Merge pull request #317 from Accenture/316-run-container-as-non-root-user

316 run rig container non-root user

Author: mmacai

Dockerfile

@@ -40,8 +40,11 @@ RUN apk add --no-cache bash
 ENV LANG C.UTF-8
 ENV LC_ALL C.UTF-8
 
+RUN addgroup -S rig -g 1000 && adduser -S rig -G rig --uid 1000
 WORKDIR /opt/sites/rig
 COPY --from=build /opt/sites/rig/_build/prod/rel/rig /opt/sites/rig/
+RUN chown -R rig:rig /opt/sites/rig
+USER rig
 
 # Proxy
 EXPOSE 4000

aws.dockerfile

@@ -49,9 +49,12 @@ ENV KINESIS_OTP_JAR=/opt/sites/rig/kinesis-client/local-maven-repo/org/erlang/ot
 # Install Java
 RUN apk add --no-cache openjdk8-jre
 
+RUN addgroup -S rig -g 1000 && adduser -S rig -G rig --uid 1000
 WORKDIR /opt/sites/rig
 COPY --from=elixir-build /opt/sites/rig/_build/prod/rel/rig /opt/sites/rig/
 COPY --from=java-build opt/sites/rig/kinesis-client /opt/sites/rig/kinesis-client
+RUN chown -R rig:rig /opt/sites/rig
+USER rig
 
 # Proxy
 EXPOSE 4000

deployment/helm/README.md

@@ -46,8 +46,8 @@ If you want to use local image (either original RIG or your own based on origina
 1. Switch to Minikube context `eval $(minikube docker-env)`
 1. Build your image `docker build -t rig .`
 1. Check `docker images` => new image should be listed there
-1. Supply the image name to the [values file](reactive-interaction-gateway/values.yaml) e.g. `repository: rig` (line 8)
-1. Add `imagePullPolicy: Never` under line 10 [values](reactive-interaction-gateway/values.yaml)
+1. Change the image name to `rig` in the [values file](reactive-interaction-gateway/values.yaml) (line 10)
+1. Change `imagePullPolicy` to `Never` in the [values file](reactive-interaction-gateway/values.yaml) (line 12)
 
 
 ## Start RIG on Kubernetes

deployment/helm/reactive-interaction-gateway/templates/_helpers.tpl

@@ -30,3 +30,14 @@ Create chart name and version as used by the chart label.
 {{- define "reactive-interaction-gateway.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "deployment.apiVersion" -}}
+{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "apps/v1" -}}
+{{- else -}}
+{{- print "apps/v1beta2" -}}
+{{- end -}}
+{{- end -}}

deployment/helm/reactive-interaction-gateway/templates/deployment.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1beta2
+apiVersion: {{ template "deployment.apiVersion" . }}
 kind: Deployment
 metadata:
   name: {{ template "reactive-interaction-gateway.name" . }}
@@ -19,6 +19,10 @@ spec:
         app: {{ template "reactive-interaction-gateway.name" . }}
         release: {{ .Release.Name }}
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

deployment/k8s/README.md

@@ -46,8 +46,8 @@ If you want to use local image (either original RIG or your own based on origina
 1. Switch to Minikube context `eval $(minikube docker-env)`
 1. Build your image `docker build -t rig .`
 1. Check `docker images` => new image should be listed there
-1. Supply image name to `rig_dns.yml` e.g. `image: rig` (line 44)
-1. Add `imagePullPolicy: Never` under line 44, so K8s won't try to pull local image
+1. Change the image name to `rig` in the `rig_dns.yml` (line 74)
+1. Add `imagePullPolicy: Never` just below the `image` line, so K8s won't try to pull the official image
 
 Start RIG in Minikube:
 

deployment/k8s/rig_dns.yml

@@ -38,146 +38,153 @@ metadata:
     app: reactive-interaction-gateway-service-headless
 spec:
   ports:
-  - port: 4000
-    name: proxy-http
-  - port: 4001
-    name: proxy-https
-  - port: 4010
-    name: internal-http
-  - port: 4011
-    name: internal-https
+    - port: 4000
+      name: proxy-http
+    - port: 4001
+      name: proxy-https
+    - port: 4010
+      name: internal-http
+    - port: 4011
+      name: internal-https
   selector:
     app: reactive-interaction-gateway-deployment
   clusterIP: None
 ---
 
-apiVersion: apps/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: reactive-interaction-gateway-deployment
 spec:
   replicas: 1
+  selector:
+    matchLabels:
+      app: reactive-interaction-gateway-deployment
   template:
     metadata:
       labels:
         app: reactive-interaction-gateway-deployment
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
       containers:
-      - name: reactive-interaction-gateway
-        image: accenture/reactive-interaction-gateway
-        ports:
-        - containerPort: 4000
-        - containerPort: 4001
-        - containerPort: 4010
-        - containerPort: 4011
-        env:
-          ## Ports
-        - name: API_HTTP_PORT
-          value: "4010"
-        - name: API_HTTPS_PORT
-          value: "4011"
-        - name: INBOUND_PORT
-          value: "4000"
-        - name: INBOUND_HTTPS_PORT
-          value: "4001"
-        ## Hostname for HTTP endpoints
-        # - name: HOST
-        #   value: "localhost"
-        ## HTTPS
-        # - name: HTTPS_CERTFILE
-        #   value: "cert/signed.pem"
-        # - name: HTTPS_KEYFILE
-        #   value: "cert/signed_key.pem"
-        # - name: HTTPS_KEYFILE_PASS
-        #   value: "asdf"
-        ## CORS (Access-Control-Allow-Origin) for "inbound" port
-        # - name: CORS: "*"
-        ## Discovery & node
-        - name: DISCOVERY_TYPE
-          value: "dns"
-        ## Change "default" if you are using different namespace
-        - name: DNS_NAME
-          value: "reactive-interaction-gateway-headless.default.svc.cluster.local"
-        - name: NODE_COOKIE
-          value: "magiccookie"
-        - name: NODE_HOST
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-        ## Kafka
-        ## Setting "KAFKA_BROKERS" automatically enables usage of Kafka in RIG
-        # - name: KAFKA_BROKERS
-        #   value: "localhost:9092"
-        # - name: KAFKA_SOURCE_TOPICS
-        #   value: "rig"
-        # - name: KAFKA_GROUP_ID
-        #   value: "rig"
-        # - name: KAFKA_RESTART_DELAY_MS
-        #   value: "10000"
-        # - name: KAFKA_LOG_TOPIC
-        #   value: "rig-request-log"
-        ## Kafka SASL
-        # - name: KAFKA_SASL
-        #   value: "plain:myusername:mypassword"
-        ## Kafka SSL
-        # - name: KAFKA_SSL_ENABLED
-        #   value: "1"
-        # - name: KAFKA_SSL_CA_CERTFILE
-        #   value: "ca.crt.pem"
-        # - name: KAFKA_SSL_CERTFILE
-        #   value: "client.crt.pem"
-        # - name: KAFKA_SSL_KEYFILE
-        #   value: "client.key.pem"
-        # - name: KAFKA_SSL_KEYFILE_PASS
-        #   value: "asdf"
-        ## Kinesis
-        # - name: KINESIS_ENABLED
-        #   value: "1"
-        # - name: KINESIS_STREAM
-        #   value: "RIG-outbound"
-        # - name: KINESIS_APP_NAME
-        #   value: "Reactive-Interaction-Gateway"
-        # - name: KINESIS_AWS_REGION
-        #   value: "eu-west-1"
-        # - name: KINESIS_LOG_LEVEL
-        #   value: "INFO"
-        ## Proxy
-        # - name: PROXY_CONFIG_FILE
-        #   value: "/proxy.json"
-        # - name: PROXY_RECV_TIMEOUT
-        #   value: "5000"
-        ## Proxy Kafka
-        # - name: PROXY_KAFKA_RESPONSE_TOPICS
-        #   value: "rig-proxy-response"
-        # - name: PROXY_KAFKA_REQUEST_TOPIC
-        #   value: "rig-proxy-request"
-        # - name: PROXY_KAFKA_RESPONSE_TIMEOUT
-        #   value: "5000"
-        ## Proxy Kinesis
-        # - name: PROXY_KINESIS_REQUEST_STREAM
-        #   value: "rig-proxy-request"
-        # - name: PROXY_KINESIS_REQUEST_REGION
-        #   value: "eu-west-1"
-        # - name: PROXY_KINESIS_RESPONSE_TIMEOUT
-        #   value: "5000"
-        ## Extractors
-        # - name: EXTRACTORS
-        #   value: '{"greeting":{"name":{"stable_field_index":1,"event":{"json_pointer":"/name"}}}}'
-        ## JWT
-        # - name: JWT_SECRET_KEY
-        #   value: "asdf"
-        # - name: JWT_ALG
-        #   value: "HS256"
-        # - name: JWT_SESSION_FIELD
-        #   value: "/userId"
-        ## Logging
-        # - name: REQUEST_LOG
-        #   value: "console,kafka"
-        - name: LOG_LEVEL
-          value: "debug"
-        ## SSE, WS
-        # - name: SUBSCRIPTION_CHECK
-        #   value: "jwt_validation"
-        ## HTTP events endpoint
-        # - name: SUBMISSION_CHECK
-        #   value: "jwt_validation"
+        - name: reactive-interaction-gateway
+          image: accenture/reactive-interaction-gateway
+          ports:
+            - containerPort: 4000
+            - containerPort: 4001
+            - containerPort: 4010
+            - containerPort: 4011
+          env:
+            ## Ports
+            - name: API_HTTP_PORT
+              value: "4010"
+            - name: API_HTTPS_PORT
+              value: "4011"
+            - name: INBOUND_PORT
+              value: "4000"
+            - name: INBOUND_HTTPS_PORT
+              value: "4001"
+            ## Hostname for HTTP endpoints
+            # - name: HOST
+            #   value: "localhost"
+            ## HTTPS
+            # - name: HTTPS_CERTFILE
+            #   value: "cert/signed.pem"
+            # - name: HTTPS_KEYFILE
+            #   value: "cert/signed_key.pem"
+            # - name: HTTPS_KEYFILE_PASS
+            #   value: "asdf"
+            ## CORS (Access-Control-Allow-Origin) for "inbound" port
+            # - name: CORS: "*"
+            ## Discovery & node
+            - name: DISCOVERY_TYPE
+              value: "dns"
+            ## Change "default" if you are using different namespace
+            - name: DNS_NAME
+              value: "reactive-interaction-gateway-headless.default.svc.cluster.local"
+            - name: NODE_COOKIE
+              value: "magiccookie"
+            - name: NODE_HOST
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            ## Kafka
+            ## Setting "KAFKA_BROKERS" automatically enables usage of Kafka in RIG
+            # - name: KAFKA_BROKERS
+            #   value: "localhost:9092"
+            # - name: KAFKA_SOURCE_TOPICS
+            #   value: "rig"
+            # - name: KAFKA_GROUP_ID
+            #   value: "rig"
+            # - name: KAFKA_RESTART_DELAY_MS
+            #   value: "10000"
+            # - name: KAFKA_LOG_TOPIC
+            #   value: "rig-request-log"
+            ## Kafka SASL
+            # - name: KAFKA_SASL
+            #   value: "plain:myusername:mypassword"
+            ## Kafka SSL
+            # - name: KAFKA_SSL_ENABLED
+            #   value: "1"
+            # - name: KAFKA_SSL_CA_CERTFILE
+            #   value: "ca.crt.pem"
+            # - name: KAFKA_SSL_CERTFILE
+            #   value: "client.crt.pem"
+            # - name: KAFKA_SSL_KEYFILE
+            #   value: "client.key.pem"
+            # - name: KAFKA_SSL_KEYFILE_PASS
+            #   value: "asdf"
+            ## Kinesis
+            # - name: KINESIS_ENABLED
+            #   value: "1"
+            # - name: KINESIS_STREAM
+            #   value: "RIG-outbound"
+            # - name: KINESIS_APP_NAME
+            #   value: "Reactive-Interaction-Gateway"
+            # - name: KINESIS_AWS_REGION
+            #   value: "eu-west-1"
+            # - name: KINESIS_LOG_LEVEL
+            #   value: "INFO"
+            ## Proxy
+            # - name: PROXY_CONFIG_FILE
+            #   value: "/proxy.json"
+            # - name: PROXY_RECV_TIMEOUT
+            #   value: "5000"
+            ## Proxy Kafka
+            # - name: PROXY_KAFKA_RESPONSE_TOPICS
+            #   value: "rig-proxy-response"
+            # - name: PROXY_KAFKA_REQUEST_TOPIC
+            #   value: "rig-proxy-request"
+            # - name: PROXY_KAFKA_RESPONSE_TIMEOUT
+            #   value: "5000"
+            ## Proxy Kinesis
+            # - name: PROXY_KINESIS_REQUEST_STREAM
+            #   value: "rig-proxy-request"
+            # - name: PROXY_KINESIS_REQUEST_REGION
+            #   value: "eu-west-1"
+            # - name: PROXY_KINESIS_RESPONSE_TIMEOUT
+            #   value: "5000"
+            ## Extractors
+            # - name: EXTRACTORS
+            #   value: '{"greeting":{"name":{"stable_field_index":1,"event":{"json_pointer":"/name"}}}}'
+            ## JWT
+            # - name: JWT_SECRET_KEY
+            #   value: "asdf"
+            # - name: JWT_ALG
+            #   value: "HS256"
+            # - name: JWT_SESSION_FIELD
+            #   value: "/userId"
+            ## Logging
+            # - name: REQUEST_LOG
+            #   value: "console,kafka"
+            - name: LOG_LEVEL
+              value: "debug"
+          ## SSE, WS
+          # - name: SUBSCRIPTION_CHECK
+          #   value: "jwt_validation"
+          ## HTTP events endpoint
+          # - name: SUBMISSION_CHECK
+          #   value: "jwt_validation"