Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure Akri's Helm templates use the most restrictive settings suggested by Snyk report #547

Merged
merged 19 commits into from
Feb 23, 2023
Merged

Ensure Akri's Helm templates use the most restrictive settings suggested by Snyk report #547

merged 19 commits into from
Feb 23, 2023

Conversation

harrison-tin
Copy link
Collaborator

What this PR does / why we need it:
This PR explicitly sets more SecurityContext rather than using default in the helm templates, using Akri's Snyk report for guidance. The templates changed are:

  1. agent: added more securityContext
  2. controller: added more securityContext
  3. anomaly-detection-app: added more securityContext and resource limits
  4. video-streaming-app: added more securityContext and resource limits

Special notes for your reviewer:

If applicable:

  • this PR has an associated PR with documentation in akri-docs
  • this PR contains unit tests
  • added code adheres to standard Rust formatting (cargo fmt)
  • code builds properly (cargo build)
  • code is free of common mistakes (cargo clippy)
  • all Akri tests succeed (cargo test)
  • inline documentation builds (cargo doc)
  • all commits pass the DCO bot check by being signed off -- see the failing DCO check for instructions on how to retroactively sign commits

harrison-tin and others added 9 commits November 15, 2022 16:45
@harrison-tin
added extra casting for opc plc demo
de12210 
Signed-off-by: Harrison Tin <harrisontin@microsoft.com>
@github-actions
Update patch version
0fa7c46 
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@harrison-tin
Merge remote-tracking branch 'upstream/main'
eb3b1ba
@github-actions
Update patch version
9f9d2a2 
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@harrison-tin
update helm settings suggested by Snyk
931e43a 
Signed-off-by: Harrison Tin <harrisontin@microsoft.com>
@harrison-tin
merge upstream, more helm settings
a4272a4 
Signed-off-by: Harrison Tin <harrisontin@microsoft.com>
@harrison-tin
more helm settings
6b0d252 
Signed-off-by: Harrison Tin <harrisontin@microsoft.com>
@harrison-tin
agent requires running as root
dcd6f93 
Signed-off-by: Harrison Tin <harrisontin@microsoft.com>
@harrison-tin
fix merge issue
46a6709 
Signed-off-by: Harrison Tin <harrisontin@microsoft.com>
kate-goldenring
kate-goldenring requested changes Dec 31, 2022
View reviewed changes
Copy link
Contributor

@kate-goldenring kate-goldenring left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to open up the Agent as it needs privileged access. This requires running this workflow locally and inspecting kubelet logs for errors journalctl -fu kubelet

deployment/samples/akri-anomaly-detection-app.yaml Outdated Show resolved Hide resolved
deployment/helm/values.yaml Show resolved Hide resolved
jbpaux
jbpaux reviewed Jan 2, 2023
View reviewed changes
deployment/helm/values.yaml Outdated
# ensures container doesn't run with unnecessary priviledges
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests are failing because tests are writing a file in the agent pod:

akri/test/run-end-to-end.py

Line 106 in 47b4258

os.system('sudo {} exec -i {} -- /bin/sh -c "echo "OFFLINE" > /tmp/debug-echo-availability.txt"'.format(kubectl_cmd, shared_test_code.agent_pod_name))

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point! Maybe we add that file as a volume mount for the Pod during the test

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated the securityContext and removed readOnlyRootFilesystem

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure i understand how this was resolved. Looks like readOnlyRootFilesystem: true still exists which is ideal.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the above highlight is outdated? Here shows the updated security context for akri agent. I removed setting readOnlyRootFilesystem to true (followed what nvidia gpu device plugin did)

@harrison-tin
remove resource limit for sample
ff87b69 
Signed-off-by: Harrison Tin <harrisontin@microsoft.com>
@harrison-tin
revert change on agent's priviledges
3fae9b6 
Signed-off-by: Harrison Tin <harrisontin@microsoft.com>
@harrison-tin
Merge branch 'main' of https://github.com/project-akri/akri into main
66c2063
@harrison-tin
Merge branch 'main' into helm-settings
c32a5f3
@harrison-tin
change agent security context to follow nvidia gpu device plugin
c2a4459 
Signed-off-by: harrison <harrisontin@microsoft.com>
@harrison-tin
version patch
c87e5ce 
Signed-off-by: harrison <harrisontin@microsoft.com>
@harrison-tin
update version
12679c5 
Signed-off-by: harrisontin <harrisontin@microsoft.com>
@harrison-tin
remove resource limit for samples
b4ffc1c 
Signed-off-by: harrisontin <harrisontin@microsoft.com>
kate-goldenring
kate-goldenring approved these changes Feb 23, 2023
View reviewed changes
Copy link
Contributor

@kate-goldenring kate-goldenring left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for putting this together! We may want to do a round two at some point with the discovery handlers. If you pull in the latest from main, tests should pass. We may need to bump version depending on whether this goes in before #556

@harrison-tin harrison-tin merged commit c423c6e into project-akri:main Feb 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jbpaux jbpaux jbpaux left review comments

@kate-goldenring kate-goldenring kate-goldenring approved these changes

@bfjelds bfjelds Awaiting requested review from bfjelds bfjelds is a code owner

@jiria jiria Awaiting requested review from jiria jiria is a code owner

@Britel Britel Awaiting requested review from Britel Britel is a code owner

@romoh romoh Awaiting requested review from romoh romoh is a code owner

@adithyaj adithyaj Awaiting requested review from adithyaj adithyaj is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@harrison-tin @jbpaux @kate-goldenring