Improve controller container security #1112
Hi @philnichol, Thank you so much for bringing this to our attention. We have plans to enable regular image scan on ACK controller images in the near future, and we will work for patching the security vulnerabilities that are currently present ASAP.
Issue #, if available: aws-controllers-k8s/community#1112

Description of changes:
* use Dockerfile from code-generator for building controller image
* This helps in maintaining only single Dockerfile for building ACK controller images

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
I've pushed this draft just in case it helps at all since the work had been done, but no worries if it's not the direction you're after :) aws-controllers-k8s/code-generator#254
Issue #, if available: Relates aws-controllers-k8s/community#1112

Description of changes:
- ~~No longer runs as root, runs as nobody instead, since runtime is from scratch I've added a "dummy" /etc/shadow file~~
- ~~Runtime image is now "from scratch" since we don't need much other than ca-certs and the binary itself (eg. curl, vim, etc)~~
- Standard principle of least privilege security caps in deployment manifest (drop all plus explicit least privilege deployment/pod settings and capabilities)

This is a draft since there's still stuff missing, and not sure if you would want to go in a different direction

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Issue #, if available: aws-controllers-k8s/community#1112

Description of changes:
* Upgrade of controller-runtime to v0.11.0
* Upgrade of go.mod to 1.17 because that is minimal go version for controller-runtime library
* Keeping the indirect import in go.mod file because removing them causes the error "go.mod needs changes. Run go mod tidy" during local development

> At go 1.17 and above, the go command adds an indirect requirement for each module that provides any package imported (even indirectly) by a package or test in the main module or passed as an argument to go get. These more comprehensive requirements enable module graph pruning and lazy module loading.

* `Reconcile` method in reconcilers now accepts a `context.Context` parameter
* Replace `ACK RuntimeMetaObject` with `controller-runtime Object`
* Replace `desired.RuntimeObject().DeepCopyObject()` with `desired.DeepCopy().RuntimeObject()` because the former does not return implementation of `controller-runtime Object`
* Remove `RuntimeMetaObject()` method from AWSResource interface
* Use `controller-runtime client Object` instead of `apimachinery runtime Object`

------

* Tested locally by running e2e tests for ecr-controller
* Validated that newly generated image has no golang security vulnerabilities.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Issue #, if available: aws-controllers-k8s/community#1112

Description of changes:
* Update base image to `public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2021-12-01-1638322424` and golang image to `1.17.5` for building controller images
* Updated the `deployment.yaml` files to runAsUser 1000. This userId was selected as random.
* Updated ACK runtime to `v0.16.0`

----------------

* validated that controller runs correctly when executed as non root user
* tested locally by running ecr-controller e2e tests
* validated that there were no security vulnerabilities in generated image

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
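Added example (not part of this thread or of the ACK repositories): a small audit of a Deployment manifest, in the dict form that `kubectl get deployment -o json` produces, for the settings the pull requests above describe (non-root user, dropped capabilities). The sample manifests, container name, image reference and finding labels are constructed for illustration.

```python
def deployment(container_sc, pod_sc=None):
    """Build a minimal Deployment dict. Constructed sample; names are placeholders."""
    return {"kind": "Deployment", "spec": {"template": {"spec": {
        "securityContext": pod_sc or {},
        "containers": [{"name": "controller",
                        "image": "registry.example/controller:placeholder",
                        "securityContext": container_sc}]}}}}


def audit(manifest):
    """Return (container, finding) pairs for missing hardening settings."""
    pod = manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for c in pod.get("containers", []):
        sc = c.get("securityContext") or {}
        # Container-level values take precedence over pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        # UID 0 is root; with no UID and no runAsNonRoot the image's user applies.
        if uid == 0 or (uid is None and not non_root):
            findings.append((c["name"], "may-run-as-root"))
        caps = sc.get("capabilities") or {}
        if "ALL" not in [d.upper() for d in caps.get("drop") or []]:
            findings.append((c["name"], "caps-not-dropped"))
        if caps.get("add"):
            findings.append((c["name"], "caps-added"))
        if sc.get("privileged"):
            findings.append((c["name"], "privileged"))
        # Escalation stays possible unless the field is explicitly false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "priv-escalation-allowed"))
    return findings


# Constructed samples: no securityContext at all vs. the hardened form.
WEAK = deployment({})
HARDENED = deployment(
    {"runAsUser": 1000, "allowPrivilegeEscalation": False,
     "privileged": False, "capabilities": {"drop": ["ALL"]}},
    pod_sc={"runAsNonRoot": True},
)

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(manifest))
```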
…-controllers-k8s#167)

Issue #, if available: aws-controllers-k8s/community#1112

Description of changes:
* use Dockerfile from code-generator for building controller image
* This helps in maintaining only single Dockerfile for building ACK controller images

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
All these vulnerabilities are resolved now and ACK controller images now run as non-root. I am closing this issue and creating a new issue for the aws-sdk-go upgrade. #1128
Hi and thanks in advance for reading this 😄
Is your feature request related to a problem?
Currently, if I scan the ACK controller images for vulnerabilities and CIS standards, they do not pass. This means introducing potential vulnerabilities, and forcing me to raise Risk Acceptance requests with security in order to use this in production.
Output from live container image:
Describe the solution you'd like
I would propose we update the templates in code-generator to do the following:
Describe alternatives you've considered
I had a go at using a non-root scratch container that ran the s3 e2e tests which removed all CIS warnings and reduced the vulnerabilities (and removed all 7 CRITICAL vulns) to only the ones in the final go binary, let me know if this is something of interest since I'd be happy to tidy up and contribute this.