(scorecard): Add new images for default untar and storage options #6335

everettraven · 2023-02-23T21:29:03Z

Description of the change:

Adds new images definitions for building custom untar and storage images for scorecard that run as a non-root user by default
Updates defaults for the operator-sdk scorecard --storage-image and --untar-image options to use the new images so that scorecard pods are compliant with best practices for restricted PSA environments.
Updates the image build Makefile targets and GitHub actions to include building these images

Motivation for the change:

fixes [Scorecard] - Create images that run as a non-root user by default #6295

Checklist

If the pull request includes user-facing changes, extra documentation is required:

Add a new changelog fragment in changelog/fragments (see changelog/fragments/00-template.yaml)
Add or update relevant sections of the docs website in website/content/en/docs

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

and use them as the default untar and storage images to ensure that scorecard pods are fully compliant with restricted PSA. This is done by making the images run as non-root by default (sets the user to non-root in the Dockerfile) fixes operator-framework#6295 Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

everettraven · 2023-02-23T21:29:58Z

Holding for a bit for conversations and reviews.

/hold

everettraven · 2023-02-23T21:37:04Z

@acornett21 or @theishshah Would you mind testing/taking a look at this? I tested this and everything looked good, but would like some further verification on this.

I tested this by doing the following:

Creating a KinD cluster:

kind create cluster

Creating a test namespace:

kubectl create ns scorecard-test-ns

Setting the namespace as restricted:

kubectl label --overwrite ns scorecard-test-ns pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/enforce-version=v1.25 pod-security.kubernetes.io/warn=restricted

Running scorecard on a version of operator-sdk built from this PR:

operator-sdk scorecard --namespace scorecard-test-ns --pod-security=restricted bundle/

Note: The operator I tested with was from the testdata and is under testdata/go/v3/memcached-operator

internal/cmd/operator-sdk/scorecard/cmd.go

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

acornett21 · 2023-02-23T22:17:52Z

@everettraven I can test this on Monday on OpenShift 4.12/4.13.

acornett21 · 2023-02-27T22:01:56Z

Tests Info Below for 4.12

oc version
Client Version: 4.8.11
Server Version: 4.12.3
Kubernetes Version: v1.25.4+a34b9e9

./operator-sdk scorecard --pod-security=restricted quay.io/opdev/simple-demo-operator-bundle:v0.0.6 --output json
{
  "kind": "TestList",
  "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  "items": [
    {
      "kind": "Test",
      "apiVersion": "scorecard.operatorframework.io/v1alpha3",
      "spec": {
        "image": "quay.io/operator-framework/scorecard-test:v1.12.0",
        "entrypoint": [
          "scorecard-test",
          "olm-bundle-validation"
        ],
        "labels": {
          "suite": "olm",
          "test": "olm-bundle-validation-test"
        },
        "storage": {
          "spec": {
            "mountPath": {}
          }
        }
      },
...
./operator-sdk scorecard --pod-security=restricted quay.io/opdev/simple-demo-operator-bundle:v0.0.6 --output json --namespace scorecard-test
{
  "kind": "TestList",
  "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  "items": [
    {
      "kind": "Test",
      "apiVersion": "scorecard.operatorframework.io/v1alpha3",
      "spec": {
        "image": "quay.io/operator-framework/scorecard-test:v1.12.0",
        "entrypoint": [
          "scorecard-test",
          "olm-status-descriptors"
        ],
        "labels": {
          "suite": "olm",
          "test": "olm-status-descriptors-test"
        },
        "storage": {
          "spec": {
            "mountPath": {}
          }
        }
      },
...

Tests for 4.13

 oc version
Client Version: 4.8.11
Server Version: 4.13.0-ec.3
Kubernetes Version: v1.26.0+9eb81c2

./operator-sdk scorecard --pod-security=restricted quay.io/opdev/simple-demo-operator-bundle:v0.0.6 --output json
{
  "kind": "TestList",
  "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  "items": [
    {
      "kind": "Test",
      "apiVersion": "scorecard.operatorframework.io/v1alpha3",
      "spec": {
        "image": "quay.io/operator-framework/scorecard-test:v1.12.0",
        "entrypoint": [
          "scorecard-test",
          "basic-check-spec"
        ],
        "labels": {
          "suite": "basic",
          "test": "basic-check-spec-test"
        },
        "storage": {
          "spec": {
            "mountPath": {}
          }
        }
      },
...
./operator-sdk scorecard --pod-security=restricted quay.io/opdev/simple-demo-operator-bundle:v0.0.6 --output json
{
  "kind": "TestList",
  "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  "items": [
    {
      "kind": "Test",
      "apiVersion": "scorecard.operatorframework.io/v1alpha3",
      "spec": {
        "image": "quay.io/operator-framework/scorecard-test:v1.12.0",
        "entrypoint": [
          "scorecard-test",
          "basic-check-spec"
        ],
        "labels": {
          "suite": "basic",
          "test": "basic-check-spec-test"
        },
        "storage": {
          "spec": {
            "mountPath": {}
          }
        }
      },

This looks good on both versions of OpenShift.

everettraven · 2023-02-28T13:56:57Z

@acornett21 Thanks for the verification!

/hold cancel

images/scorecard-storage/Dockerfile

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

oceanc80 · 2023-02-28T14:30:04Z

/lgtm

rashmigottipati

/lgtm

grokspawn · 2023-02-28T15:43:13Z

/approve

…erator-framework#6335) * add images for scorecard untar and storage Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * Add new images for scorecard and use them as the default untar and storage images to ensure that scorecard pods are fully compliant with restricted PSA. This is done by making the images run as non-root by default (sets the user to non-root in the Dockerfile) fixes operator-framework#6295 Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * update images & docs;add changelog Signed-off-by: Bryce Palmer <bpalmer@redhat.com> * add missing newline Signed-off-by: Bryce Palmer <bpalmer@redhat.com> --------- Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

everettraven added 2 commits February 15, 2023 15:44

add images for scorecard untar and storage

715f09f

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

openshift-ci bot requested review from anik120 and varshaprasad96 February 23, 2023 21:29

everettraven temporarily deployed to deploy February 23, 2023 21:29 — with GitHub Actions Inactive

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 23, 2023

everettraven commented Feb 23, 2023

View reviewed changes

internal/cmd/operator-sdk/scorecard/cmd.go Outdated Show resolved Hide resolved

everettraven commented Feb 23, 2023

View reviewed changes

internal/cmd/operator-sdk/scorecard/cmd.go Outdated Show resolved Hide resolved

update images & docs;add changelog

4ce0939

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

everettraven temporarily deployed to deploy February 23, 2023 22:12 — with GitHub Actions Inactive

everettraven temporarily deployed to deploy February 23, 2023 22:13 — with GitHub Actions Inactive

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 28, 2023

acornett21 reviewed Feb 28, 2023

View reviewed changes

images/scorecard-storage/Dockerfile Outdated Show resolved Hide resolved

add missing newline

eaeaa67

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

everettraven temporarily deployed to deploy February 28, 2023 14:18 — with GitHub Actions Inactive

everettraven temporarily deployed to deploy February 28, 2023 14:19 — with GitHub Actions Inactive

everettraven temporarily deployed to deploy February 28, 2023 14:20 — with GitHub Actions Inactive

openshift-ci bot assigned oceanc80 Feb 28, 2023

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 28, 2023

rashmigottipati approved these changes Feb 28, 2023

View reviewed changes

openshift-ci bot assigned rashmigottipati Feb 28, 2023

grokspawn added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 28, 2023

acornett21 approved these changes Feb 28, 2023

View reviewed changes

everettraven merged commit c57ebf9 into operator-framework:master Feb 28, 2023

tonyskapunk mentioned this pull request Apr 7, 2023

[scorecard] Default store and untar images using tags in a disconnected environment #6392

Closed

tkrishtop mentioned this pull request May 3, 2023

Operator-sdk 1.28.1 uses non-existing storage digest because the new release procedure rebuilds storage image #6417

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(scorecard): Add new images for default untar and storage options #6335

(scorecard): Add new images for default untar and storage options #6335

everettraven commented Feb 23, 2023

everettraven commented Feb 23, 2023 •

edited

Loading

everettraven commented Feb 23, 2023

acornett21 commented Feb 23, 2023

acornett21 commented Feb 27, 2023

everettraven commented Feb 28, 2023

oceanc80 commented Feb 28, 2023

rashmigottipati left a comment

grokspawn commented Feb 28, 2023

(scorecard): Add new images for default untar and storage options #6335

(scorecard): Add new images for default untar and storage options #6335

Conversation

everettraven commented Feb 23, 2023

everettraven commented Feb 23, 2023 • edited Loading

everettraven commented Feb 23, 2023

acornett21 commented Feb 23, 2023

acornett21 commented Feb 27, 2023

everettraven commented Feb 28, 2023

oceanc80 commented Feb 28, 2023

rashmigottipati left a comment

Choose a reason for hiding this comment

grokspawn commented Feb 28, 2023

everettraven commented Feb 23, 2023 •

edited

Loading