Closed muellermatthias closed 4 years ago
Hi,
I’ve rewritten the install.sh script in go and it seems to work with a distroless image then
package main
import "fmt"
import "io"
import "os"
import "time"
func main() {
target_dir := os.Getenv("TARGET_DIR")
if target_dir == "" {
fmt.Fprintf(os.Stderr, "Error: TARGET_DIR is not set\n")
os.Exit(1)
}
kv_vol_dir := fmt.Sprintf("%s/azure~kv", target_dir)
os.MkdirAll(kv_vol_dir, os.ModePerm)
target_kv := fmt.Sprintf("%s/kv", kv_vol_dir)
target_flexvol := fmt.Sprintf("%s/azurekeyvault-flexvolume", kv_vol_dir)
copy("/bin/kv", target_kv)
copy("/bin/azurekeyvault-flexvolume", target_flexvol)
os.Chmod(target_kv, 0777)
os.Chmod(target_flexvol, 0777)
for {
fmt.Printf("install done, daemonset sleeping\n")
time.Sleep(60 * time.Second)
}
}
func copy(src string, dst string) {
source, err := os.Open(src)
if err != nil {
fmt.Fprintf(os.Stderr, "Error: could not open file.")
os.Exit(2)
}
defer source.Close()
destination, err := os.Create(dst)
if err != nil {
fmt.Fprintf(os.Stderr, "Error: could not write file.")
os.Exit(2)
}
defer destination.Close()
io.Copy(destination, source)
}
FROM gcr.io/distroless/static
WORKDIR /bin
ADD ./kv /bin/kv
ADD ./azurekeyvault-flexvolume /bin/azurekeyvault-flexvolume
ADD ./install_kv /bin/install_kv
ENTRYPOINT ["/bin/install_kv"]
Test it with:
docker build -t banana .
docker run -e TARGET_DIR=/tmp/x -v /tmp/somedir:/tmp/x -u 1001 banana:latest
And it seems to work: the files appear on the host in /tmp/somedir
Would you be interested in merging something like this? Then I can try to integrate this in your CI configuration and create a PR.
Cheers, Constantin
Running the container as non-root doesn't seem to be possible at the moment as root-access is needed to copy the binaries to the host, see https://github.com/kubernetes/community/issues/4171#issuecomment-547182573
Describe the request Running containers in Kubernetes as root can be a security issue and should be avoided if possible (see https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/#8-run-containers-as-a-non-root-user). It should be possible to run the containers used for the Key Vault FlexVolume as non-root.
Explain why Key Vault FlexVolume needs it Key Vault FlexVolume would be more secure and it will also help some users of this project to meet their compliance.
Describe the solution you'd like The image should be changed so that the container will run as non-root by default.
This can be achieved by using a distroless image and adding
USER 65532
to the Dockerfile.Describe alternatives you've considered It's also possible to create a user in the Dockerfile and give him the required permissions to run the application.
Additional context