

Update: Run container as a non-root user (#154)
* Add yamllint config

* Update npm packages

* Set a security policy to run as the node user

* Update docker image build for non-root

* Discontinue use of npm-watch

* Fix resource yaml errors

* Limit volume mount permissions

* Update volume mount paths
adamkingit authored and alewitt2 committed Aug 10, 2020
1 parent 77b631c commit 281e70f
Showing 10 changed files with 2,258 additions and 2,583 deletions.
1 change: 1 addition & 0 deletions .dockerignore
Expand Up @@ -12,3 +12,4 @@ test/
kubernetes/
.env/
testdata/
.*
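Review bot: The new `.*` pattern excludes every dotfile and dot-directory at the root of the build context, which keeps `.git`, `.env` and editor state out of the image, but it also drops any dotfile the build itself may rely on, such as a project `.npmrc` that `npm install` would otherwise read; worth confirming nothing in the Dockerfile depends on one. With this pattern in place the existing `.env/` entry becomes redundant, which is harmless. A one-line comment above it, `# keep all root-level dotfiles (git metadata, local env, tool state) out of the image`, would record the intent.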
2 changes: 1 addition & 1 deletion .travis.yml
@@ -1,6 +1,6 @@
language: node_js
node_js:
- "11"
- "lts/*"

services:
- docker
8 changes: 8 additions & 0 deletions .yamllint
@@ -0,0 +1,8 @@
extends: relaxed

rules:
line-length:
max: 180
level: warning
empty-lines:
max: 1
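Review bot: `extends: relaxed` on line 50, as far as I recall that profile, switches off the `truthy` and `document-start` checks, so an unquoted `yes`/`no`/`on` slipping into the Kubernetes templates would not be reported, and `line-length` at `level: warning` never fails the run; if this file is meant to gate CI, add `truthy: enable` under `rules:` and decide whether line length should be an error. A short header comment, `# yamllint config: relaxed base, long lines tolerated for templated manifests`, would explain the choices to the next reader.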
24 changes: 13 additions & 11 deletions Dockerfile
Expand Up @@ -13,22 +13,24 @@
# See the License for the specific language governing permissions and
# limitations under the License.
################################################################################
FROM node:alpine as buildImg
FROM node:lts-alpine as buildImg

RUN apk update
RUN apk --no-cache add gnupg python make curl

RUN mkdir -p /usr/src/app
ENV PATH="$PATH:/usr/src/app"
WORKDIR /usr/src/app
COPY . /usr/src/app
USER node
WORKDIR /home/node

COPY --chown=node . /home/node
RUN npm install --production --loglevel=warn
RUN node -v

#######################################
# Build the production image
FROM node:lts-alpine

USER node
WORKDIR /home/node

FROM node:alpine
RUN apk add --upgrade --no-cache libssl1.1
RUN mkdir -p /usr/src/app
ENV PATH="$PATH:/usr/src/app"
WORKDIR /usr/src/app
COPY --from=buildImg /usr/src/app /usr/src/app
COPY --chown=node --from=buildImg /home/node /home/node
CMD ["npm", "start"]
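Review bot: In the production stage, `COPY --chown=node --from=buildImg /home/node /home/node` leaves the whole application tree, `node_modules` included, writable by the same `node` account the process runs as, so a compromised process can still rewrite its own code; unless something at runtime writes under `/home/node`, copying without `--chown` (root-owned, world-readable) while keeping `USER node` is the tighter arrangement, and it pairs naturally with `readOnlyRootFilesystem: true` in the Deployment. Both stages now track the floating `node:lts-alpine` tag, so two builds can resolve to different bases; pinning as `node:lts-alpine@sha256:<digest-placeholder>` makes the image reproducible. The old production stage's `RUN apk add --upgrade --no-cache libssl1.1` appears to be dropped rather than moved, which is consistent since it could not run after `USER node` anyway, but a line in the commit message saying so would help.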
5 changes: 5 additions & 0 deletions build/process-template.sh
Expand Up @@ -23,6 +23,11 @@ export TRAVIS_COMMIT
GIT_REMOTE="$(git remote get-url origin)"
export GIT_REMOTE

NODE_USER_ID="$(docker run -it node:lts-alpine /usr/bin/id -u node | tr -d '\r' | tr -d '\n')"
export NODE_USER_ID
NODE_GROUP_ID="$(docker run -it node:lts-alpine /usr/bin/id -g node | tr -d '\r' | tr -d '\n')"
export NODE_GROUP_ID

envsubst <"${THIS_DIR}/viewTemplate.json" >/tmp/view.json

npx mustache /tmp/view.json "${FILE}"
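Review bot: `docker run -it` on lines 102 and 104 requests a TTY, which fails on a non-interactive CI runner (docker refuses with a "not a TTY" error) and is the only reason the `tr -d '\r'` stripping is needed; the resulting values also reach the template unchecked, so an empty string or an error message would render `runAsUser:` as null and the Deployment would quietly fall back to the image's own user. Drop `-it` in favour of `--rm`, and refuse to export anything that is not a plain integer.
```shell
numeric_or_die() {
  case "$2" in ''|*[!0-9]*) echo "$1 is not a numeric id: '$2'" >&2; exit 1 ;; esac
}
NODE_USER_ID="$(docker run --rm node:lts-alpine id -u node)"
numeric_or_die NODE_USER_ID "$NODE_USER_ID"
NODE_GROUP_ID="$(docker run --rm node:lts-alpine id -g node)"
numeric_or_die NODE_GROUP_ID "$NODE_GROUP_ID"
export NODE_USER_ID NODE_GROUP_ID
# … unchanged: envsubst and mustache rendering …
```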
4 changes: 3 additions & 1 deletion build/viewTemplate.json
@@ -1,5 +1,7 @@
{
"TRAVIS_COMMIT": "${TRAVIS_COMMIT}",
"TRAVIS_TAG": "${TRAVIS_TAG}",
"GIT_REMOTE": "${GIT_REMOTE}"
"GIT_REMOTE": "${GIT_REMOTE}",
"NODE_USER_ID": "${NODE_USER_ID}",
"NODE_GROUP_ID": "${NODE_GROUP_ID}"
}
36 changes: 18 additions & 18 deletions kubernetes/watch-keeper/rbac.yaml
Expand Up @@ -3,7 +3,7 @@ kind: List
metadata:
name: watch-keeper-deployment
annotations:
version: "{{TRAVIS_COMMIT}}"
version: "{{{TRAVIS_COMMIT}}}"
type: array
items:
- apiVersion: v1
Expand All @@ -15,24 +15,24 @@ items:
deploy.razee.io/Reconcile: "false"
annotations:
razee.io/git-repo: "{{{GIT_REMOTE}}}"
razee.io/commit-sha: "{{TRAVIS_COMMIT}}"
razee.io/commit-sha: "{{{TRAVIS_COMMIT}}}"

- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-reader
annotations:
razee.io/git-repo: "{{{GIT_REMOTE}}}"
razee.io/commit-sha: "{{TRAVIS_COMMIT}}"
razee.io/commit-sha: "{{{TRAVIS_COMMIT}}}"
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs: ["get", "list", "watch"]
- nonResourceURLs:
- '*'
verbs: ["get", "list", "watch"]
- apiGroups:
- '*'
resources:
- '*'
verbs: ["get", "list", "watch"]
- nonResourceURLs:
- '*'
verbs: ["get", "list", "watch"]

- apiVersion: v1
kind: ServiceAccount
Expand All @@ -41,23 +41,23 @@ items:
namespace: razee
annotations:
razee.io/git-repo: "{{{GIT_REMOTE}}}"
razee.io/commit-sha: "{{TRAVIS_COMMIT}}"
razee.io/commit-sha: "{{{TRAVIS_COMMIT}}}"

- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: watch-keeper-rb
annotations:
razee.io/git-repo: "{{{GIT_REMOTE}}}"
razee.io/commit-sha: "{{TRAVIS_COMMIT}}"
razee.io/commit-sha: "{{{TRAVIS_COMMIT}}}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- kind: ServiceAccount
name: watch-keeper-sa
namespace: razee
- kind: ServiceAccount
name: watch-keeper-sa
namespace: razee

- kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
Expand All @@ -66,11 +66,11 @@ items:
namespace: razee
annotations:
razee.io/git-repo: "{{{GIT_REMOTE}}}"
razee.io/commit-sha: "{{TRAVIS_COMMIT}}"
razee.io/commit-sha: "{{{TRAVIS_COMMIT}}}"
spec:
podSelector:
matchLabels:
app: watch-keeper
policyTypes:
- Ingress
- Ingress
ingress: []
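Review bot: The `cluster-reader` ClusterRole in the second hunk still grants `get`/`list`/`watch` on `'*'` resources in `'*'` API groups, which lets the watch-keeper service account read every Secret in the cluster, and the commit only re-indents those lines; if the agent only needs to observe the resource kinds it is configured to watch, listing those kinds under `resources:` is the least-privilege form (RBAC has no deny rules, so `secrets` cannot be carved out of a wildcard otherwise). The `{{TRAVIS_COMMIT}}` to `{{{TRAVIS_COMMIT}}}` change is fine, and a one-line comment at the top of the template, `# triple braces: mustache must not HTML-escape substituted values`, would keep a later edit from regressing it.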
89 changes: 47 additions & 42 deletions kubernetes/watch-keeper/resource.yaml
Expand Up @@ -2,9 +2,9 @@ apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
version: "{{TRAVIS_COMMIT}}"
version: "{{{TRAVIS_COMMIT}}}"
razee.io/git-repo: "{{{GIT_REMOTE}}}"
razee.io/commit-sha: "{{TRAVIS_COMMIT}}"
razee.io/commit-sha: "{{{TRAVIS_COMMIT}}}"
name: watch-keeper
labels:
razee/watch-resource: "lite"
Expand All @@ -24,47 +24,52 @@ spec:
name: watch-keeper
spec:
serviceAccountName: watch-keeper-sa
securityContext:
runAsUser: {{{NODE_USER_ID}}}
runAsGroup: {{{NODE_GROUP_ID}}}
fsGroup: {{{NODE_GROUP_ID}}}
containers:
- env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_ENV
value: "production"
- name: KUBECONFIG
valueFrom:
configMapKeyRef:
name: watch-keeper-config
key: KUBECONFIG
optional: true
image: "quay.io/razee/watch-keeper:{{TRAVIS_TAG}}"
imagePullPolicy: Always
name: watch-keeper
resources:
limits:
memory: 500Mi
cpu: 400m
requests:
memory: 100Mi
cpu: 50m
livenessProbe:
exec:
command:
- sh/liveness.sh
initialDelaySeconds: 600
periodSeconds: 300
timeoutSeconds: 30
failureThreshold: 1
volumeMounts:
- name: watch-keeper-config
mountPath: /usr/src/app/envs/watch-keeper-config
- name: watch-keeper-secret
mountPath: /usr/src/app/envs/watch-keeper-secret
- name: razee-identity-config
mountPath: /usr/src/app/envs/razee-identity-config
- name: razee-identity-secret
mountPath: /usr/src/app/envs/razee-identity-secret
- env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_ENV
value: "production"
- name: KUBECONFIG
valueFrom:
configMapKeyRef:
name: watch-keeper-config
key: KUBECONFIG
optional: true
image: "quay.io/razee/watch-keeper:{{{TRAVIS_TAG}}}"
imagePullPolicy: Always
name: watch-keeper
resources:
limits:
memory: 500Mi
cpu: 400m
requests:
memory: 100Mi
cpu: 50m
livenessProbe:
exec:
command:
- sh/liveness.sh
initialDelaySeconds: 600
periodSeconds: 300
timeoutSeconds: 30
failureThreshold: 1
successThreshold: 1
volumeMounts:
- name: watch-keeper-config
mountPath: /home/node/envs/watch-keeper-config
- name: watch-keeper-secret
mountPath: /home/node/envs/watch-keeper-secret
- name: razee-identity-config
mountPath: /home/node/envs/razee-identity-config
- name: razee-identity-secret
mountPath: /home/node/envs/razee-identity-secret
volumes:
- name: watch-keeper-config
configMap:
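Review bot: The pod-level `securityContext` added in the second hunk sets `runAsUser`, `runAsGroup` and `fsGroup` but not `runAsNonRoot: true`, so nothing enforces the commit's intent: if `{{{NODE_USER_ID}}}` renders empty the key parses as null, the pod is still admitted, and it runs with whatever user the image declares. Add `runAsNonRoot: true` next to `runAsUser`, and a container-level `securityContext:` with `allowPrivilegeEscalation: false` and, if the app writes nowhere under `/home/node` other than the mounted `envs/` paths, `readOnlyRootFilesystem: true`. The ID fields are deliberately unquoted so they render as integers, which the API requires; a comment on line 229, `# bare integer, substituted by build/process-template.sh — do not quote`, would stop a well-meaning lint fix from breaking it.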
