operator-framework · everettraven · Feb 28, 2023 · Feb 15, 2023 · Feb 23, 2023 · Feb 23, 2023
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -72,7 +72,7 @@ jobs:
     environment: deploy
     strategy:
       matrix:
-        id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview"]
+        id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview", "scorecard-storage", "scorecard-untar"]
     steps:
 
     - name: set up qemu

diff --git a/Makefile b/Makefile
@@ -92,7 +92,7 @@ build/scorecard-test build/scorecard-test-kuttl build/custom-scorecard-tests:
 
 # Convenience wrapper for building all remotely hosted images.
 .PHONY: image-build
-IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl
+IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl scorecard-untar scorecard-storage
 image-build: $(foreach i,$(IMAGE_TARGET_LIST),image/$(i)) ## Build all images.
 
 # Convenience wrapper for building dependency base images.

diff --git a/images/scorecard-storage/Dockerfile b/images/scorecard-storage/Dockerfile
@@ -0,0 +1,12 @@
+FROM docker.io/busybox:1.36
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+    USER_NAME=scorecard-untar \
+    USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}
diff --git a/images/scorecard-untar/Dockerfile b/images/scorecard-untar/Dockerfile
@@ -0,0 +1,12 @@
+FROM registry.access.redhat.com/ubi8:8.7
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+    USER_NAME=scorecard-untar \
+    USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}
diff --git a/internal/cmd/operator-sdk/scorecard/cmd.go b/internal/cmd/operator-sdk/scorecard/cmd.go
@@ -91,10 +91,10 @@ If the argument holds an image tag, it must be present remotely.`,
 	scorecardCmd.Flags().DurationVarP(&c.waitTime, "wait-time", "w", 30*time.Second,
 		"seconds to wait for tests to complete. Example: 35s")
 	scorecardCmd.Flags().StringVarP(&c.storageImage, "storage-image", "b",
-		"docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af",
+		"docker.io/bpalmer/scorecard-storage:dev",
 		"Storage image to be used by the Scorecard pod")
 	scorecardCmd.Flags().StringVarP(&c.untarImage, "untar-image", "u",
-		"registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7",
+		"docker.io/bpalmer/scorecard-untar:dev",
 		"Untar image to be used by the Scorecard pod")
 	scorecardCmd.Flags().StringVarP(&c.testOutput, "test-output", "t", "test-output",
 		"Test output directory.")

diff --git a/internal/scorecard/scorecard.go b/internal/scorecard/scorecard.go
@@ -227,8 +227,6 @@ func (r PodTestRunner) RunTest(ctx context.Context, test v1alpha3.TestConfigurat
 		// creating a pod security context to support running in default namespace
 		podSecCtx := v1.PodSecurityContext{}
 		podSecCtx.RunAsNonRoot = &podSec
-		podSecCtx.RunAsUser = &[]int64{1000}[0]
-		podSecCtx.RunAsGroup = &[]int64{1000}[0]
 		podSecCtx.SeccompProfile = &v1.SeccompProfile{
 			Type: v1.SeccompProfileTypeRuntimeDefault,
 		}