Run as non-root, add security contexts #16
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lwr20
force-pushed
the
lwr-security-fixes
branch
3 times, most recently
from
48ce889 to
ae348f2
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR enhances security by enforcing non-root execution across various pod deployments and adds corresponding security contexts and helper functions. Key changes include:
- Adding helper functions (BoolPtr and Int64Ptr) to simplify pointer creation for security settings.
- Updating pod creation functions (makePod, makeQperfPod, etc.) to include security contexts with non-root settings.
- Modifying Dockerfiles to run containers as non-root users.
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/utils/k8s_utils.go | Added helper functions for pointer creation. |
| pkg/ttfr/ttfr.go | Updated pod definitions with non-root security contexts. |
| pkg/qperf/qperf.go | Revised pod creation (added testPort parameter and security context). |
| pkg/iperf/iperf.go | Updated pod creation function signature and added security context. |
| pkg/dnsperf/dnsperf.go | Adjusted pod command and added security context to pods and deployments. |
| pkg/cluster/cluster_internal.go | Added security context to deployment pods for non-root execution. |
| images/ttfr/Dockerfile | Updated to run container as non-root user. |
| images/perf/Dockerfile | Enhanced image installation and switched to non-root user. |
| images/nginx/Dockerfile | Changed base image and simplified configuration for non-root use. |
Comments suppressed due to low confidence (2)
pkg/dnsperf/dnsperf.go:314
- Appending ':8080' to the target in the command string assumes the DNSPerf service listens on port 8080; please confirm this endpoint update is intended for all environments.
cmd := fmt.Sprintf("%s %s:8080", cmdfrag, target)
pkg/iperf/iperf.go:282
- The makePod function signature now requires a port parameter; ensure that all invocations of this function are updated accordingly with a valid port value.
pod := makePod(nodename, namespace, podname, hostnet, image, cmd, port)
sujeet-kr
reviewed
May 30, 2025
| @@ -311,7 +311,7 @@ func runDNSPerfTest(ctx context.Context, srcPod *corev1.Pod, target string) (Cur | |||
| result.Target = target | |||
| result.Success = true | |||
| cmdfrag := `curl -m 8 -w '{"time_lookup": %{time_namelookup}, "time_connect": %{time_connect}}\n' -s -o /dev/null` | |||
There was a problem hiding this comment.
nit- can we rename this to something a little more self-explanatory?
There was a problem hiding this comment.
To me, cmdfrag = command fragment. We then add on the target to this string fragment to make the final curl command that is run.
What would you suggest is more self-explanatory? cmdPrefix maybe?
There was a problem hiding this comment.
I'll merge this, we can change the variable name in another PR easily enough.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add security features to pods, to allow tests to work in restrictive environments.