[Scorecard] - Create images that run as a non-root user by default #6295

everettraven · 2023-02-07T20:13:49Z

Feature Request

Describe the problem you need a feature to resolve.

The operator-sdk scorecard command recently got a new flag (--pod-security) to enable restricted pod security configurations on Scorecard test pods. Currently, Scorecard defaults to an untar image that runs as a root user:

operator-sdk/internal/cmd/operator-sdk/scorecard/cmd.go

Lines 96 to 98 in 5cbdad9

    
           scorecardCmd.Flags().StringVarP(&c.untarImage, "untar-image", "u", 
        
           	"registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7", 
        
           	"Untar image to be used by the Scorecard pod")

This results in PSA failures due to the container running as a root user instead of a non-root user when --pod-security=restricted

Describe the solution you'd like.

Audit all default images used by Scorecard pods and make changes as needed to ensure that the images we are using will run as a non-root user by default.

The text was updated successfully, but these errors were encountered:

and use them as the default untar and storage images to ensure that scorecard pods are fully compliant with restricted PSA. This is done by making the images run as non-root by default (sets the user to non-root in the Dockerfile) fixes operator-framework#6295 Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

) * add images for scorecard untar and storage Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * Add new images for scorecard and use them as the default untar and storage images to ensure that scorecard pods are fully compliant with restricted PSA. This is done by making the images run as non-root by default (sets the user to non-root in the Dockerfile) fixes #6295 Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * update images & docs;add changelog Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * add missing newline Signed-off-by: Bryce Palmer <bpalmer@redhat.com> --------- Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

…erator-framework#6335) * add images for scorecard untar and storage Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * Add new images for scorecard and use them as the default untar and storage images to ensure that scorecard pods are fully compliant with restricted PSA. This is done by making the images run as non-root by default (sets the user to non-root in the Dockerfile) fixes operator-framework#6295 Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * update images & docs;add changelog Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * add missing newline Signed-off-by: Bryce Palmer <bpalmer@redhat.com> --------- Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

everettraven added the scorecard Issue relates to the scorecard subcomponent label Feb 7, 2023

jberkhahn assigned everettraven Feb 13, 2023

jberkhahn added this to the v1.29.0 milestone Feb 13, 2023

everettraven mentioned this issue Feb 23, 2023

(scorecard): Add new images for default untar and storage options #6335

Merged

2 tasks

everettraven closed this as completed in #6335 Feb 28, 2023

varshaprasad96 modified the milestones: v1.29.0, v1.28.0 Mar 29, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Scorecard] - Create images that run as a non-root user by default #6295

[Scorecard] - Create images that run as a non-root user by default #6295

everettraven commented Feb 7, 2023

[Scorecard] - Create images that run as a non-root user by default #6295

[Scorecard] - Create images that run as a non-root user by default #6295

Comments

everettraven commented Feb 7, 2023

Feature Request

Describe the problem you need a feature to resolve.

Describe the solution you'd like.