Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add non-root user account to Pulumi image #653

Closed
EronWright opened this issue Sep 7, 2024 · 6 comments
Closed

Add non-root user account to Pulumi image #653

EronWright opened this issue Sep 7, 2024 · 6 comments
Assignees
@blampe @rquitales
Labels
kind/task Work that's part of an ongoing epic resolution/fixed This issue was fixed

Comments

@EronWright
Copy link
Contributor

For the pu/pu image to support non-root execution (a security best practice, and supported by PKOv2), we need to add a local user to the image.

Ideally we wouldn't have separate "nonroot" images (see the "distroless" images). Otherwise the defaulting logic would be more tricky.

One possibility is to add the local user as shown below but avoid using the USER instruction. I think that's sufficient for purposes of PKOv2, because the pod can apply a security context. The USER instruction seems to set the default, which might be considered a breaking change for existing users of the pu/pu image.

Here's an example of the Dockerfile commands:

ARG BASE_IMAGE=pulumi/pulumi:latest
FROM ${BASE_IMAGE}
ARG UID=1000
ARG GID=1000
RUN addgroup --gid $GID pulumi && \
    adduser --uid $UID --gid $GID --disabled-password --gecos "" pulumi && \
    echo 'pulumi ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
USER pulumi:pulumi

And an example of the pod security context:

  securityContext:
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
@EronWright EronWright converted this from a draft issue Sep 7, 2024
@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Sep 7, 2024
@cleverguy25
Copy link

Added to epic #586

@cleverguy25 cleverguy25 mentioned this issue Sep 7, 2024
Closed
5 tasks
@EronWright EronWright removed the needs-triage Needs attention from the triage team label Sep 7, 2024
@mikhailshilkov mikhailshilkov added the kind/task Work that's part of an ongoing epic label Sep 9, 2024
@EronWright

This comment has been minimized.

Sign in to view
@EronWright
Copy link
Contributor Author

EronWright commented Sep 25, 2024
edited
Loading

A nonroot variant of the kitchen sink image will be available soon:
pulumi/pulumi-docker-containers#277

I believe the remaining work on the PKO side is to use the correct default based on the security profile:

  • "restricted" - pulumi/pulumi:latest-nonroot
  • "baseline" - pulumi/pulumi:latest

Also remove the files in hack/rootless and remove the makefile target docker-rootless.

@EronWright EronWright assigned rquitales and unassigned julienp Sep 25, 2024
@julienp
Copy link

julienp commented Sep 26, 2024

The latest-nonroot tag is now published https://hub.docker.com/r/pulumi/pulumi/tags

@EronWright EronWright mentioned this issue Sep 26, 2024
Merged
@EronWright EronWright assigned blampe and rquitales and unassigned rquitales Sep 26, 2024
@rquitales rquitales mentioned this issue Sep 26, 2024
Merged
rquitales added a commit that referenced this issue Sep 26, 2024
@rquitales
[V2] Set default statefulset image based on securityProfile (#693)
88a213d 
### Proposed changes

This update removes the default CRD validation marker from the
`workspace.spec.image` field, allowing for dynamic image selection based
on the value of `workspace.spec.securityProfile`. When `securityProfile`
is set to `baseline`, the image defaults to `pulumi/pulumi:latest`. If
`securityProfile` is marked as `restricted`, the system will instead
select `pulumi/pulumi:latest-nonroot`. If a user specifies their own
image, then that value is used instead. Handling these default settings
within the controller is necessary, as CRD validation markers cannot
accommodate conditional defaults.

Before implementing this feature, additional ginkgo tests were
introduced to confirm that the desired behavior is properly achieved.

### Related issues (optional)

Closes: #653
@pulumi-bot pulumi-bot reopened this Sep 26, 2024
@pulumi-bot
Copy link
Contributor

Cannot close issue:

  • does not have required labels: resolution/

Please fix these problems and try again.

@rquitales rquitales added the resolution/fixed This issue was fixed label Sep 26, 2024
@rquitales
Copy link
Member

Resolved by #693, #692 and pulumi/pulumi-docker-containers#277.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@blampe blampe

@rquitales rquitales

Labels
kind/task Work that's part of an ongoing epic resolution/fixed This issue was fixed
Projects
No open projects
Pulumi Kubernetes Operator v2
Status: Done
Milestone
No milestone
Development

No branches or pull requests
7 participants
@julienp @blampe @mikhailshilkov @EronWright @cleverguy25 @rquitales @pulumi-bot