Run the secrets-provider with a limited user instead of with root #95
Conversation
sigalsax
commented
May 24, 2020
sigalsax
commented
- A container running as root is not a good security practice so this should be avoided
- Add group permissions in Conjur directories to avoid UID mismatch upon deploying to Openshift
Dockerfile
Outdated
| CMD ["secrets-provider"] | ||
| COPY --from=secrets-provider-builder /opt/secrets-provider-for-k8s/secrets-provider /usr/local/bin/ | ||
|
|
||
| ENTRYPOINT [ "/usr/local/bin/secrets-provider"] |
Dockerfile
Outdated
| @@ -3,7 +3,7 @@ MAINTAINER CyberArk Software, Ltd. | |||
|
|
|||
| ENV GOOS=linux \ | |||
| GOARCH=amd64 \ | |||
| CGO_ENABLED=0 | |||
| CGO_ENABLED=1 | |||
There was a problem hiding this comment.
why do we need cgo_enabled? are you sure it is required?
There was a problem hiding this comment.
I am not sure about this one. Other projects used it compile source code in Go and C
There was a problem hiding this comment.
do you think we need this offering here?
There was a problem hiding this comment.
please don't enable cgo if we don't have to. if the build passes without it then leave it like that.
Dockerfile
Outdated
| CMD ["secrets-provider"] | ||
| COPY --from=secrets-provider-builder /opt/secrets-provider-for-k8s/secrets-provider /usr/local/bin/ | ||
|
|
||
| ENTRYPOINT [ "/usr/local/bin/secrets-provider"] |
There was a problem hiding this comment.
why did you change from CMD to ENTRYPOINT? can you challenge this?
There was a problem hiding this comment.
CMD sets default command and can be overwritten from command line when docker container runs (with docker run -it <image> bash). ENTRYPOINT command and parameters will not be overwritten from command line. So I guess in our case it doesn't really matter but thought I would go with a command that cannot be overwritten
There was a problem hiding this comment.
I didn't want secrets-provider to be overridden but CMD is safer...
Dockerfile
Outdated
| @@ -23,7 +23,7 @@ RUN go build -a -installsuffix cgo -o secrets-provider ./cmd/secrets-provider | |||
| FROM busybox | |||
|
|
|||
| # =================== MAIN CONTAINER =================== | |||
| FROM scratch as secrets-provider | |||
| FROM alpine:3.8 as secrets-provider | |||
There was a problem hiding this comment.
why do we use 3.8? why not latest? why not a newer version?
i'm not saying it's incorrect, just want to verify you put thought into it and chose the best one.
There was a problem hiding this comment.
good point. i did it for uniformity across projects but 3.11 is available and the local build passes so I will use that one
|
i actually prefer the title |
sigalsax
changed the title
|
@sigalsax please add a changelog entry for this change. |
Dockerfile
Outdated
|
|
||
| ENV GOOS=linux \ | ||
| GOARCH=amd64 \ | ||
| CGO_ENABLED=0 |
There was a problem hiding this comment.
why was this removed? it should still be here (although it's the default value, it's best to have it for explicitness)
| @@ -23,8 +22,8 @@ RUN go build -a -installsuffix cgo -o secrets-provider ./cmd/secrets-provider | |||
| FROM busybox | |||
|
|
|||
| # =================== MAIN CONTAINER =================== | |||
| FROM scratch as secrets-provider | |||
| MAINTAINER CyberArk Software, Ltd. | |||
| FROM alpine:3.11 as secrets-provider | |||
There was a problem hiding this comment.
because I don't like the idea of automatically pulling latest for the same reason you thought; risky. But open to latest if you think this is the way to go
There was a problem hiding this comment.
i think that our nightly automation is good enough but i can live with 3.11.
Dockerfile
Outdated
|
|
||
| COPY --from=secrets-provider-builder /opt/secrets-provider-for-k8s/secrets-provider /usr/local/bin/ | ||
|
|
||
| CMD [ "/usr/local/bin/secrets-provider"] |
There was a problem hiding this comment.
so CMD is better than ENTRYPOINT? it seemed that the latter is safer from your previous explanation.
There was a problem hiding this comment.
CMD can be overriden and ENTRYPOINT cannot. What do you mean by "Safer"?
- A container running as root is not a good security practice so this should be avoided - Add group permissions in Conjur directories to avoid UID mismatch upon deploying to Openshift
- Removes the , before Ltd.
