From 855bf341908a39a2c01711624403ca909ec8ad00 Mon Sep 17 00:00:00 2001
From: Markus Lehtonen
Date: Thu, 28 May 2020 15:10:03 +0300
Subject: [PATCH 1/2] Dockerfile: run as non-root

---
 Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 078749098d..41b4c1b29b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,6 +25,9 @@ RUN make test
 # Create production image for running node feature discovery
 FROM debian:stretch-slim
+# Run as unprivileged user
+USER 65534:65534
+
 # Use more verbose logging of gRPC
 ENV GRPC_GO_LOG_SEVERITY_LEVEL="INFO"

From 3cd2d34ea7e2a94fea23db318873613ddbc01e11 Mon Sep 17 00:00:00 2001
From: Markus Lehtonen
Date: Thu, 28 May 2020 15:16:15 +0300
Subject: [PATCH 2/2] Add container security context to the sample deployment specs

Run under strict rules. We shouldn't need any special privileges.
---
 nfd-daemonset-combined.yaml.template | 12 ++++++++++++
 nfd-master.yaml.template | 6 ++++++
 nfd-worker-daemonset.yaml.template | 6 ++++++
 nfd-worker-job.yaml.template | 6 ++++++
 4 files changed, 30 insertions(+)

diff --git a/nfd-daemonset-combined.yaml.template b/nfd-daemonset-combined.yaml.template
index 8d77bd57d7..0074d8f5ec 100644
--- a/nfd-daemonset-combined.yaml.template
+++ b/nfd-daemonset-combined.yaml.template
@@ -64,6 +64,12 @@ spec:
 fieldPath: spec.nodeName
 image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
 name: nfd-master
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 command:
 - "nfd-master"
 - env:
@@ -73,6 +79,12 @@ spec:
 fieldPath: spec.nodeName
 image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
 name: nfd-worker
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 command:
 - "nfd-worker"
 args:
diff --git a/nfd-master.yaml.template b/nfd-master.yaml.template
index 5057ac025b..4891f2e190 100644
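Review bot: The comment `# Run as unprivileged user` above `USER 65534:65534` does not say why the numeric uid:gid form was chosen over a name, and that choice matters for patch 2/2: the kubelet can only enforce `runAsNonRoot: true` when the image's user is numeric, and with a named `USER nobody` it refuses to start the container because the UID cannot be verified. I would extend the comment to `# Run as unprivileged user (nobody/nogroup on Debian); numeric uid:gid so runAsNonRoot can be verified without /etc/passwd`. Any `COPY`/`ADD` instructions later in this stage (outside the hunk, if present) still produce root-owned files regardless of `USER`, which is fine for read-only binaries but worth keeping in mind if a writable path is ever needed. The production stage continues past the end of the hunk.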
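Review bot: `runAsNonRoot: true` is added against the unchanged context line `image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0`, yet the `USER 65534:65534` directive that makes the image non-root is only being introduced in patch 1/2 of this series; unless the published v0.5.0 image already runs as a non-root user, the kubelet will refuse to start these containers with "container has runAsNonRoot and image will run as root". Adding `runAsUser: 65534` and `runAsGroup: 65534` to the new `securityContext` (matching the Dockerfile's numeric user) makes the sample specs self-sufficient and independent of which image tag is pinned; alternatively the image tag must be bumped once a rebuilt image ships. The same applies to the second hunk of this file (the `nfd-worker` container) and to the hunks in nfd-master.yaml.template, nfd-worker-daemonset.yaml.template and nfd-worker-job.yaml.template. The container spec (`command:`, `- env:`) continues outside the hunk.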
--- a/nfd-master.yaml.template
+++ b/nfd-master.yaml.template
@@ -79,6 +79,12 @@ spec:
 fieldPath: spec.nodeName
 image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
 name: nfd-master
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 command:
 - "nfd-master"
 ## Enable TLS authentication
diff --git a/nfd-worker-daemonset.yaml.template b/nfd-worker-daemonset.yaml.template
index dd3d23e014..1579b21d61 100644
--- a/nfd-worker-daemonset.yaml.template
+++ b/nfd-worker-daemonset.yaml.template
@@ -23,6 +23,12 @@ spec:
 fieldPath: spec.nodeName
 image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
 name: nfd-worker
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 command:
 - "nfd-worker"
 args:
diff --git a/nfd-worker-job.yaml.template b/nfd-worker-job.yaml.template
index e3db89aed3..e962b96946 100644
--- a/nfd-worker-job.yaml.template
+++ b/nfd-worker-job.yaml.template
@@ -32,6 +32,12 @@ spec:
 fieldPath: spec.nodeName
 image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
 name: nfd-worker
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 command:
 - "nfd-worker"
 args:
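Review bot: `readOnlyRootFilesystem: true` makes any write the `nfd-master` process attempts under the container root fail with EROFS, and nothing in this hunk shows whether the binary writes anywhere at runtime (temp files, caches, log files), so that should be confirmed before this lands in the sample specs; the same question applies to the `nfd-worker` containers in nfd-worker-daemonset.yaml.template and nfd-worker-job.yaml.template. If a writable scratch path turns out to be needed, an `emptyDir` volume mounted at that path keeps the root filesystem read-only while giving the process somewhere to write. The enclosing container spec continues outside the hunk (`## Enable TLS authentication` is the last context line), so any volume mounts it declares are not visible here.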