Skip to content

Run as non-root, add security contexts #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 30, 2025
Merged

Run as non-root, add security contexts #16

merged 1 commit into from
May 30, 2025

Conversation

lwr20
Copy link
Member

@lwr20 lwr20 commented May 30, 2025

Add security features to pods, to allow tests to work in restrictive environments.

@lwr20 lwr20 force-pushed the lwr-security-fixes branch 3 times, most recently from 48ce889 to ae348f2 Compare May 30, 2025 13:32
@lwr20 lwr20 force-pushed the lwr-security-fixes branch from ae348f2 to 69c63a8 Compare May 30, 2025 14:16
@lwr20 lwr20 requested a review from Copilot May 30, 2025 14:17
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances security by enforcing non-root execution across various pod deployments and adds corresponding security contexts and helper functions. Key changes include:

  • Adding helper functions (BoolPtr and Int64Ptr) to simplify pointer creation for security settings.
  • Updating pod creation functions (makePod, makeQperfPod, etc.) to include security contexts with non-root settings.
  • Modifying Dockerfiles to run containers as non-root users.

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file
File Description
pkg/utils/k8s_utils.go Added helper functions for pointer creation.
pkg/ttfr/ttfr.go Updated pod definitions with non-root security contexts.
pkg/qperf/qperf.go Revised pod creation (added testPort parameter and security context).
pkg/iperf/iperf.go Updated pod creation function signature and added security context.
pkg/dnsperf/dnsperf.go Adjusted pod command and added security context to pods and deployments.
pkg/cluster/cluster_internal.go Added security context to deployment pods for non-root execution.
images/ttfr/Dockerfile Updated to run container as non-root user.
images/perf/Dockerfile Enhanced image installation and switched to non-root user.
images/nginx/Dockerfile Changed base image and simplified configuration for non-root use.
Comments suppressed due to low confidence (2)

pkg/dnsperf/dnsperf.go:314

  • Appending ':8080' to the target in the command string assumes the DNSPerf service listens on port 8080; please confirm this endpoint update is intended for all environments.
cmd := fmt.Sprintf("%s %s:8080", cmdfrag, target)

pkg/iperf/iperf.go:282

  • The makePod function signature now requires a port parameter; ensure that all invocations of this function are updated accordingly with a valid port value.
pod := makePod(nodename, namespace, podname, hostnet, image, cmd, port)

@lwr20 lwr20 marked this pull request as ready for review May 30, 2025 14:19
@@ -311,7 +311,7 @@ func runDNSPerfTest(ctx context.Context, srcPod *corev1.Pod, target string) (Cur
result.Target = target
result.Success = true
cmdfrag := `curl -m 8 -w '{"time_lookup": %{time_namelookup}, "time_connect": %{time_connect}}\n' -s -o /dev/null`

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit- can we rename this to something a little more self-explanatory?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To me, cmdfrag = command fragment. We then add on the target to this string fragment to make the final curl command that is run.

What would you suggest is more self-explanatory? cmdPrefix maybe?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll merge this, we can change the variable name in another PR easily enough.

Copy link

@sujeet-kr sujeet-kr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a nit otherwise LGTM

@lwr20 lwr20 merged commit ba9032d into main May 30, 2025
6 checks passed
@lwr20 lwr20 deleted the lwr-security-fixes branch May 30, 2025 15:13
Copy link

@Glen-Tigera Glen-Tigera left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants