run as non-root by default (#294)

freeznet · web-flow · commit 65dd146c8d0e · 2021-11-08T09:25:15.000+08:00
* run as non-root by default

* fix CI

* fix format

* fix

* set cap_fowner

* more logs

* more logs

* fix user in runner

* enable tmate to debug

* apply tmate for debug

* fix UID &amp; GID

* cleanup

* cleanup
diff --git a/.ci/helm.sh b/.ci/helm.sh
@@ -138,6 +138,7 @@ function ci::verify_function_mesh() {
       WC=$(${KUBECTL} get pods -lname=${FUNCTION_NAME} --field-selector=status.phase=Running | wc -l)
     done
     ${KUBECTL} describe pod -lname=${FUNCTION_NAME}
+    ${KUBECTL} logs -lname=${FUNCTION_NAME}  --all-containers=true
 }
 
 function ci::verify_hpa() {
diff --git a/controllers/spec/common.go b/controllers/spec/common.go
@@ -57,10 +57,10 @@ const (
 
 	EnvGoFunctionConfigs = "GO_FUNCTION_CONF"
 
-	DefaultRunnerUserID  = "10001"
-	DefaultRunnerUser    = "pulsar"
-	DefaultRunnerGroupID = "10000"
-	DefaultRunnerGroup   = "pulsar"
+	DefaultRunnerUserID  int64 = 10000
+	DefaultRunnerUser          = "pulsar"
+	DefaultRunnerGroupID int64 = 10001
+	DefaultRunnerGroup         = "pulsar"
 )
 
 var GRPCPort = corev1.ContainerPort{
@@ -136,6 +136,10 @@ func MakeStatefulSetSpec(replicas *int32, container *corev1.Container,
 
 func MakePodTemplate(container *corev1.Container, volumes []corev1.Volume,
 	labels map[string]string, policy v1alpha1.PodPolicy) *corev1.PodTemplateSpec {
+	podSecurityContext := getDefaultRunnerPodSecurityContext(DefaultRunnerUserID, DefaultRunnerGroupID, false)
+	if policy.SecurityContext != nil {
+		podSecurityContext = policy.SecurityContext
+	}
 	return &corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
 			Labels:      mergeLabels(labels, policy.Labels),
@@ -149,7 +153,7 @@ func MakePodTemplate(container *corev1.Container, volumes []corev1.Volume,
 			NodeSelector:                  policy.NodeSelector,
 			Affinity:                      policy.Affinity,
 			Tolerations:                   policy.Tolerations,
-			SecurityContext:               policy.SecurityContext,
+			SecurityContext:               podSecurityContext,
 			ImagePullSecrets:              policy.ImagePullSecrets,
 			ServiceAccountName:            policy.ServiceAccountName,
 		},
@@ -382,6 +386,9 @@ func getProcessGoRuntimeArgs(goExecFilePath string, function *v1alpha1.Function)
 		"&&",
 		"echo goFunctionConfigs=\"'${goFunctionConfigs}'\"",
 		"&&",
+		"ls -l",
+		goExecFilePath,
+		"&&",
 		"chmod +x",
 		goExecFilePath,
 		"&&",
@@ -655,6 +662,16 @@ func getSourceRunnerImage(spec *v1alpha1.SourceSpec) string {
 	return DefaultRunnerImage
 }
 
+// getDefaultRunnerPodSecurityContext returns a default PodSecurityContext that runs as non-root
+func getDefaultRunnerPodSecurityContext(uid, gid int64, nonRoot bool) *corev1.PodSecurityContext {
+	return &corev1.PodSecurityContext{
+		RunAsUser:    &uid,
+		RunAsGroup:   &gid,
+		RunAsNonRoot: &nonRoot,
+		FSGroup:      &gid,
+	}
+}
+
 func getJavaSecretProviderArgs(secretMaps map[string]v1alpha1.SecretRef) []string {
 	var ret []string
 	if len(secretMaps) > 0 {
diff --git a/controllers/spec/common_test.go b/controllers/spec/common_test.go
@@ -186,8 +186,9 @@ func TestMakeGoFunctionCommand(t *testing.T) {
 	assert.True(t, strings.HasPrefix(innerCommands[2], " GO_FUNCTION_CONF"))
 	assert.Equal(t, innerCommands[3], " goFunctionConfigs=${GO_FUNCTION_CONF} ")
 	assert.Equal(t, innerCommands[4], " echo goFunctionConfigs=\"'${goFunctionConfigs}'\" ")
-	assert.Equal(t, innerCommands[5], " chmod +x /pulsar/go-func ")
-	assert.Equal(t, innerCommands[6], " exec /pulsar/go-func -instance-conf ${goFunctionConfigs}")
+	assert.Equal(t, innerCommands[5], " ls -l /pulsar/go-func ")
+	assert.Equal(t, innerCommands[6], " chmod +x /pulsar/go-func ")
+	assert.Equal(t, innerCommands[7], " exec /pulsar/go-func -instance-conf ${goFunctionConfigs}")
 }
 
 const TestClusterName string = "test-pulsar"
diff --git a/controllers/spec/function.go b/controllers/spec/function.go
@@ -96,6 +96,9 @@ func MakeFunctionContainer(function *v1alpha1.Function) *corev1.Container {
 		ImagePullPolicy: imagePullPolicy,
 		EnvFrom:         generateContainerEnvFrom(function.Spec.Pulsar.PulsarConfig, function.Spec.Pulsar.AuthSecret, function.Spec.Pulsar.TLSSecret),
 		VolumeMounts:    makeFunctionVolumeMounts(function),
+		SecurityContext: &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"CAP_FOWNER"}},
+		},
 	}
 }
 
diff --git a/controllers/spec/sink.go b/controllers/spec/sink.go
@@ -85,6 +85,9 @@ func MakeSinkContainer(sink *v1alpha1.Sink) *corev1.Container {
 		ImagePullPolicy: imagePullPolicy,
 		EnvFrom:         generateContainerEnvFrom(sink.Spec.Pulsar.PulsarConfig, sink.Spec.Pulsar.AuthSecret, sink.Spec.Pulsar.TLSSecret),
 		VolumeMounts:    makeSinkVolumeMounts(sink),
+		SecurityContext: &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"CAP_FOWNER"}},
+		},
 	}
 }
 
diff --git a/controllers/spec/source.go b/controllers/spec/source.go
@@ -80,6 +80,9 @@ func MakeSourceContainer(source *v1alpha1.Source) *corev1.Container {
 		ImagePullPolicy: imagePullPolicy,
 		EnvFrom:         generateContainerEnvFrom(source.Spec.Pulsar.PulsarConfig, source.Spec.Pulsar.AuthSecret, source.Spec.Pulsar.TLSSecret),
 		VolumeMounts:    makeSourceVolumeMounts(source),
+		SecurityContext: &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"CAP_FOWNER"}},
+		},
 	}
 }
 
diff --git a/images/pulsar-functions-base-runner/Dockerfile b/images/pulsar-functions-base-runner/Dockerfile
@@ -5,8 +5,9 @@ FROM ubuntu:20.04 as functions-runner
 
 ENV GID=10001
 ENV UID=10000
+ENV USER=pulsar
 RUN groupadd -g $GID pulsar
-RUN adduser -u $UID --gid $GID --disabled-login --disabled-password --gecos '' pulsar
+RUN adduser -u $UID --gid $GID --disabled-login --disabled-password --gecos '' $USER
 
 RUN mkdir -p /pulsar/bin/ \
     && mkdir -p /pulsar/lib/ \
diff --git a/images/pulsar-functions-go-runner/Dockerfile b/images/pulsar-functions-go-runner/Dockerfile
@@ -2,4 +2,4 @@ FROM pulsar-functions-runner-base:latest
 
 WORKDIR /pulsar
 
-USER $UID
+USER $USER
diff --git a/images/pulsar-functions-java-runner/Dockerfile b/images/pulsar-functions-java-runner/Dockerfile
@@ -8,4 +8,4 @@ COPY --from=pulsar --chown=$UID:$GID /pulsar/instances/deps /pulsar/instances/de
 
 WORKDIR /pulsar
 
-USER $UID
+USER $USER
diff --git a/images/pulsar-functions-python-runner/Dockerfile b/images/pulsar-functions-python-runner/Dockerfile
@@ -34,4 +34,4 @@ WORKDIR /pulsar
 RUN if [ -f "/pulsar/bin/install-pulsar-client-37.sh" ]; then /pulsar/bin/install-pulsar-client-37.sh ; fi
 RUN if [ -f "/pulsar/bin/install-pulsar-client.sh" ]; then /pulsar/bin/install-pulsar-client.sh ; fi
 
-USER $UID
+USER $USER

Original file line number	Diff line number	Diff line change
`@@ -138,6 +138,7 @@ function ci::verify_function_mesh() {`
`138`	`138`	`WC=$(${KUBECTL} get pods -lname=${FUNCTION_NAME} --field-selector=status.phase=Running \| wc -l)`
`139`	`139`	`done`
`140`	`140`	`${KUBECTL} describe pod -lname=${FUNCTION_NAME}`
	`141`	`+ ${KUBECTL} logs -lname=${FUNCTION_NAME} --all-containers=true`
`141`	`142`	`}`
`142`	`143`
`143`	`144`	`function ci::verify_hpa() {`
Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,9 @@ func MakeFunctionContainer(function v1alpha1.Function) corev1.Container {`
`96`	`96`	`ImagePullPolicy: imagePullPolicy,`
`97`	`97`	`EnvFrom: generateContainerEnvFrom(function.Spec.Pulsar.PulsarConfig, function.Spec.Pulsar.AuthSecret, function.Spec.Pulsar.TLSSecret),`
`98`	`98`	`VolumeMounts: makeFunctionVolumeMounts(function),`
	`99`	`+ SecurityContext: &corev1.SecurityContext{`
	`100`	`+ Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"CAP_FOWNER"}},`
	`101`	`+ },`
`99`	`102`	`}`
`100`	`103`	`}`
`101`	`104`
Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,9 @@ func MakeSinkContainer(sink v1alpha1.Sink) corev1.Container {`
`85`	`85`	`ImagePullPolicy: imagePullPolicy,`
`86`	`86`	`EnvFrom: generateContainerEnvFrom(sink.Spec.Pulsar.PulsarConfig, sink.Spec.Pulsar.AuthSecret, sink.Spec.Pulsar.TLSSecret),`
`87`	`87`	`VolumeMounts: makeSinkVolumeMounts(sink),`
	`88`	`+ SecurityContext: &corev1.SecurityContext{`
	`89`	`+ Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"CAP_FOWNER"}},`
	`90`	`+ },`
`88`	`91`	`}`
`89`	`92`	`}`
`90`	`93`
Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,9 @@ func MakeSourceContainer(source v1alpha1.Source) corev1.Container {`
`80`	`80`	`ImagePullPolicy: imagePullPolicy,`
`81`	`81`	`EnvFrom: generateContainerEnvFrom(source.Spec.Pulsar.PulsarConfig, source.Spec.Pulsar.AuthSecret, source.Spec.Pulsar.TLSSecret),`
`82`	`82`	`VolumeMounts: makeSourceVolumeMounts(source),`
	`83`	`+ SecurityContext: &corev1.SecurityContext{`
	`84`	`+ Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"CAP_FOWNER"}},`
	`85`	`+ },`
`83`	`86`	`}`
`84`	`87`	`}`
`85`	`88`
Original file line number	Diff line number	Diff line change
`@@ -2,4 +2,4 @@ FROM pulsar-functions-runner-base:latest`
`2`	`2`
`3`	`3`	`WORKDIR /pulsar`
`4`	`4`
`5`		`-USER $UID`
	`5`	`+USER $USER`
Original file line number	Diff line number	Diff line change
`@@ -8,4 +8,4 @@ COPY --from=pulsar --chown=$UID:$GID /pulsar/instances/deps /pulsar/instances/de`
`8`	`8`
`9`	`9`	`WORKDIR /pulsar`
`10`	`10`
`11`		`-USER $UID`
	`11`	`+USER $USER`