERSION=${{ inputs.release_tag }} FILE=agent.zip @@ -53,8 +54,9 @@ jobs: file: ./lightrun-init-agent/Dockerfile push: true tags: "lightruncom/k8s-operator-init-java-agent-alpine:${{steps.set_tag.outputs.TAG_NAME}}" - build-args: | + secrets: | GITHUB_TOKEN=${{ secrets.PRETTY_GITHUB_READ_TOKEN }} + build-args: | VERSION=${{ inputs.release_tag }} FILE=agent-alpine.zip \ No newline at end of file diff --git a/.github/workflows/tests_data/lightrunjavaagent.yaml b/.github/workflows/tests_data/lightrunjavaagent.yaml index 466556a..41f656e 100644 --- a/.github/workflows/tests_data/lightrunjavaagent.yaml +++ b/.github/workflows/tests_data/lightrunjavaagent.yaml @@ -4,7 +4,7 @@ metadata: name: sample spec: initContainer: - image: "lightruncom/k8s-operator-init-java-agent-linux:1.7.0-init.0" + image: "lightruncom/k8s-operator-init-java-agent-linux:1.8.5-init.1" sharedVolumeName: lightrun-agent-init sharedVolumeMountPath: "/lightrun" deploymentName: app 
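Review bot: `INSTALL_K3S_VERSION="v1.24.4+k3s1"` pins the k3s release, but the installer script is still fetched from get.k3s.io at run time and piped straight into `sh`, so the e2e environment stays only partly reproducible; if the goal of the pin is a stable test environment, vendoring the installer or checking its digest before running it closes that gap. The version string is also hard-coded inline in the `run:` step; lifting it to a workflow-level `env:` value (e.g. `K3S_VERSION`) would make the next bump a one-line change and keep it visible at the top of the file.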
diff --git a/controllers/patch_funcs.go b/controllers/patch_funcs.go
index 5dac6dd..2424123 100644
--- a/controllers/patch_funcs.go
+++ b/controllers/patch_funcs.go
@@ -129,6 +129,18 @@ func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *ap
 corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 },
 ),
+ ).
+ WithSecurityContext(
+ corev1ac.SecurityContext().
+ WithCapabilities(
+ corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
+ ).
+ WithAllowPrivilegeEscalation(false).
+ WithRunAsNonRoot(true).
+ WithSeccompProfile(
+ corev1ac.SeccompProfile().
+ WithType(corev1.SeccompProfileTypeRuntimeDefault),
+ ),
 ),
 )
 }
diff --git a/examples/deployment.yaml b/examples/deployment.yaml
index ea7c99b..8030dba 100644
--- a/examples/deployment.yaml
+++ b/examples/deployment.yaml
@@ -20,8 +20,20 @@ spec:
 - name: JAVA_TOOL_OPTIONS
 value: -Djava.net.preferIPv4Stack=true
 image: lightruncom/operator-demo-app
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 # Second container will be not patched, as not mentioned in the custom resource
- - name: busybox
- image: busybox
- command: ["/bin/sh", "-c", "--"]
- args: ["while true; do sleep 30; done;"]
+ - name: non-patched-app
+ image: lightruncom/operator-demo-app
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/lightrun-init-agent/Dockerfile b/lightrun-init-agent/Dockerfile
index ca36150..d7a4d4c 100644
--- a/lightrun-init-agent/Dockerfile
+++ b/lightrun-init-agent/Dockerfile
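Review bot: `WithRunAsNonRoot(true)` is applied without a `WithRunAsUser`, so the kubelet's non-root check can only pass if the init image declares a numeric non-root `USER`; because `initContainer.image` is supplied by the user in the custom resource (see the tests_data manifest in this same commit), a custom image without one will be rejected at container start rather than at reconcile time, which is a confusing failure mode. Worth a comment above `WithSecurityContext(` such as `// runAsNonRoot relies on the init image setting a numeric non-root USER; a custom initContainer.image without one will fail to start`, and ideally a sentence in the CRD field docs. The rest of the builder chain (drop ALL, no privilege escalation, RuntimeDefault seccomp) lines up with the restricted Pod Security Standard; `readOnlyRootFilesystem` is left unset, which seems intentional given that update_config.sh edits /agent/agent.config in place, but a short comment saying so would stop the next reviewer from adding it. The enclosing function addInitContainer starts before this hunk.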
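Review bot: Both demo containers now assert `runAsNonRoot: true` without a `runAsUser`, so the example only starts if `lightruncom/operator-demo-app` is built with a numeric non-root USER, which cannot be verified from this diff; a one-line note in the example, `# the image must declare a numeric non-root USER, otherwise runAsNonRoot rejects the pod`, would save users a CreateContainerConfigError hunt. As a point of style, `runAsNonRoot` and `seccompProfile` are valid at the pod level and could be set once under the pod template's `securityContext`, leaving only the container-scoped `allowPrivilegeEscalation` and `capabilities` duplicated per container. The comment "Second container will be not patched" reads better as "Second container will not be patched".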
@@ -1,13 +1,13 @@ FROM --platform=linux/amd64 alpine:latest -ARG GITHUB_TOKEN ARG VERSION ARG FILE - RUN apk --no-cache add jq \ wget -RUN export REPO="lightrun-platform/athena"; \ +RUN --mount=type=secret,id=GITHUB_TOKEN \ + GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) \ + export REPO="lightrun-platform/athena"; \ # curl inside alpine can't properly forward cookies when downloading asset, hence wget wget -q --auth-no-challenge --header='Accept:application/octet-stream' \ https://$GITHUB_TOKEN:@api.github.com/repos/$REPO/releases/assets/`wget -q -O- --auth-no-challenge --header "Accept: application/vnd.github+json" https://$GITHUB_TOKEN:@api.github.com/repos/$REPO/releases | jq ". | map(select(.tag_name == \"$VERSION\"))[0].assets | map(select(.name == \"$FILE\"))[0].id"` \ @@ -17,7 +17,11 @@ RUN export REPO="lightrun-platform/athena"; \ rm -rf /tmp/agent.zip && \ # Erase default values sed -i.bak "s|com.lightrun.secret=.*|com.lightrun.secret=|" /agent/agent.config && rm /agent/agent.config.bak && \ - sed -i.bak "s|pinned_certs=.*|pinned_certs=|" /agent/agent.config && rm /agent/agent.config.bak + sed -i.bak "s|pinned_certs=.*|pinned_certs=|" /agent/agent.config && rm /agent/agent.config.bak && \ + # In openshift UID will be dynamic per project, hence chmo and not chown + chmod -R 777 /agent + +USER 1000 COPY lightrun-init-agent/update_config.sh /update_config.sh diff --git a/lightrun-init-agent/update_config.sh b/lightrun-init-agent/update_config.sh index 93cc011..c10aeec 100755 --- a/lightrun-init-agent/update_config.sh +++ b/lightrun-init-agent/update_config.sh 
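Review bot: The secret is pulled into the shell via `GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) \` followed by `export REPO=...;`, i.e. a prefix assignment on the `export` special builtin; this only persists for the following `wget` lines because POSIX makes assignments before special builtins affect the current environment, a subtlety that is easy to misread and that silently breaks under a shell running in non-POSIX mode. The explicit form `export GITHUB_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)"; \` then `export REPO="lightrun-platform/athena"; \` says what is meant. The token is still embedded as URL userinfo in both `wget` calls that follow, where a failing request could surface it in build output; sending it as an `Authorization` header keeps it out of the URL. Replacing `ARG GITHUB_TOKEN` with the secret mount is the right move, since a build-arg value is recorded in the image history.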
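Review bot: `chmod -R 777 /agent` bakes a world-writable tree into the image layer, which is broader than the OpenShift arbitrary-UID case needs; OpenShift always places the random UID in group 0, so the documented convention is `chgrp -R 0 /agent && chmod -R g=u /agent`, which gives the runtime user the same access without opening the files to every UID. The comment also has a typo, `chmo` for `chmod`. `USER 1000` is numeric, which is exactly what the operator's new `runAsNonRoot: true` needs, so a comment tying the two together, `# numeric USER required: the operator sets runAsNonRoot on this container`, would keep a future edit from switching it to a named user.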
@@ -24,5 +24,5 @@ echo "Set server and secrets"
 sed -i.bak "s|com.lightrun.server=.*|com.lightrun.server=https://$LIGHTRUN_SERVER|" /agent/agent.config && rm /agent/agent.config.bak
 sed -i.bak "s|com.lightrun.secret=.*|com.lightrun.secret=$LIGHTRUN_KEY|" /agent/agent.config && rm /agent/agent.config.bak
 sed -i.bak "s|pinned_certs=.*|pinned_certs=$PINNED_CERT|" /agent/agent.config && rm /agent/agent.config.bak
-mv /agent /tmp/agent
+cp -R /agent /tmp/agent
 echo "Finished"
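Review bot: The result of the copy is never checked; unless `set -e` is in effect at the top of the script (outside this hunk), a failed or partial `cp -R` still prints `Finished` and the init container exits 0, leaving the application container without a usable agent and no clear error. Suggest `cp -R /agent /tmp/agent || exit 1`. Switching from `mv` to `cp -R` also changes two things worth a comment: the agent.config that now carries `LIGHTRUN_KEY` and the pinned cert remains under /agent in the init container's filesystem as well as at the destination, and plain `cp -R` may apply the umask to the copied modes, so if the 777 bits from the image are what lets the application UID use the files, `cp -Rp` is the form that preserves them.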