search

pulumi / pulumi-kubernetes-operator

A Kubernetes Operator that automates the deployment of Pulumi Stacks
Apache License 2.0
225 stars 54 forks source link

Add non-root user account to Pulumi image #653

Closed EronWright closed 1 month ago

EronWright commented 2 months ago

For the pu/pu image to support non-root execution (a security best practice, and supported by PKOv2), we need to add a local user to the image.

Ideally we wouldn't have separate "nonroot" images (see the "distroless" images). Otherwise the defaulting logic would be more tricky.

One possibility is to add the local user as shown below but avoid using the USER instruction. I think that's sufficient for purposes of PKOv2, because the pod can apply a security context. The USER instruction seems to set the default, which might be considered a breaking change for existing users of the pu/pu image.

Here's an example of the Dockerfile commands:

ARG BASE_IMAGE=pulumi/pulumi:latest
FROM ${BASE_IMAGE}
ARG UID=1000
ARG GID=1000
RUN addgroup --gid $GID pulumi && \
    adduser --uid $UID --gid $GID --disabled-password --gecos "" pulumi && \
    echo 'pulumi ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
USER pulumi:pulumi

And an example of the pod security context:

  securityContext:
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
cleverguy25 commented 2 months ago

Added to epic https://github.com/pulumi/pulumi-kubernetes-operator/issues/586

EronWright commented 1 month ago

TODO: add securityProfile to stack spec, to allow the workspace's profile to be configured, or expose a whole workspaceTemplate. Update: https://github.com/pulumi/pulumi-kubernetes-operator/pull/669

EronWright commented 1 month ago

A nonroot variant of the kitchen sink image will be available soon: https://github.com/pulumi/pulumi-docker-containers/pull/277

I believe the remaining work on the PKO side is to use the correct default based on the security profile:

Also remove the files in hack/rootless and remove the makefile target docker-rootless.

julienp commented 1 month ago

The latest-nonroot tag is now published https://hub.docker.com/r/pulumi/pulumi/tags

pulumi-bot commented 1 month ago

Cannot close issue:

Please fix these problems and try again.

rquitales commented 1 month ago

Resolved by #693, #692 and https://github.com/pulumi/pulumi-docker-containers/pull/277.