Posted to commits@camel.apache.org by pc...@apache.org on 2023/05/24 07:42:14 UTC
[camel-k] branch main updated: feat(core): Fix Operator and Builder Pod user as non root 1000
This is an automated email from the ASF dual-hosted git repository.
pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git
The following commit(s) were added to refs/heads/main by this push:
new 827202632 feat(core): Fix Operator and Builder Pod user as non root 1000
827202632 is described below
commit 8272026321f79a8bedfdacf357c806210338888c
Author: Gaelle Fournier <ga...@gmail.com>
AuthorDate: Tue May 23 18:10:35 2023 +0200
feat(core): Fix Operator and Builder Pod user as non root 1000
* Dockerfile: sets the group of the folders used for dependencies to 1000
* Force 1000 as User ID/ Group ID/FS Group ID to be coherent with the one declared in Dockerfile
* Use 1000 on volume to ensure dependencies from camel-k-runtime can be added
---
build/Dockerfile | 6 ++++--
pkg/controller/build/build_pod.go | 8 +++++---
pkg/install/operator.go | 8 ++++++++
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/build/Dockerfile b/build/Dockerfile
index 3b3aeb882..6dfd82949 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -35,7 +35,7 @@ RUN tar -xC ${MVNW_DIR} -f ${MVNW_DIR}mvnw.tar \
# Used by mvnw to download maven dist into it
ENV MAVEN_USER_HOME="${MAVEN_HOME}"
# Install a default mvnw distribution at build time and prepare the config for formatting log
-RUN ${MVNW_DIR}/mvnw --version | grep "Maven home:" | sed 's/Maven home: //' >> ${MVNW_DIR}default \
+RUN ${MVNW_DIR}mvnw --version | grep "Maven home:" | sed 's/Maven home: //' >> ${MVNW_DIR}default \
&& cp -r /usr/share/maven/lib/. $(cat ${MVNW_DIR}default)/lib \
&& rm $(cat ${MVNW_DIR}default)/lib/maven-slf4j-provider*
ENV MAVEN_OPTS="${MAVEN_OPTS} -Dlogback.configurationFile=${MAVEN_HOME}/conf/logback.xml"
@@ -44,8 +44,10 @@ ADD build/_maven_output /tmp/local/m2
ADD build/_kamelets /kamelets
RUN mkdir -p /etc/maven/m2 \
- && chgrp -R 0 /etc/maven/m2 \
+ && chgrp -R 1000 /etc/maven/m2 \
&& chmod -R g=u /etc/maven/m2 \
+ && chgrp -R 1000 /tmp/local/m2 \
+ && chmod -R g=u /tmp/local/m2 \
&& chgrp -R 0 /kamelets \
&& chmod -R g=u /kamelets \
&& chgrp -R 0 ${MAVEN_HOME} \
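Review bot: The group change stops at /tmp/local/m2: the two lines that follow still `chgrp -R 0` /kamelets and ${MAVEN_HOME}, so once the builder pod runs as UID/GID 1000 (pkg/controller/build/build_pod.go in this commit) and is presumably no longer a member of group 0, the `g=u` grants on those two trees no longer apply to the process and it falls back to "other" permissions. If the builder only reads them that is harmless, but it should be stated, e.g. `# /kamelets and ${MAVEN_HOME} stay group 0 on purpose: the builder (UID/GID 1000) only reads them`; if it writes there, switch them to 1000 like the m2 trees. The RUN instruction that starts at `mkdir -p /etc/maven/m2` continues past the hunk.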
diff --git a/pkg/controller/build/build_pod.go b/pkg/controller/build/build_pod.go
index 88c35d078..11f5d8e1b 100644
--- a/pkg/controller/build/build_pod.go
+++ b/pkg/controller/build/build_pod.go
@@ -114,6 +114,7 @@ var (
func newBuildPod(ctx context.Context, c ctrl.Reader, build *v1.Build) (*corev1.Pod, error) {
var ugfid int64 = 1000
+ var nonRoot bool = true
pod := &corev1.Pod{
TypeMeta: metav1.TypeMeta{
APIVersion: corev1.SchemeGroupVersion.String(),
@@ -131,9 +132,10 @@ func newBuildPod(ctx context.Context, c ctrl.Reader, build *v1.Build) (*corev1.P
ServiceAccountName: platform.BuilderServiceAccount,
RestartPolicy: corev1.RestartPolicyNever,
SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: &ugfid,
- RunAsGroup: &ugfid,
- FSGroup: &ugfid,
+ RunAsUser: &ugfid,
+ RunAsGroup: &ugfid,
+ FSGroup: &ugfid,
+ RunAsNonRoot: &nonRoot,
},
},
}
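Review bot: The added `var nonRoot bool = true` spells out a type the right-hand side already fixes; `nonRoot := true` is the form gofmt/staticcheck-clean code uses (the pre-existing `var ugfid int64 = 1000` above it has the same shape). The same literal 1000 and the same RunAsNonRoot flag are declared again in pkg/install/operator.go in this commit, and the message ties the value to the `chgrp -R 1000` in build/Dockerfile, so one exported constant (or a small helper returning the `*corev1.PodSecurityContext`) in a shared package would keep the three places from drifting. Pinning RunAsUser to a fixed UID may also be rejected by admission on clusters that enforce a per-namespace UID range (OpenShift's restricted SCC does this), which deserves a comment at the declaration such as `// UID/GID 1000 must match the chgrp in build/Dockerfile; clusters that allocate UIDs per namespace may refuse this pod`. newBuildPod's body continues past the hunk.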
diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index d3d78c27c..54c2a1af5 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
@@ -204,6 +204,14 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
d.Spec.Template.Spec.Containers[0].Args = append(d.Spec.Template.Spec.Containers[0].Args,
fmt.Sprintf("--health-port=%d", cfg.Health.Port))
d.Spec.Template.Spec.Containers[0].LivenessProbe.HTTPGet.Port = intstr.FromInt(int(cfg.Health.Port))
+ var ugfid int64 = 1000
+ var nonRoot bool = true
+ d.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
+ FSGroup: &ugfid,
+ RunAsGroup: &ugfid,
+ RunAsUser: &ugfid,
+ RunAsNonRoot: &nonRoot,
+ }
}
}
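Review bot: The assignment `d.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{` replaces the whole pod security context rather than filling in fields, so anything the operator Deployment loaded into `d` may already carry there (a seccomp profile, supplemental groups) would be dropped silently; if `d` can arrive with a non-nil SecurityContext, set the four fields on the existing struct instead, e.g. `if d.Spec.Template.Spec.SecurityContext == nil { d.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{} }` followed by the field assignments. The field order here (FSGroup, RunAsGroup, RunAsUser) differs from the one used in pkg/controller/build/build_pod.go (RunAsUser, RunAsGroup, FSGroup); matching it makes the two literals easy to compare. OperatorOrCollect starts before the hunk.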