pulumi / pulumi-kubernetes-operator

A Kubernetes Operator that automates the deployment of Pulumi Stacks
Apache License 2.0

Add non-root user account to Pulumi image #653

Open EronWright opened 1 week ago

EronWright commented 1 week ago

For the pu/pu image to support non-root execution (a security best practice, and supported by PKOv2), we need to add a local user to the image.

Ideally we wouldn't have separate "nonroot" images (see the "distroless" images). Otherwise the defaulting logic would be more tricky.

One possibility is to add the local user as shown below but avoid using the USER instruction. I think that's sufficient for purposes of PKOv2, because the pod can apply a security context. The USER instruction seems to set the default, which might be considered a breaking change for existing users of the pu/pu image.

Here's an example of the Dockerfile commands:

ARG BASE_IMAGE=pulumi/pulumi:latest
FROM ${BASE_IMAGE}
ARG UID=1000
ARG GID=1000
RUN addgroup --gid $GID pulumi && \
    adduser --uid $UID --gid $GID --disabled-password --gecos "" pulumi && \
    echo 'pulumi ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
USER pulumi:pulumi

And an example of the pod security context:

  securityContext:
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
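
The two snippets above only work together if the UID and GID created in the image match what the pod requests. The sketch below is an added example, not part of the original issue or the operator's code: it checks that agreement and flags a `USER` instruction, the default-changing behaviour the comment raises. The helper names `parse_dockerfile` and `check` are hypothetical, and the inputs are constructed samples abridged from the issue.

```python
import re

# Constructed sample, abridged from the Dockerfile and securityContext in the issue.
DOCKERFILE = r"""ARG BASE_IMAGE=pulumi/pulumi:latest
FROM ${BASE_IMAGE}
ARG UID=1000
ARG GID=1000
RUN addgroup --gid $GID pulumi && \
    adduser --uid $UID --gid $GID --disabled-password --gecos "" pulumi
USER pulumi:pulumi
"""
SECURITY_CONTEXT = {"runAsUser": 1000, "runAsGroup": 1000, "runAsNonRoot": True}


def parse_dockerfile(text):
    """Return the uid/gid passed to adduser and the last USER instruction, if any."""
    text = text.replace("\\\n", " ")  # join backslash line continuations
    args = dict(re.findall(r"^ARG\s+(\w+)=(\S+)", text, re.M))

    def resolve(flag):
        m = re.search(rf"adduser\b.*?--{flag}\s+(\S+)", text)
        if not m:
            return None
        val = m.group(1)
        val = args.get(val.lstrip("$").strip("{}"), val)  # expand $UID or ${UID}
        return int(val) if val.isdigit() else None

    users = re.findall(r"^USER\s+(\S+)", text, re.M)
    return {"uid": resolve("uid"), "gid": resolve("gid"), "user": users[-1] if users else None}


def check(dockerfile, sc):
    """List mismatches between the user baked into the image and the pod securityContext."""
    img, findings = parse_dockerfile(dockerfile), []
    run_as, run_grp = sc.get("runAsUser"), sc.get("runAsGroup")
    if img["user"]:
        findings.append(f"USER {img['user']} changes the default user for all consumers of the image")
    if sc.get("runAsNonRoot") and run_as == 0:
        findings.append("runAsNonRoot is true but runAsUser is 0")
    if None not in (run_as, img["uid"]) and run_as != img["uid"]:
        findings.append(f"runAsUser {run_as} does not match uid {img['uid']} created in the image")
    if None not in (run_grp, img["gid"]) and run_grp != img["gid"]:
        findings.append(f"runAsGroup {run_grp} does not match gid {img['gid']} created in the image")
    if run_as is None and img["user"] is None:
        findings.append("no USER and no runAsUser: the container keeps the base image's default user")
    return findings


if __name__ == "__main__":
    for label, df in (("with USER", DOCKERFILE), ("without USER", DOCKERFILE.replace("USER pulumi:pulumi\n", ""))):
        print(label, "->", check(df, SECURITY_CONTEXT) or "consistent")
```

With the `USER` line dropped, as the comment proposes, the sample Dockerfile and security context produce no findings.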

cleverguy25 commented 1 week ago

Added to epic https://github.com/pulumi/pulumi-kubernetes-operator/issues/586

EronWright commented 3 days ago

TODO: add securityProfile to stack spec, to allow the workspace's profile to be configured, or expose a whole workspaceTemplate. Update: https://github.com/pulumi/pulumi-kubernetes-operator/pull/669