feat: restricted security context

bentoml · Jan 8, 2023 · 1775f16 · 1775f16
1 parent 4dc695c
commit 1775f16
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 24 deletions.
diff --git a/bento-downloader/Dockerfile b/bento-downloader/Dockerfile
@@ -11,3 +11,13 @@ RUN curl https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud
     && tar -xf google-cloud-cli-410.tar.gz \
     && ./google-cloud-sdk/install.sh \
     && rm google-cloud-cli-410.tar.gz
+
+ARG USERNAME=yetone
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
+# Create the user
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+
+USER $USER_UID
diff --git a/bento-downloader/Makefile b/bento-downloader/Makefile
@@ -1,4 +1,4 @@
-IMAGE := quay.io/bentoml/bento-downloader:0.0.1
+IMAGE := quay.io/bentoml/bento-downloader:0.0.3
 
 build:
 	docker build -t ${IMAGE} .

diff --git a/controllers/resources/bentorequest_controller.go b/controllers/resources/bentorequest_controller.go
@@ -1200,6 +1200,17 @@ echo "Done"
 		})
 	}
 
+	restrictedSecurityContext := &corev1.SecurityContext{
+		AllowPrivilegeEscalation: pointer.BoolPtr(false),
+		RunAsNonRoot:             pointer.BoolPtr(true),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
+
 	initContainers := []corev1.Container{
 		{
 			Name:  "bento-downloader",
@@ -1209,9 +1220,10 @@ echo "Done"
 				"-c",
 				bentoDownloadCommand,
 			},
-			VolumeMounts: volumeMounts,
-			Resources:    downloaderContainerResources,
-			EnvFrom:      downloaderContainerEnvFrom,
+			VolumeMounts:    volumeMounts,
+			Resources:       downloaderContainerResources,
+			EnvFrom:         downloaderContainerEnvFrom,
+			SecurityContext: restrictedSecurityContext,
 		},
 	}
 
@@ -1329,9 +1341,10 @@ echo "Done"
 				"-c",
 				modelDownloadCommand,
 			},
-			VolumeMounts: volumeMounts,
-			Resources:    downloaderContainerResources,
-			EnvFrom:      downloaderContainerEnvFrom,
+			VolumeMounts:    volumeMounts,
+			Resources:       downloaderContainerResources,
+			EnvFrom:         downloaderContainerEnvFrom,
+			SecurityContext: restrictedSecurityContext,
 		})
 	}
 
@@ -1488,14 +1501,13 @@ echo "Done"
 			Privileged: pointer.BoolPtr(true),
 		}
 	} else if buildEngine == BentoImageBuildEngineBuildkitRootless {
-		kubeAnnotations["container.apparmor.security.beta.kubernetes.io/builder"] = "unconfined"
-		builderContainerSecurityContext = &corev1.SecurityContext{
-			SeccompProfile: &corev1.SeccompProfile{
-				Type: corev1.SeccompProfileTypeUnconfined,
-			},
-			RunAsUser:  pointer.Int64Ptr(1000),
-			RunAsGroup: pointer.Int64Ptr(1000),
+		kubeAnnotations["container.apparmor.security.beta.kubernetes.io/builder"] = "runtime/default"
+		for _, container := range initContainers {
+			kubeAnnotations[fmt.Sprintf("container.apparmor.security.beta.kubernetes.io/%s", container.Name)] = "runtime/default"
 		}
+		builderContainerSecurityContext = restrictedSecurityContext.DeepCopy()
+		builderContainerSecurityContext.RunAsUser = pointer.Int64Ptr(1000)
+		builderContainerSecurityContext.RunAsGroup = pointer.Int64Ptr(1000)
 	}
 
 	// add build args to pass via --build-arg
@@ -1614,6 +1626,12 @@ echo "Done"
 			Containers: []corev1.Container{
 				container,
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: pointer.BoolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 		},
 	}
 

diff --git a/helm/yatai-image-builder/values.yaml b/helm/yatai-image-builder/values.yaml
@@ -27,16 +27,16 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 service:
   type: ClusterIP
@@ -96,7 +96,7 @@ aws:
   secretAccessKeyExistingSecretKey: ''
 
 internalImages:
-  bentoDownloader: quay.io/bentoml/bento-downloader:0.0.1
+  bentoDownloader: quay.io/bentoml/bento-downloader:0.0.3
   kaniko: quay.io/bentoml/kaniko:1.9.1
   buildkit: quay.io/bentoml/buildkit:master
   buildkitRootless: quay.io/bentoml/buildkit:master-rootless