Skip to content

security hardening of service controllers #257

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jan 7, 2022
Merged

security hardening of service controllers #257

merged 3 commits into from
Jan 7, 2022

Conversation

@vijtrip2
Copy link
Contributor

@vijtrip2 vijtrip2 commented Jan 6, 2022

Issue #, if available: aws-controllers-k8s/community#1112

Description of changes:

  • Update base image to public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2021-12-01-1638322424 and golang image to 1.17.5 for building controller images
  • Updated the deployment.yaml files to runAsUser 1000. This userId was selected as random.
  • Updated ACK runtime to v0.16.0
  • validated that controller runs correctly when executed as non root user
  • tested locally by running ecr-controller e2e tests
  • validated that there were no security vulnerabilities in generated image

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@ack-bot ack-bot requested a review from a-hilaly January 6, 2022 22:22
jaypipes
jaypipes reviewed Jan 6, 2022
View reviewed changes
jaypipes
jaypipes approved these changes Jan 6, 2022
View reviewed changes
Copy link
Collaborator

@jaypipes jaypipes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 from me, great work Vijay!

@vijtrip2
Copy link
Contributor Author

vijtrip2 commented Jan 6, 2022

note to reviewers: currently working on fixing the failing tests. These are mainly due to old go version/dependencies in test base images

RedbackThomson
RedbackThomson approved these changes Jan 7, 2022
View reviewed changes
Copy link
Contributor

@RedbackThomson RedbackThomson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome. Sweet.

@vijtrip2
Copy link
Contributor Author

vijtrip2 commented Jan 7, 2022

Possible fixes for the test failures are in this test-infra PR. aws-controllers-k8s/test-infra#170

@vijtrip2
Copy link
Contributor Author

vijtrip2 commented Jan 7, 2022

/retest

@RedbackThomson
Copy link
Contributor

RedbackThomson commented Jan 7, 2022

/lgtm

@ack-bot ack-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 7, 2022
@ack-bot
Copy link
Collaborator

ack-bot commented Jan 7, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jaypipes, RedbackThomson, vijtrip2

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [RedbackThomson,jaypipes,vijtrip2]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ack-bot ack-bot merged commit e8d1493 into aws-controllers-k8s:main Jan 7, 2022
@vijtrip2 vijtrip2 deleted the root-less-image branch January 7, 2022 18:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jaypipes jaypipes jaypipes approved these changes

@a-hilaly a-hilaly Awaiting requested review from a-hilaly

+1 more reviewer

@RedbackThomson RedbackThomson RedbackThomson approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@RedbackThomson RedbackThomson

Labels

approved lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@vijtrip2 @RedbackThomson @ack-bot @jaypipes