Skip to content

(scorecard): Add new images for default untar and storage options #6335

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Feb 28, 2023
Merged

(scorecard): Add new images for default untar and storage options #6335

merged 4 commits into from
Feb 28, 2023

Conversation

everettraven
Copy link
Contributor

Description of the change:

  • Adds new images definitions for building custom untar and storage images for scorecard that run as a non-root user by default
  • Updates defaults for the operator-sdk scorecard --storage-image and --untar-image options to use the new images so that scorecard pods are compliant with best practices for restricted PSA environments.
  • Updates the image build Makefile targets and GitHub actions to include building these images

Motivation for the change:

Checklist

If the pull request includes user-facing changes, extra documentation is required:

@everettraven
add images for scorecard untar and storage
715f09f 
Signed-off-by: Bryce Palmer <[email protected]>
@everettraven
Add new images for scorecard
fe984e0 
and use them as the default untar and storage images to ensure
that scorecard pods are fully compliant with restricted PSA. This
is done by making the images run as non-root by default (sets the user
to non-root in the Dockerfile)

fixes operator-framework#6295

Signed-off-by: Bryce Palmer <[email protected]>
@everettraven everettraven temporarily deployed to deploy February 23, 2023 21:29 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 21:29 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 21:29 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 21:29 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 21:29 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 21:29 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 21:29 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 21:29 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 21:29 — with GitHub Actions Inactive
@everettraven
Copy link
Contributor Author

everettraven commented Feb 23, 2023
edited
Loading

Holding for a bit for conversations and reviews.

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 23, 2023
@everettraven
Copy link
Contributor Author

@acornett21 or @theishshah Would you mind testing/taking a look at this? I tested this and everything looked good, but would like some further verification on this.

I tested this by doing the following:

  1. Creating a KinD cluster:
kind create cluster
  1. Creating a test namespace:
kubectl create ns scorecard-test-ns
  1. Setting the namespace as restricted:
kubectl label --overwrite ns scorecard-test-ns pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/enforce-version=v1.25 pod-security.kubernetes.io/warn=restricted
  1. Running scorecard on a version of operator-sdk built from this PR:
operator-sdk scorecard --namespace scorecard-test-ns --pod-security=restricted bundle/

Note: The operator I tested with was from the testdata and is under testdata/go/v3/memcached-operator

everettraven
everettraven commented Feb 23, 2023
View reviewed changes
everettraven
everettraven commented Feb 23, 2023
View reviewed changes
@everettraven everettraven temporarily deployed to deploy February 23, 2023 22:12 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 22:12 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 22:12 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 22:12 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 22:12 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 22:12 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 22:12 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 22:13 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 23, 2023 22:13 — with GitHub Actions Inactive
@acornett21
Copy link
Contributor

@everettraven I can test this on Monday on OpenShift 4.12/4.13.

@acornett21
Copy link
Contributor

Tests Info Below for 4.12

oc version
Client Version: 4.8.11
Server Version: 4.12.3
Kubernetes Version: v1.25.4+a34b9e9

./operator-sdk scorecard --pod-security=restricted quay.io/opdev/simple-demo-operator-bundle:v0.0.6 --output json
{
  "kind": "TestList",
  "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  "items": [
    {
      "kind": "Test",
      "apiVersion": "scorecard.operatorframework.io/v1alpha3",
      "spec": {
        "image": "quay.io/operator-framework/scorecard-test:v1.12.0",
        "entrypoint": [
          "scorecard-test",
          "olm-bundle-validation"
        ],
        "labels": {
          "suite": "olm",
          "test": "olm-bundle-validation-test"
        },
        "storage": {
          "spec": {
            "mountPath": {}
          }
        }
      },
...
./operator-sdk scorecard --pod-security=restricted quay.io/opdev/simple-demo-operator-bundle:v0.0.6 --output json --namespace scorecard-test
{
  "kind": "TestList",
  "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  "items": [
    {
      "kind": "Test",
      "apiVersion": "scorecard.operatorframework.io/v1alpha3",
      "spec": {
        "image": "quay.io/operator-framework/scorecard-test:v1.12.0",
        "entrypoint": [
          "scorecard-test",
          "olm-status-descriptors"
        ],
        "labels": {
          "suite": "olm",
          "test": "olm-status-descriptors-test"
        },
        "storage": {
          "spec": {
            "mountPath": {}
          }
        }
      },
...

Tests for 4.13

 oc version
Client Version: 4.8.11
Server Version: 4.13.0-ec.3
Kubernetes Version: v1.26.0+9eb81c2

./operator-sdk scorecard --pod-security=restricted quay.io/opdev/simple-demo-operator-bundle:v0.0.6 --output json
{
  "kind": "TestList",
  "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  "items": [
    {
      "kind": "Test",
      "apiVersion": "scorecard.operatorframework.io/v1alpha3",
      "spec": {
        "image": "quay.io/operator-framework/scorecard-test:v1.12.0",
        "entrypoint": [
          "scorecard-test",
          "basic-check-spec"
        ],
        "labels": {
          "suite": "basic",
          "test": "basic-check-spec-test"
        },
        "storage": {
          "spec": {
            "mountPath": {}
          }
        }
      },
...
./operator-sdk scorecard --pod-security=restricted quay.io/opdev/simple-demo-operator-bundle:v0.0.6 --output json
{
  "kind": "TestList",
  "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  "items": [
    {
      "kind": "Test",
      "apiVersion": "scorecard.operatorframework.io/v1alpha3",
      "spec": {
        "image": "quay.io/operator-framework/scorecard-test:v1.12.0",
        "entrypoint": [
          "scorecard-test",
          "basic-check-spec"
        ],
        "labels": {
          "suite": "basic",
          "test": "basic-check-spec-test"
        },
        "storage": {
          "spec": {
            "mountPath": {}
          }
        }
      },

This looks good on both versions of OpenShift.

@everettraven
Copy link
Contributor Author

@acornett21 Thanks for the verification!

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 28, 2023
acornett21
acornett21 reviewed Feb 28, 2023
View reviewed changes
@everettraven
add missing newline
eaeaa67 
Signed-off-by: Bryce Palmer <[email protected]>
@everettraven everettraven temporarily deployed to deploy February 28, 2023 14:18 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 28, 2023 14:18 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 28, 2023 14:18 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 28, 2023 14:18 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 28, 2023 14:18 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 28, 2023 14:18 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 28, 2023 14:19 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 28, 2023 14:19 — with GitHub Actions Inactive
@everettraven everettraven temporarily deployed to deploy February 28, 2023 14:20 — with GitHub Actions Inactive
@oceanc80
Copy link
Collaborator

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 28, 2023
rashmigottipati
rashmigottipati approved these changes Feb 28, 2023
View reviewed changes
Copy link
Member

@rashmigottipati rashmigottipati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@grokspawn
Copy link
Contributor

/approve

@grokspawn grokspawn added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 28, 2023
@everettraven everettraven merged commit c57ebf9 into operator-framework:master Feb 28, 2023
shanemcd pushed a commit to shanemcd/operator-sdk that referenced this pull request Mar 3, 2023
@everettraven @shanemcd
(scorecard): Add new images for default untar and storage options (op…
e9414cc 
…erator-framework#6335)

* add images for scorecard untar and storage

Signed-off-by: Bryce Palmer <[email protected]>

* Add new images for scorecard

and use them as the default untar and storage images to ensure
that scorecard pods are fully compliant with restricted PSA. This
is done by making the images run as non-root by default (sets the user
to non-root in the Dockerfile)

fixes operator-framework#6295

Signed-off-by: Bryce Palmer <[email protected]>

* update images & docs;add changelog

Signed-off-by: Bryce Palmer <[email protected]>

* add missing newline

Signed-off-by: Bryce Palmer <[email protected]>

---------

Signed-off-by: Bryce Palmer <[email protected]>
shanemcd pushed a commit to shanemcd/operator-sdk that referenced this pull request Mar 3, 2023
@everettraven @shanemcd
(scorecard): Add new images for default untar and storage options (op…
80005c2 
…erator-framework#6335)

* add images for scorecard untar and storage

Signed-off-by: Bryce Palmer <[email protected]>

* Add new images for scorecard

and use them as the default untar and storage images to ensure
that scorecard pods are fully compliant with restricted PSA. This
is done by making the images run as non-root by default (sets the user
to non-root in the Dockerfile)

fixes operator-framework#6295

Signed-off-by: Bryce Palmer <[email protected]>

* update images & docs;add changelog

Signed-off-by: Bryce Palmer <[email protected]>

* add missing newline

Signed-off-by: Bryce Palmer <[email protected]>

---------

Signed-off-by: Bryce Palmer <[email protected]>
shanemcd pushed a commit to shanemcd/operator-sdk that referenced this pull request Mar 3, 2023
@everettraven @shanemcd
(scorecard): Add new images for default untar and storage options (op…
0006fb8 
…erator-framework#6335)

* add images for scorecard untar and storage

Signed-off-by: Bryce Palmer <[email protected]>

* Add new images for scorecard

and use them as the default untar and storage images to ensure
that scorecard pods are fully compliant with restricted PSA. This
is done by making the images run as non-root by default (sets the user
to non-root in the Dockerfile)

fixes operator-framework#6295

Signed-off-by: Bryce Palmer <[email protected]>

* update images & docs;add changelog

Signed-off-by: Bryce Palmer <[email protected]>

* add missing newline

Signed-off-by: Bryce Palmer <[email protected]>

---------

Signed-off-by: Bryce Palmer <[email protected]>
shanemcd pushed a commit to shanemcd/operator-sdk that referenced this pull request Mar 3, 2023
@everettraven @shanemcd
(scorecard): Add new images for default untar and storage options (op…
cda21ba 
…erator-framework#6335)

* add images for scorecard untar and storage

Signed-off-by: Bryce Palmer <[email protected]>

* Add new images for scorecard

and use them as the default untar and storage images to ensure
that scorecard pods are fully compliant with restricted PSA. This
is done by making the images run as non-root by default (sets the user
to non-root in the Dockerfile)

fixes operator-framework#6295

Signed-off-by: Bryce Palmer <[email protected]>

* update images & docs;add changelog

Signed-off-by: Bryce Palmer <[email protected]>

* add missing newline

Signed-off-by: Bryce Palmer <[email protected]>

---------

Signed-off-by: Bryce Palmer <[email protected]>
shanemcd pushed a commit to shanemcd/operator-sdk that referenced this pull request Mar 3, 2023
@everettraven @shanemcd
(scorecard): Add new images for default untar and storage options (op…
c60c6ff 
…erator-framework#6335)

* add images for scorecard untar and storage

Signed-off-by: Bryce Palmer <[email protected]>

* Add new images for scorecard

and use them as the default untar and storage images to ensure
that scorecard pods are fully compliant with restricted PSA. This
is done by making the images run as non-root by default (sets the user
to non-root in the Dockerfile)

fixes operator-framework#6295

Signed-off-by: Bryce Palmer <[email protected]>

* update images & docs;add changelog

Signed-off-by: Bryce Palmer <[email protected]>

* add missing newline

Signed-off-by: Bryce Palmer <[email protected]>

---------

Signed-off-by: Bryce Palmer <[email protected]>
@tonyskapunk tonyskapunk mentioned this pull request Apr 7, 2023
Closed
@tkrishtop tkrishtop mentioned this pull request May 3, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oceanc80 oceanc80 oceanc80 left review comments

@rashmigottipati rashmigottipati rashmigottipati approved these changes

@acornett21 acornett21 acornett21 approved these changes

@anik120 anik120 Awaiting requested review from anik120

@varshaprasad96 varshaprasad96 Awaiting requested review from varshaprasad96

Assignees

@rashmigottipati rashmigottipati

@oceanc80 oceanc80

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Scorecard] - Create images that run as a non-root user by default
5 participants
@everettraven @acornett21 @oceanc80 @grokspawn @rashmigottipati