Merge pull request #129 from secureCodeBox/security-contexts

Add securityContexts to secureCodeBox Components

Author: nigthknight

hook-sdk/nodejs/Dockerfile

@@ -5,10 +5,10 @@ RUN npm ci --production
 
 FROM node:12-alpine
 ARG NODE_ENV
-RUN addgroup -S app && adduser app -S -G app
+RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app
 WORKDIR /home/app/hook-wrapper/
 COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./hook-wrapper.js ./hook-wrapper.js
-USER app
+USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
-ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]
+ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]

lurcher/Dockerfile

@@ -20,6 +20,5 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o lurcher
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/lurcher .
-USER nonroot:nonroot
 
 ENTRYPOINT ["/lurcher"]

operator/Dockerfile

@@ -28,6 +28,5 @@ ENV TELEMETRY_ENABLED "true"
 
 WORKDIR /
 COPY --from=builder /workspace/manager .
-USER nonroot:nonroot
 
 ENTRYPOINT ["/manager"]

operator/README.md

@@ -24,7 +24,7 @@ helm install securecodebox-operator secureCodeBox/operator
 | image.pullPolicy | string | `"Always"` | Image pull policy |
 | image.repository | string | `"docker.io/securecodebox/operator"` | The operator image repository |
 | image.tag | string | defaults to the charts version | Parser image tag |
-| lurcher.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| lurcher.image.pullPolicy | string | `"Always"` | Image pull policy |
 | lurcher.image.repository | string | `"docker.io/securecodebox/lurcher"` | The operator image repository |
 | lurcher.image.tag | string | defaults to the charts version | Parser image tag |
 | minio.defaultBucket.enabled | bool | `true` |  |
@@ -38,5 +38,10 @@ helm install securecodebox-operator secureCodeBox/operator
 | s3.port | string | `nil` |  |
 | s3.secretAttributeNames.accesskey | string | `"accesskey"` |  |
 | s3.secretAttributeNames.secretkey | string | `"secretkey"` |  |
+| securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
+| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the operator container. They are not required |
+| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privileged mode |
+| securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system |
+| securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user |
 | telemetryEnabled | bool | `true` | The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry |
 

operator/controllers/execution/scans/hook_reconciler.go

@@ -362,6 +362,8 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 	labels["securecodebox.io/hook-name"] = hook.Name
 
 	var backOffLimit int32 = 3
+	truePointer := true
+	falsePointer := false
 	job := &batch.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations:  make(map[string]string),
@@ -388,7 +390,7 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 							Image:           hook.Spec.Image,
 							Args:            cliArgs,
 							Env:             append(hook.Spec.Env, standardEnvVars...),
-							ImagePullPolicy: "IfNotPresent",
+							ImagePullPolicy: "Always",
 							Resources: corev1.ResourceRequirements{
 								Requests: corev1.ResourceList{
 									corev1.ResourceCPU:    resource.MustParse("200m"),
@@ -399,6 +401,15 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 									corev1.ResourceMemory: resource.MustParse("200Mi"),
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								RunAsNonRoot:             &truePointer,
+								AllowPrivilegeEscalation: &falsePointer,
+								ReadOnlyRootFilesystem:   &truePointer,
+								Privileged:               &falsePointer,
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"all"},
+								},
+							},
 						},
 					},
 				},

operator/controllers/execution/scans/parse_reconciler.go

@@ -80,6 +80,8 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 	labels["securecodebox.io/job-type"] = "parser"
 	automountServiceAccountToken := true
 	var backOffLimit int32 = 3
+	truePointer := true
+	falsePointer := false
 	job := &batch.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations:  make(map[string]string),
@@ -133,6 +135,15 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 									corev1.ResourceMemory: resource.MustParse("200Mi"),
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								RunAsNonRoot:             &truePointer,
+								AllowPrivilegeEscalation: &falsePointer,
+								ReadOnlyRootFilesystem:   &truePointer,
+								Privileged:               &falsePointer,
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"all"},
+								},
+							},
 						},
 					},
 					AutomountServiceAccountToken: &automountServiceAccountToken,

operator/controllers/execution/scans/scan_reconciler.go

@@ -221,6 +221,9 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 		return nil, fmt.Errorf("Unknown imagePull Policy for lurcher: %s", lurcherPullPolicyRaw)
 	}
 
+	falsePointer := false
+	truePointer := true
+
 	lurcherSidecar := &corev1.Container{
 		Name:            "lurcher",
 		Image:           lurcherImage,
@@ -260,6 +263,15 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 				ReadOnly:  true,
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			RunAsNonRoot:             &truePointer,
+			AllowPrivilegeEscalation: &falsePointer,
+			ReadOnlyRootFilesystem:   &truePointer,
+			Privileged:               &falsePointer,
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"all"},
+			},
+		},
 	}
 
 	job.Spec.Template.Spec.Containers = append(job.Spec.Template.Spec.Containers, *lurcherSidecar)

operator/templates/manager/manager.yaml

@@ -77,4 +77,6 @@ spec:
               value: {{ .Values.lurcher.image.pullPolicy }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
       terminationGracePeriodSeconds: 10

operator/values.yaml

@@ -14,6 +14,20 @@ image:
   # image.pullPolicy -- Image pull policy
   pullPolicy: Always
 
+securityContext:
+  # securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user
+  runAsNonRoot: true
+  # securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
+  readOnlyRootFilesystem: true
+  # securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
+  allowPrivilegeEscalation: false
+  # securityContext.privileged -- Ensures that the operator container is not run in privileged mode
+  privileged: false
+  capabilities:
+    drop:
+      # securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
+      - all
+
 lurcher:
   image:
     # lurcher.image.repository -- The operator image repository
@@ -22,7 +36,7 @@ lurcher:
     # @default -- defaults to the charts version
     tag: null
     # lurcher.image.pullPolicy -- Image pull policy
-    pullPolicy: IfNotPresent
+    pullPolicy: Always
 
 minio:
   # minio.enabled Enable this to use minio as storage backend instead of a cloud bucket provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc.

parser-sdk/nodejs/Dockerfile

@@ -5,10 +5,10 @@ RUN npm ci --production
 
 FROM node:12-alpine
 ARG NODE_ENV
-RUN addgroup -S app && adduser app -S -G app
+RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app
 WORKDIR /home/app/parser-wrapper/
 COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./parser-wrapper.js ./parser-wrapper.js
-USER app
+USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
-ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]
+ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]