-
Notifications
You must be signed in to change notification settings - Fork 3
Run as non-root, add security contexts #16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
48ce889
to
ae348f2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR enhances security by enforcing non-root execution across various pod deployments and adds corresponding security contexts and helper functions. Key changes include:
- Adding helper functions (BoolPtr and Int64Ptr) to simplify pointer creation for security settings.
- Updating pod creation functions (makePod, makeQperfPod, etc.) to include security contexts with non-root settings.
- Modifying Dockerfiles to run containers as non-root users.
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
Show a summary per file
File | Description |
---|---|
pkg/utils/k8s_utils.go | Added helper functions for pointer creation. |
pkg/ttfr/ttfr.go | Updated pod definitions with non-root security contexts. |
pkg/qperf/qperf.go | Revised pod creation (added testPort parameter and security context). |
pkg/iperf/iperf.go | Updated pod creation function signature and added security context. |
pkg/dnsperf/dnsperf.go | Adjusted pod command and added security context to pods and deployments. |
pkg/cluster/cluster_internal.go | Added security context to deployment pods for non-root execution. |
images/ttfr/Dockerfile | Updated to run container as non-root user. |
images/perf/Dockerfile | Enhanced image installation and switched to non-root user. |
images/nginx/Dockerfile | Changed base image and simplified configuration for non-root use. |
Comments suppressed due to low confidence (2)
pkg/dnsperf/dnsperf.go:314
- Appending ':8080' to the target in the command string assumes the DNSPerf service listens on port 8080; please confirm this endpoint update is intended for all environments.
cmd := fmt.Sprintf("%s %s:8080", cmdfrag, target)
pkg/iperf/iperf.go:282
- The makePod function signature now requires a port parameter; ensure that all invocations of this function are updated accordingly with a valid port value.
pod := makePod(nodename, namespace, podname, hostnet, image, cmd, port)
@@ -311,7 +311,7 @@ func runDNSPerfTest(ctx context.Context, srcPod *corev1.Pod, target string) (Cur | |||
result.Target = target | |||
result.Success = true | |||
cmdfrag := `curl -m 8 -w '{"time_lookup": %{time_namelookup}, "time_connect": %{time_connect}}\n' -s -o /dev/null` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit- can we rename this to something a little more self-explanatory?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To me, cmdfrag = command fragment. We then add on the target to this string fragment to make the final curl command that is run.
What would you suggest is more self-explanatory? cmdPrefix
maybe?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll merge this, we can change the variable name in another PR easily enough.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a nit otherwise LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Add security features to pods, to allow tests to work in restrictive environments.