Remove admin privileges

* Remove admin priviliged rights: `anyuid` and `cluster-admin`. * Add uidwrapper to set a fixed username By default openshift runs as random user which get git < 2.0 confused and fail its operations. Use a wrapper around some containers (git-init/creds-init) to set a fixed uid. https://docs.okd.io/latest/creating_images/guidelines.html#openshift-specific-guidelines * Use some trickery for envsubst Envsubst is a stuborn whiny child who wants to subst our variables even tho we don't want to modify those. Since there is no way to exclude some variables, we have our beautiful DOLLAR string replacing the dollar and we sed 's//' it after that envsubst have done its dirty work. Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>
openshift · Apr 17, 2019 · 1d9ef22 · 1d9ef22
1 parent 5fa66cb
commit 1d9ef22
Show file tree

Hide file tree

Showing 7 changed files with 54 additions and 9 deletions.
diff --git a/Makefile b/Makefile
@@ -6,7 +6,7 @@ CORE_IMAGES=./cmd/bash ./cmd/controller ./cmd/entrypoint ./cmd/gsutil ./cmd/kube
 CORE_IMAGES_WITH_GIT=./cmd/creds-init ./cmd/git-init
 
 # Install core images
-install:
+install: installuidwrapper
 	go install $(CORE_IMAGES) $(CORE_IMAGES_WITH_GIT)
 .PHONY: install
 
@@ -20,3 +20,8 @@ generate-dockerfiles:
 	./openshift/ci-operator/generate-dockerfiles.sh openshift/ci-operator/Dockerfile.in openshift/ci-operator/knative-images $(CORE_IMAGES)
 	./openshift/ci-operator/generate-dockerfiles.sh openshift/ci-operator/Dockerfile-git.in openshift/ci-operator/knative-images $(CORE_IMAGES_WITH_GIT)
 .PHONY: generate-dockerfiles
+
+# NOTE(chmou): Install uidwraper for launching some binaries with fixed uid
+UIDWRAPPER_PATH=./openshift/ci-operator/uidwrapper
+installuidwrapper: $(UIDWRAPPER_PATH)
+	install -m755 $(UIDWRAPPER_PATH) $(GOPATH)/bin/
diff --git a/openshift/ci-operator/Dockerfile-git.in b/openshift/ci-operator/Dockerfile-git.in
@@ -1,7 +1,19 @@
 # Do not edit! This file was generated via Makefile
 FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base
 
+# NOTE(chmou): We use dollar here so that envsubst don't get confused and expand
+# our local PATH.
+ENV HOME=/ko-app PATH=DOLLAR{HOME}:DOLLAR{PATH}
 RUN yum install -y git openssh-client
 
-ADD ${bin} /ko-app/${bin}
+COPY ${bin} DOLLAR{HOME}/${bin}.orig
+COPY uidwrapper DOLLAR{HOME}/${bin}
+
+RUN chgrp -R 0 DOLLAR{HOME} && \
+    chmod -R g=u DOLLAR{HOME} /etc/passwd
+
 ENTRYPOINT ["/ko-app/${bin}"]
+
+# Local Variables:
+# mode: dockerfile
+# End:
diff --git a/openshift/ci-operator/generate-dockerfiles.sh b/openshift/ci-operator/generate-dockerfiles.sh
@@ -8,7 +8,7 @@ function generate_dockefiles() {
   for img in $@; do
     local image_base=$(basename $img)
     mkdir -p $target_dir/$image_base
-    bin=$image_base envsubst < $dockerfile_in > $target_dir/$image_base/Dockerfile
+    bin=$image_base envsubst < $dockerfile_in | sed 's/DOLLAR/$/g'  > $target_dir/$image_base/Dockerfile
   done
 }
 

diff --git a/openshift/ci-operator/knative-images/creds-init/Dockerfile b/openshift/ci-operator/knative-images/creds-init/Dockerfile
@@ -1,7 +1,19 @@
 # Do not edit! This file was generated via Makefile
 FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base
 
+# NOTE(chmou): We use dollar here so that envsubst don't get confused and expand
+# our local PATH.
+ENV HOME=/ko-app PATH=${HOME}:${PATH}
 RUN yum install -y git openssh-client
 
-ADD creds-init /ko-app/creds-init
+COPY creds-init ${HOME}/creds-init.orig
+COPY uidwrapper ${HOME}/creds-init
+
+RUN chgrp -R 0 ${HOME} && \
+    chmod -R g=u ${HOME} /etc/passwd
+
 ENTRYPOINT ["/ko-app/creds-init"]
+
+# Local Variables:
+# mode: dockerfile
+# End:
diff --git a/openshift/ci-operator/knative-images/git-init/Dockerfile b/openshift/ci-operator/knative-images/git-init/Dockerfile
@@ -1,7 +1,19 @@
 # Do not edit! This file was generated via Makefile
 FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base
 
+# NOTE(chmou): We use dollar here so that envsubst don't get confused and expand
+# our local PATH.
+ENV HOME=/ko-app PATH=${HOME}:${PATH}
 RUN yum install -y git openssh-client
 
-ADD git-init /ko-app/git-init
+COPY git-init ${HOME}/git-init.orig
+COPY uidwrapper ${HOME}/git-init
+
+RUN chgrp -R 0 ${HOME} && \
+    chmod -R g=u ${HOME} /etc/passwd
+
 ENTRYPOINT ["/ko-app/git-init"]
+
+# Local Variables:
+# mode: dockerfile
+# End:
diff --git a/openshift/ci-operator/uidwrapper b/openshift/ci-operator/uidwrapper
@@ -0,0 +1,8 @@
+#!/bin/sh
+if ! whoami &> /dev/null; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+  fi
+fi
+
+exec ${0}.orig $@
diff --git a/openshift/e2e-tests-openshift.sh b/openshift/e2e-tests-openshift.sh
@@ -17,10 +17,6 @@ env
 function install_tekton_pipeline() {
   header "Installing Tekton Pipeline"
 
-  # Grant the necessary privileges to the service accounts Knative will use:
-  oc adm policy add-scc-to-user anyuid -z tekton-pipelines-controller -n $TEKTON_PIPELINE_NAMESPACE
-  oc adm policy add-cluster-role-to-user cluster-admin -z tekton-pipelines-controller -n $TEKTON_PIPELINE_NAMESPACE
-
   create_pipeline
 
   wait_until_pods_running $TEKTON_PIPELINE_NAMESPACE || return 1