(scorecard): Add new images for default untar and storage options (#6335

) * add images for scorecard untar and storage Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * Add new images for scorecard and use them as the default untar and storage images to ensure that scorecard pods are fully compliant with restricted PSA. This is done by making the images run as non-root by default (sets the user to non-root in the Dockerfile) fixes #6295 Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * update images & docs;add changelog Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * add missing newline Signed-off-by: Bryce Palmer <bpalmer@redhat.com> --------- Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
operator-framework · Feb 28, 2023 · c57ebf9 · c57ebf9
1 parent e3c5dd8
commit c57ebf9
Show file tree

Hide file tree

Showing 9 changed files with 50 additions and 10 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -72,7 +72,7 @@ jobs:
     environment: deploy
     strategy:
       matrix:
-        id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview"]
+        id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview", "scorecard-storage", "scorecard-untar"]
     steps:
 
     - name: set up qemu

diff --git a/Makefile b/Makefile
@@ -92,7 +92,7 @@ build/scorecard-test build/scorecard-test-kuttl build/custom-scorecard-tests:
 
 # Convenience wrapper for building all remotely hosted images.
 .PHONY: image-build
-IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl
+IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl scorecard-untar scorecard-storage
 image-build: $(foreach i,$(IMAGE_TARGET_LIST),image/$(i)) ## Build all images.
 
 # Convenience wrapper for building dependency base images.

diff --git a/changelog/fragments/03-scorecard-image-psa.yaml b/changelog/fragments/03-scorecard-image-psa.yaml
@@ -0,0 +1,18 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+  - description: >
+      (scorecard): update default storage and untar images to images
+      that run as non-root users by default. This ensures full compliance
+      with restricted PSA guidelines when using `--pod-security=restricted`.
+
+    # kind is one of:
+    # - addition
+    # - change
+    # - deprecation
+    # - removal
+    # - bugfix
+    kind: "bugfix"
+
+    # Is this a breaking change?
+    breaking: false
diff --git a/images/scorecard-storage/Dockerfile b/images/scorecard-storage/Dockerfile
@@ -0,0 +1,12 @@
+FROM docker.io/busybox:1.36
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+    USER_NAME=scorecard-untar \
+    USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}
diff --git a/images/scorecard-untar/Dockerfile b/images/scorecard-untar/Dockerfile
@@ -0,0 +1,12 @@
+FROM registry.access.redhat.com/ubi8:8.7
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+    USER_NAME=scorecard-untar \
+    USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}
diff --git a/internal/cmd/operator-sdk/scorecard/cmd.go b/internal/cmd/operator-sdk/scorecard/cmd.go
@@ -91,10 +91,10 @@ If the argument holds an image tag, it must be present remotely.`,
 	scorecardCmd.Flags().DurationVarP(&c.waitTime, "wait-time", "w", 30*time.Second,
 		"seconds to wait for tests to complete. Example: 35s")
 	scorecardCmd.Flags().StringVarP(&c.storageImage, "storage-image", "b",
-		"docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af",
+		"quay.io/operator-framework/scorecard-storage:latest",
 		"Storage image to be used by the Scorecard pod")
 	scorecardCmd.Flags().StringVarP(&c.untarImage, "untar-image", "u",
-		"registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7",
+		"quay.io/operator-framework/scorecard-untar:latest",
 		"Untar image to be used by the Scorecard pod")
 	scorecardCmd.Flags().StringVarP(&c.testOutput, "test-output", "t", "test-output",
 		"Test output directory.")

diff --git a/internal/cmd/operator-sdk/scorecard/cmd_test.go b/internal/cmd/operator-sdk/scorecard/cmd_test.go
@@ -69,12 +69,12 @@ var _ = Describe("Running the scorecard command", func() {
 			flag = cmd.Flags().Lookup("storage-image")
 			Expect(flag).NotTo(BeNil())
 			Expect(flag.Shorthand).To(Equal("b"))
-			Expect(flag.DefValue).To(Equal("docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af"))
+			Expect(flag.DefValue).To(Equal("quay.io/operator-framework/scorecard-storage:latest"))
 
 			flag = cmd.Flags().Lookup("untar-image")
 			Expect(flag).NotTo(BeNil())
 			Expect(flag.Shorthand).To(Equal("u"))
-			Expect(flag.DefValue).To(Equal("registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7"))
+			Expect(flag.DefValue).To(Equal("quay.io/operator-framework/scorecard-untar:latest"))
 		})
 	})
 

diff --git a/internal/scorecard/scorecard.go b/internal/scorecard/scorecard.go
@@ -227,8 +227,6 @@ func (r PodTestRunner) RunTest(ctx context.Context, test v1alpha3.TestConfigurat
 		// creating a pod security context to support running in default namespace
 		podSecCtx := v1.PodSecurityContext{}
 		podSecCtx.RunAsNonRoot = &podSec
-		podSecCtx.RunAsUser = &[]int64{1000}[0]
-		podSecCtx.RunAsGroup = &[]int64{1000}[0]
 		podSecCtx.SeccompProfile = &v1.SeccompProfile{
 			Type: v1.SeccompProfileTypeRuntimeDefault,
 		}

diff --git a/website/content/en/docs/cli/operator-sdk_scorecard.md b/website/content/en/docs/cli/operator-sdk_scorecard.md
@@ -28,9 +28,9 @@ operator-sdk scorecard [flags]
   -l, --selector string          label selector to determine which tests are run
   -s, --service-account string   Service account to use for tests (default "default")
   -x, --skip-cleanup             Disable resource cleanup after tests are run
-  -b, --storage-image string     Storage image to be used by the Scorecard pod (default "docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af")
+  -b, --storage-image string     Storage image to be used by the Scorecard pod (default "quay.io/operator-framework/scorecard-storage:latest")
   -t, --test-output string       Test output directory. (default "test-output")
-  -u, --untar-image string       Untar image to be used by the Scorecard pod (default "registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7")
+  -u, --untar-image string       Untar image to be used by the Scorecard pod (default "quay.io/operator-framework/scorecard-untar:latest")
   -w, --wait-time duration       seconds to wait for tests to complete. Example: 35s (default 30s)
 ```