From df7e2d6c8dd39058a949c520ed692f81721734d6 Mon Sep 17 00:00:00 2001 From: yetone Date: Tue, 10 Jan 2023 04:02:02 +0000 Subject: [PATCH] f --- container_images/buildah/Dockerfile | 5 +++++ scripts/quick-install-yatai-image-builder.sh | 13 ++++++++++++- tests/e2e/installation_test.sh | 6 +++--- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/container_images/buildah/Dockerfile b/container_images/buildah/Dockerfile index 91f9604..a3f1ae3 100644 --- a/container_images/buildah/Dockerfile +++ b/container_images/buildah/Dockerfile @@ -7,6 +7,11 @@ RUN touch /etc/subgid /etc/subuid \ ENV BUILDAH_ISOLATION=chroot +ARG BENTO_USER=bentoml +ARG BENTO_USER_UID=1034 +ARG BENTO_USER_GID=1034 +RUN groupadd -g $BENTO_USER_GID -o $BENTO_USER && useradd -m -u $BENTO_USER_UID -g $BENTO_USER_GID -o -r $BENTO_USER + USER build WORKDIR /home/build diff --git a/scripts/quick-install-yatai-image-builder.sh b/scripts/quick-install-yatai-image-builder.sh index fe4bec8..e5b3412 100755 --- a/scripts/quick-install-yatai-image-builder.sh +++ b/scripts/quick-install-yatai-image-builder.sh @@ -140,7 +140,7 @@ echo "✅ cert-manager is working properly" helm repo add twuni https://helm.twun.io helm repo update twuni echo "🤖 installing docker-registry..." -helm upgrade --install docker-registry twuni/docker-registry -n ${namespace} +helm upgrade --install docker-registry ./helm/docker-registry -n ${namespace} echo "⏳ waiting for docker-registry to be ready..." kubectl -n ${namespace} wait --for=condition=ready --timeout=600s pod -l app=docker-registry @@ -155,6 +155,8 @@ metadata: namespace: ${namespace} labels: app: docker-private-registry-proxy + annotations: + openshift.io/scc: hostnetwork spec: selector: matchLabels: @@ -165,6 +167,10 @@ spec: labels: app: docker-private-registry-proxy spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - args: - tcp 
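Review bot: The account created by the new `RUN groupadd … && useradd …` line is not used by anything in this hunk — the `USER build` context line right after it still selects the pre-existing `build` user, so the image keeps running as `build` unless a later `USER $BENTO_USER` exists outside the hunk. The `-o` flag on both `groupadd` and `useradd` allows UID/GID 1034 to be shared with an account that already owns it, silently merging two identities; drop `-o` unless the collision is intended, so the build fails loudly instead. The `touch /etc/subgid /etc/subuid` in the hunk header suggests the image relies on rootless buildah, which needs a subuid/subgid range for whichever user runs it, and none is added for the new account — confirm whether one is expected. Quoting the expansions, `groupadd -g "$BENTO_USER_GID" "$BENTO_USER" && useradd -m -u "$BENTO_USER_UID" -g "$BENTO_USER_GID" -r "$BENTO_USER"`, also keeps build-arg values from word-splitting.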
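Review bot: The switch to `./helm/docker-registry` makes the install depend on the caller's working directory, because the path is relative and nothing in the hunk resolves it against the script's location; run from any other directory (or piped from a download, which a quick-install script invites) helm fails with a missing chart. Either resolve it once, e.g. `chart_dir=$(cd "$(dirname "$0")/.." && pwd)/helm/docker-registry` and `helm upgrade --install docker-registry "$chart_dir" -n "${namespace}"`, or state at the top of the script that it must be run from the repository root. With the chart now local, the `helm repo add twuni` and `helm repo update twuni` context lines above no longer contribute to the install and should be removed, or kept with a comment saying what still needs them.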
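Review bot: The added `openshift.io/scc: hostnetwork` annotation does not request or grant a Security Context Constraint; on OpenShift that annotation is written onto admitted pods by the SCC admission plugin to record which SCC matched, so placing it in the workload's top-level `metadata:` is informational at best. Access to the `hostnetwork` SCC is granted through RBAC on the service account the pod runs as (for example `oc adm policy add-scc-to-user hostnetwork -z <service-account>` or an equivalent Role/RoleBinding), and that binding is what the installer would have to create if the proxy needs host networking on OpenShift. Newer OpenShift releases also honour `openshift.io/required-scc` on the pod template to pin a specific SCC, but the service account still has to be allowed to use it. If the annotation is meant only as an operator hint, say so above it, e.g. `# informational: SCC access is granted via RBAC on the service account`.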
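Review bot: `runAsNonRoot: true` in the new pod-level `securityContext` is checked by the kubelet against the image's USER directive when no `runAsUser` is given; if the proxy image runs as root, or declares its user by name rather than numeric UID, every pod fails at container start with CreateContainerConfigError instead of being rejected up front. Pin an explicit UID next to it, `runAsUser: <non-root-uid>` (and `runAsGroup` if the proxy writes anything), using a UID the image actually supports. The image and its USER are not visible in this hunk, so confirm against the container spec that follows.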
@@ -181,6 +187,11 @@ spec: limits: cpu: 100m memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL EOF echo "⏳ waiting for docker-private-registry-proxy to be ready..." diff --git a/tests/e2e/installation_test.sh b/tests/e2e/installation_test.sh index d18cd27..afdaf31 100755 --- a/tests/e2e/installation_test.sh +++ b/tests/e2e/installation_test.sh @@ -2,12 +2,12 @@ set -xe -kubectl create ns yatai-system -kubectl create ns yatai-image-builder +kubectl create ns yatai-system || true +kubectl create ns yatai-image-builder || true kubectl create ns yatai || true echo "🚀 Creating AWS Secret Access Key..." -kubectl create secret generic aws-secret-access-key --from-literal=AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} --namespace yatai-image-builder +kubectl create secret generic aws-secret-access-key --from-literal=AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} --namespace yatai-image-builder || true echo "🚀 Installing yatai-image-builder..." YATAI_ENDPOINT='empty' USE_LOCAL_HELM_CHART=true UPGRADE_CRDS=false AWS_SECRET_ACCESS_KEY_EXISTING_SECRET_NAME=aws-secret-access-key AWS_SECRET_ACCESS_KEY_EXISTING_SECRET_KEY=AWS_SECRET_ACCESS_KEY bash ./scripts/quick-install-yatai-image-builder.sh echo "yatai-image-builder helm release values:"
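Review bot: `drop: - ALL` in the new container `securityContext` also removes NET_BIND_SERVICE, so if the proxy listens on a port below 1024 (the `tcp` argument and the hostnetwork annotation in the earlier hunks suggest a host-side listener, but the port is not visible here) the container will fail to bind once this lands; either use an unprivileged listen port or add `add: - NET_BIND_SERVICE` under `capabilities`. Since the container now runs without capabilities or privilege escalation, `readOnlyRootFilesystem: true` is the natural companion unless the proxy needs to write to its filesystem. The enclosing container spec starts before this hunk.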
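Review bot: The `|| true` appended to the `kubectl create secret generic aws-secret-access-key …` line turns every failure of that command into success, so a run where the secret already exists keeps the old value, and one where creation fails for another reason continues under `set -xe` as if it had worked; an idempotent form that also refreshes the value is `kubectl create secret generic aws-secret-access-key --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" --namespace yatai-image-builder --dry-run=client -o yaml | kubectl apply -f -`. That line also passes the key in argv while `set -xe` (context line at the top of the hunk) traces every command, so the secret value is printed into the test log; wrap the line in `set +x` … `set -x`, or supply the value from a file instead of `--from-literal`. A guard `: "${AWS_SECRET_ACCESS_KEY:?}"` before it would stop the run when the variable is unset, which `-e` alone does not. The same `|| true` on the two `kubectl create ns` lines is harmless for existing namespaces but would also hide an unreachable cluster until a later step fails confusingly; `kubectl create ns yatai-system --dry-run=client -o yaml | kubectl apply -f -` keeps the check.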