adding non root user and ore secure settings for contianer

warroyo · Nov 13, 2020 · c51d3bc · c51d3bc
1 parent 1a89504
commit c51d3bc
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 25 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -2,11 +2,12 @@ FROM photon:3.0
 
 COPY proxy.sh /proxy.sh
 
-RUN tdnf update && tdnf install -y jq openssh-clients && \
+RUN tdnf update -y && tdnf install -y jq openssh-clients shadow && \
     curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl" && \
     chmod +x ./kubectl && \
     mv ./kubectl /usr/local/bin/kubectl && \
-    chmod +x /proxy.sh
+    chmod +x /proxy.sh && \
+    groupadd inject && useradd -G inject inject
 
 ENTRYPOINT [ "/proxy.sh" ]
 

diff --git a/install.sh b/install.sh
@@ -32,8 +32,16 @@ set +e
 
 NUM=5
 ip=${sv_ip}
+success=0
 for i in $(seq 1 $NUM);
 do
+echo "checking if ip is in use"
+if nc -z $ip 22 2>/dev/null; then
+    echo "$ip is up"
+else
+    echo "$ip is not in use skipping"
+    continue
+fi
 echo "copying image tar to ${ip}"
 sshpass -p "${sv_pass}" scp -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ./proxy-inject.tar.gz root@"${ip}":./proxy-inject.tar.gz >> /dev/null
 if [ $? -eq 0 ] ;
@@ -61,13 +69,20 @@ sshpass -p "${sv_pass}" ssh -t -q -o StrictHostKeyChecking=no -o UserKnownHostsF
 rm ./proxy-inject.tar.gz
 EOF
 ip=$(nextip $ip)
+success=$((success+1))
 done
 
+if [ $success -lt 4 ];
+then
+      echo "unable to upload image to all SV VMs please check their connectivity"
+      exit 2
+fi
+
 manifest=./manifest-nsxt.yml
 if [ "${NETWORK}" = "VSPHERE_NETWORK" ];
 then
-echo "using VDS networking"
-manifest=./manifest-vds.yml
+      echo "using VDS networking"
+      manifest=./manifest-vds.yml
 fi
 
 echo "injecting environment vars into manifest file"

diff --git a/manifest-vds.yml b/manifest-vds.yml
@@ -1,3 +1,28 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: proxy-inject
+spec:
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  privileged: false
+  runAsUser:
+    rule: MustRunAsNonRoot
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  hostNetwork: true
+  volumes:
+  - '*'
+---
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -18,6 +43,11 @@ rules:
     verbs:
       - get
       - list
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs:     ['use']
+    resourceNames:
+      - proxy-inject
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -52,8 +82,12 @@ spec:
         app: proxy-inject
     spec:
       serviceAccountName: internal-kubectl
+      securityContext:
+        runAsUser: 100
+        runAsGroup: 1000
+        fsGroup: 1000
       containers:
-      - image: docker-registry.kube-system.svc:5000/vmware/proxy-inject:1.2.0
+      - image: localhost:5000/vmware/proxy-inject:1.2.0
         imagePullPolicy: Always
         name: proxy-inject
         env:
@@ -72,23 +106,29 @@ spec:
           limits:
             memory: "256Mi"
             cpu: "500m"
-        dnsPolicy: ClusterFirst
-        hostNetwork: true
-        nodeSelector:
-          node-role.kubernetes.io/master: ""
-        tolerations:
-          - effect: NoSchedule
-            key: node-role.kubernetes.io/master
-            operator: Exists
-          - key: CriticalAddonsOnly
-            operator: Exists
-          - effect: NoExecute
-            key: node.alpha.kubernetes.io/notReady
-            operator: Exists
-          - effect: NoExecute
-            key: node.alpha.kubernetes.io/unreachable
-            operator: Exists
-          - effect: NoSchedule
-            key: kubeadmNode
-            operator: Equal
-            value: master
+        volumeMounts:
+          - mountPath: /tmp
+            name: tmp
+      volumes:
+      - emptyDir: {}
+        name: tmp
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoExecute
+          key: node.alpha.kubernetes.io/notReady
+          operator: Exists
+        - effect: NoExecute
+          key: node.alpha.kubernetes.io/unreachable
+          operator: Exists
+        - effect: NoSchedule
+          key: kubeadmNode
+          operator: Equal
+          value: master