(scorecard): Add new images for default untar and storage options (operator-framework#6335)

* add images for scorecard untar and storage

Signed-off-by: Bryce Palmer <[email protected]>

* Add new images for scorecard

and use them as the default untar and storage images to ensure
that scorecard pods are fully compliant with restricted PSA. This
is done by making the images run as non-root by default (sets the user
to non-root in the Dockerfile)

fixes operator-framework#6295

Signed-off-by: Bryce Palmer <[email protected]>

* update images & docs;add changelog

Signed-off-by: Bryce Palmer <[email protected]>

* add missing newline

Signed-off-by: Bryce Palmer <[email protected]>

---------

Signed-off-by: Bryce Palmer <[email protected]>

Author: everettraven

.github/workflows/deploy-manual.yml

@@ -17,6 +17,13 @@ jobs:
     environment: deploy
     steps:
 
+    # https://github.com/orgs/community/discussions/47863
+    - name: update packages
+      run: |
+        sudo apt-mark hold grub-efi-amd64-signed
+        sudo apt-get update --fix-missing
+        sudo apt upgrade -y
+
     - name: set up qemu
       uses: docker/setup-qemu-action@v2
 
@@ -48,7 +55,7 @@ jobs:
         fi
         echo "tag=${IMG}:${TAG}" >> $GITHUB_OUTPUT
         echo "git_commit=${GIT_COMMIT}" >> $GITHUB_OUTPUT
-    
+
     - name: create 2.11-base tag
       id: base_tag_211
       run: |
@@ -67,65 +74,65 @@ jobs:
       with:
         file: ./images/ansible-operator/base.Dockerfile
         context: ./images/ansible-operator
-        platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
+        platforms: linux/s390x
         push: true
         tags: ${{ steps.base_tag_29.outputs.tag }}
         build-args: |
           GIT_COMMIT=${{ steps.base_tag_29.outputs.git_commit }}
 
-    - name: build and push ansible 2.11 dep image
-      uses: docker/build-push-action@v3
-      with:
-        file: ./images/ansible-operator-2.11-preview/base.Dockerfile
-        context: ./images/ansible-operator-2.11-preview
-        platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
-        push: true
-        tags: ${{ steps.base_tag_211.outputs.tag }}
-        build-args: |
-          GIT_COMMIT=${{ steps.base_tag_211.outputs.git_commit }}
+    # - name: build and push ansible 2.11 dep image
+    #   uses: docker/build-push-action@v3
+    #   with:
+    #     file: ./images/ansible-operator-2.11-preview/base.Dockerfile
+    #     context: ./images/ansible-operator-2.11-preview
+    #     platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
+    #     push: true
+    #     tags: ${{ steps.base_tag_211.outputs.tag }}
+    #     build-args: |
+    #       GIT_COMMIT=${{ steps.base_tag_211.outputs.git_commit }}
 
-    # This change will be staged and committed in the PR pushed below.
-    # The script below will fail if no change was made.
-    - name: update base of ansible-operator 2.9
-      id: update_29
-      run: |
-        set -ex
-        sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-base:.+|FROM ${{ steps.base_tag_29.outputs.tag }}|g' images/ansible-operator/Dockerfile
-        git diff --exit-code --quiet && echo "Failed to update images/ansible-operator/Dockerfile" && exit 1
-        REF="${{ github.event.ref }}"
-        echo "branch_name=${REF##*/}" >> $GITHUB_OUTPUT
-
-    - name: create PR for ansible-operator 2.9 Dockerfile
-      uses: peter-evans/create-pull-request@v3
-      with:
-        title: "[${{ steps.update_29.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.base_tag_29.outputs.tag }}"
-        commit-message: |
-          [${{ steps.update_29.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.base_tag_29.outputs.tag }}
-
-          Signed-off-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
-        body: "New ansible-operator-base image built by https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-        delete-branch: true
-        branch-suffix: short-commit-hash
-
-    # This change will be staged and committed in the PR pushed below.
-    # The script below will fail if no change was made.
-    - name: update base of ansible-operator-2.11-preview
-      id: update_211
-      run: |
-        set -ex
-        sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-2.11-preview-base:.+|FROM ${{ steps.base_tag_211.outputs.tag }}|g' images/ansible-operator-2.11-preview/Dockerfile
-        git diff --exit-code --quiet && echo "Failed to update images/ansible-operator-11-preview-base/Dockerfile" && exit 1
-        REF="${{ github.event.ref }}"
-        echo "branch_name=${REF##*/}" >> $GITHUB_OUTPUT
-
-    - name: create PR for ansible-operator-2.11-preview Dockerfile
-      uses: peter-evans/create-pull-request@v3
-      with:
-        title: "[${{ steps.update_211.outputs.branch_name }}] image(ansible-operator-2.11-preview): bump base to ${{ steps.base_tag_211.outputs.tag }}"
-        commit-message: |
-          [${{ steps.update_211.outputs.branch_name }}] image(ansible-operator-2.11-preview): bump base to ${{ steps.base_tag_211.outputs.tag }}
-
-          Signed-off-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
-        body: "New ansible-operator-2.11-preview-base image built by https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-        delete-branch: true
-        branch-suffix: short-commit-hash
+    # # This change will be staged and committed in the PR pushed below.
+    # # The script below will fail if no change was made.
+    # - name: update base of ansible-operator 2.9
+    #   id: update_29
+    #   run: |
+    #     set -ex
+    #     sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-base:.+|FROM ${{ steps.base_tag_29.outputs.tag }}|g' images/ansible-operator/Dockerfile
+    #     git diff --exit-code --quiet && echo "Failed to update images/ansible-operator/Dockerfile" && exit 1
+    #     REF="${{ github.event.ref }}"
+    #     echo "branch_name=${REF##*/}" >> $GITHUB_OUTPUT
+
+    # - name: create PR for ansible-operator 2.9 Dockerfile
+    #   uses: peter-evans/create-pull-request@v3
+    #   with:
+    #     title: "[${{ steps.update_29.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.base_tag_29.outputs.tag }}"
+    #     commit-message: |
+    #       [${{ steps.update_29.outputs.branch_name }}] image(ansible-operator): bump base to ${{ steps.base_tag_29.outputs.tag }}
+
+    #       Signed-off-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+    #     body: "New ansible-operator-base image built by https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+    #     delete-branch: true
+    #     branch-suffix: short-commit-hash
+
+    # # This change will be staged and committed in the PR pushed below.
+    # # The script below will fail if no change was made.
+    # - name: update base of ansible-operator-2.11-preview
+    #   id: update_211
+    #   run: |
+    #     set -ex
+    #     sed -i -E 's|FROM quay\.io/operator-framework/ansible-operator-2.11-preview-base:.+|FROM ${{ steps.base_tag_211.outputs.tag }}|g' images/ansible-operator-2.11-preview/Dockerfile
+    #     git diff --exit-code --quiet && echo "Failed to update images/ansible-operator-11-preview-base/Dockerfile" && exit 1
+    #     REF="${{ github.event.ref }}"
+    #     echo "branch_name=${REF##*/}" >> $GITHUB_OUTPUT
+
+    # - name: create PR for ansible-operator-2.11-preview Dockerfile
+    #   uses: peter-evans/create-pull-request@v3
+    #   with:
+    #     title: "[${{ steps.update_211.outputs.branch_name }}] image(ansible-operator-2.11-preview): bump base to ${{ steps.base_tag_211.outputs.tag }}"
+    #     commit-message: |
+    #       [${{ steps.update_211.outputs.branch_name }}] image(ansible-operator-2.11-preview): bump base to ${{ steps.base_tag_211.outputs.tag }}
+
+    #       Signed-off-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+    #     body: "New ansible-operator-2.11-preview-base image built by https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+    #     delete-branch: true
+    #     branch-suffix: short-commit-hash

.github/workflows/deploy.yml

@@ -72,7 +72,7 @@ jobs:
     environment: deploy
     strategy:
       matrix:
-        id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview"]
+        id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview", "scorecard-storage", "scorecard-untar"]
     steps:
 
     - name: set up qemu

Makefile

@@ -92,7 +92,7 @@ build/scorecard-test build/scorecard-test-kuttl build/custom-scorecard-tests:
 
 # Convenience wrapper for building all remotely hosted images.
 .PHONY: image-build
-IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl
+IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl scorecard-untar scorecard-storage
 image-build: $(foreach i,$(IMAGE_TARGET_LIST),image/$(i)) ## Build all images.
 
 # Convenience wrapper for building dependency base images.

changelog/fragments/03-scorecard-image-psa.yaml

@@ -0,0 +1,18 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+  - description: >
+      (scorecard): update default storage and untar images to images
+      that run as non-root users by default. This ensures full compliance
+      with restricted PSA guidelines when using `--pod-security=restricted`.
+
+    # kind is one of:
+    # - addition
+    # - change
+    # - deprecation
+    # - removal
+    # - bugfix
+    kind: "bugfix"
+
+    # Is this a breaking change?
+    breaking: false

images/scorecard-storage/Dockerfile

@@ -0,0 +1,12 @@
+FROM docker.io/busybox:1.36
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+    USER_NAME=scorecard-untar \
+    USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}

images/scorecard-untar/Dockerfile

@@ -0,0 +1,12 @@
+FROM registry.access.redhat.com/ubi8:8.7
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+    USER_NAME=scorecard-untar \
+    USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}

internal/cmd/operator-sdk/scorecard/cmd.go

@@ -91,10 +91,10 @@ If the argument holds an image tag, it must be present remotely.`,
 	scorecardCmd.Flags().DurationVarP(&c.waitTime, "wait-time", "w", 30*time.Second,
 		"seconds to wait for tests to complete. Example: 35s")
 	scorecardCmd.Flags().StringVarP(&c.storageImage, "storage-image", "b",
-		"docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af",
+		"quay.io/operator-framework/scorecard-storage:latest",
 		"Storage image to be used by the Scorecard pod")
 	scorecardCmd.Flags().StringVarP(&c.untarImage, "untar-image", "u",
-		"registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7",
+		"quay.io/operator-framework/scorecard-untar:latest",
 		"Untar image to be used by the Scorecard pod")
 	scorecardCmd.Flags().StringVarP(&c.testOutput, "test-output", "t", "test-output",
 		"Test output directory.")

internal/cmd/operator-sdk/scorecard/cmd_test.go

@@ -69,12 +69,12 @@ var _ = Describe("Running the scorecard command", func() {
 			flag = cmd.Flags().Lookup("storage-image")
 			Expect(flag).NotTo(BeNil())
 			Expect(flag.Shorthand).To(Equal("b"))
-			Expect(flag.DefValue).To(Equal("docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af"))
+			Expect(flag.DefValue).To(Equal("quay.io/operator-framework/scorecard-storage:latest"))
 
 			flag = cmd.Flags().Lookup("untar-image")
 			Expect(flag).NotTo(BeNil())
 			Expect(flag.Shorthand).To(Equal("u"))
-			Expect(flag.DefValue).To(Equal("registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7"))
+			Expect(flag.DefValue).To(Equal("quay.io/operator-framework/scorecard-untar:latest"))
 		})
 	})
 

internal/scorecard/scorecard.go

@@ -227,8 +227,6 @@ func (r PodTestRunner) RunTest(ctx context.Context, test v1alpha3.TestConfigurat
 		// creating a pod security context to support running in default namespace
 		podSecCtx := v1.PodSecurityContext{}
 		podSecCtx.RunAsNonRoot = &podSec
-		podSecCtx.RunAsUser = &[]int64{1000}[0]
-		podSecCtx.RunAsGroup = &[]int64{1000}[0]
 		podSecCtx.SeccompProfile = &v1.SeccompProfile{
 			Type: v1.SeccompProfileTypeRuntimeDefault,
 		}

website/content/en/docs/cli/operator-sdk_scorecard.md

@@ -28,9 +28,9 @@ operator-sdk scorecard [flags]
   -l, --selector string          label selector to determine which tests are run
   -s, --service-account string   Service account to use for tests (default "default")
   -x, --skip-cleanup             Disable resource cleanup after tests are run
-  -b, --storage-image string     Storage image to be used by the Scorecard pod (default "docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af")
+  -b, --storage-image string     Storage image to be used by the Scorecard pod (default "quay.io/operator-framework/scorecard-storage:latest")
   -t, --test-output string       Test output directory. (default "test-output")
-  -u, --untar-image string       Untar image to be used by the Scorecard pod (default "registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7")
+  -u, --untar-image string       Untar image to be used by the Scorecard pod (default "quay.io/operator-framework/scorecard-untar:latest")
   -w, --wait-time duration       seconds to wait for tests to complete. Example: 35s (default 30s)
 ```