feat: restricted security context

Author: yetone

bento-downloader/Dockerfile …ainer_images/bento-downloader/Dockerfilebento-downloader/Dockerfile renamed to container_images/bento-downloader/Dockerfile bento-downloader/Dockerfile renamed to container_images/bento-downloader/Dockerfile

@@ -11,3 +11,13 @@ RUN curl https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud
     && tar -xf google-cloud-cli-410.tar.gz \
     && ./google-cloud-sdk/install.sh \
     && rm google-cloud-cli-410.tar.gz
+
+ARG USERNAME=yetone
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
+# Create the user
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+
+USER $USER_UID:$USER_GID

bento-downloader/Makefile …ntainer_images/bento-downloader/Makefilebento-downloader/Makefile renamed to container_images/bento-downloader/Makefile bento-downloader/Makefile renamed to container_images/bento-downloader/Makefile

@@ -1,4 +1,4 @@
-IMAGE := quay.io/bentoml/bento-downloader:0.0.1
+IMAGE := quay.io/bentoml/bento-downloader:0.0.3
 
 build:
 	docker build -t ${IMAGE} .

container_images/buildah/Dockerfile

@@ -0,0 +1,16 @@
+FROM quay.io/buildah/stable:v1.23.1
+
+ARG BENTO_USER_UID=1034
+ARG BENTO_USER_GID=1034
+
+RUN touch /etc/subgid /etc/subuid \
+ && chmod g=u /etc/subgid /etc/subuid /etc/passwd \
+ && echo build:$BENTO_USER_UID:$BENTO_USER_GID > /etc/subuid \
+ && echo build:$BENTO_USER_UID:$BENTO_USER_GID > /etc/subgid
+
+# Use chroot since the default runc does not work when running rootless
+RUN echo "export BUILDAH_ISOLATION=chroot" >> /home/build/.bashrc
+
+USER $BENTO_USER_UID:$BENTO_USER_GID
+WORKDIR /home/build
+

container_images/buildah/Makefile

@@ -0,0 +1,5 @@
+IMAGE := quay.io/bentoml/bentoml-buildah:0.0.1
+
+build:
+	docker build -t ${IMAGE} .
+	docker push ${IMAGE}

controllers/resources/bentorequest_controller.go

@@ -1200,6 +1200,17 @@ echo "Done"
 		})
 	}
 
+	restrictedSecurityContext := &corev1.SecurityContext{
+		AllowPrivilegeEscalation: pointer.BoolPtr(false),
+		RunAsNonRoot:             pointer.BoolPtr(true),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
+
 	initContainers := []corev1.Container{
 		{
 			Name:  "bento-downloader",
@@ -1209,9 +1220,10 @@ echo "Done"
 				"-c",
 				bentoDownloadCommand,
 			},
-			VolumeMounts: volumeMounts,
-			Resources:    downloaderContainerResources,
-			EnvFrom:      downloaderContainerEnvFrom,
+			VolumeMounts:    volumeMounts,
+			Resources:       downloaderContainerResources,
+			EnvFrom:         downloaderContainerEnvFrom,
+			SecurityContext: restrictedSecurityContext,
 		},
 	}
 
@@ -1329,9 +1341,10 @@ echo "Done"
 				"-c",
 				modelDownloadCommand,
 			},
-			VolumeMounts: volumeMounts,
-			Resources:    downloaderContainerResources,
-			EnvFrom:      downloaderContainerEnvFrom,
+			VolumeMounts:    volumeMounts,
+			Resources:       downloaderContainerResources,
+			EnvFrom:         downloaderContainerEnvFrom,
+			SecurityContext: restrictedSecurityContext,
 		})
 	}
 
@@ -1488,14 +1501,11 @@ echo "Done"
 			Privileged: pointer.BoolPtr(true),
 		}
 	} else if buildEngine == BentoImageBuildEngineBuildkitRootless {
-		kubeAnnotations["container.apparmor.security.beta.kubernetes.io/builder"] = "unconfined"
-		builderContainerSecurityContext = &corev1.SecurityContext{
-			SeccompProfile: &corev1.SeccompProfile{
-				Type: corev1.SeccompProfileTypeUnconfined,
-			},
-			RunAsUser:  pointer.Int64Ptr(1000),
-			RunAsGroup: pointer.Int64Ptr(1000),
+		kubeAnnotations["container.apparmor.security.beta.kubernetes.io/builder"] = "runtime/default"
+		for _, container := range initContainers {
+			kubeAnnotations[fmt.Sprintf("container.apparmor.security.beta.kubernetes.io/%s", container.Name)] = "runtime/default"
 		}
+		builderContainerSecurityContext = restrictedSecurityContext.DeepCopy()
 	}
 
 	// add build args to pass via --build-arg
@@ -1614,6 +1624,12 @@ echo "Done"
 			Containers: []corev1.Container{
 				container,
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: pointer.BoolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 		},
 	}
 

go.mod

@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	github.com/aws/aws-sdk-go v1.44.152
-	github.com/bentoml/yatai-common v0.0.0-20230108151027-0a54d02e79b1
+	github.com/bentoml/yatai-common v0.0.0-20230109041943-798ca210a16d
 	github.com/bentoml/yatai-schemas v0.0.0-20221123041958-d3ff9b721451
 	github.com/huandu/xstrings v1.3.2
 	github.com/iancoleman/strcase v0.2.0

go.sum

@@ -77,8 +77,8 @@ github.com/aws/aws-sdk-go v1.44.152 h1:L9aaepO8wHB67gwuGD8VgIYH/cmQDxieCt7FeLa0+
 github.com/aws/aws-sdk-go v1.44.152/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
-github.com/bentoml/yatai-common v0.0.0-20230108151027-0a54d02e79b1 h1:VgN2DLopHoMaEVOiD8J4bZO0L1BGXLRSmNSs7GkfbHo=
-github.com/bentoml/yatai-common v0.0.0-20230108151027-0a54d02e79b1/go.mod h1:pox0XYk/bVUwKkadn0XwWHEbJmxSEeN3+HwGA4a8uOQ=
+github.com/bentoml/yatai-common v0.0.0-20230109041943-798ca210a16d h1:r+iumKOD+Ri4u2NggQYudjQurIYN2Rs0nOW48faSt9E=
+github.com/bentoml/yatai-common v0.0.0-20230109041943-798ca210a16d/go.mod h1:pox0XYk/bVUwKkadn0XwWHEbJmxSEeN3+HwGA4a8uOQ=
 github.com/bentoml/yatai-schemas v0.0.0-20221123041958-d3ff9b721451 h1:FNxCbN61Ev8ea6BXzlfmRUT5CYNmqlOv8zDRGs8ufVE=
 github.com/bentoml/yatai-schemas v0.0.0-20221123041958-d3ff9b721451/go.mod h1:q7tt064G8YIiAwQabKyVaKEdSIHYDQA9Oyt+kyCsflU=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=

helm/yatai-image-builder/values.yaml

@@ -27,16 +27,16 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 service:
   type: ClusterIP
@@ -96,7 +96,7 @@ aws:
   secretAccessKeyExistingSecretKey: ''
 
 internalImages:
-  bentoDownloader: quay.io/bentoml/bento-downloader:0.0.1
+  bentoDownloader: quay.io/bentoml/bento-downloader:0.0.3
   kaniko: quay.io/bentoml/kaniko:1.9.1
   buildkit: quay.io/bentoml/buildkit:master
   buildkitRootless: quay.io/bentoml/buildkit:master-rootless

tests/e2e/e2e_test.go

@@ -49,9 +49,9 @@ var _ = Describe("yatai-image-builder", Ordered, func() {
 		cmd = exec.Command("kubectl", "-n", "yatai-image-builder", "logs", "--tail", "200", "-l", "app.kubernetes.io/name=yatai-image-builder")
 		logs, _ = utils.Run(cmd)
 		fmt.Println(string(logs))
-		By("Cleaning up BentoRequest resources")
-		cmd = exec.Command("kubectl", "delete", "-f", "tests/e2e/example.yaml")
-		_, _ = utils.Run(cmd)
+		// By("Cleaning up BentoRequest resources")
+		// cmd = exec.Command("kubectl", "delete", "-f", "tests/e2e/example.yaml")
+		// _, _ = utils.Run(cmd)
 	})
 
 	Context("BentoRequest Operator", func() {