feat: set readOnlyRootFilesystem, change temp storage mount path

Upgrade and pin to snyk-docker-plugin version 1.34.0.

The static scanning options now accept a file path to a temporary directory for saving snyk-docker-plugin files.
To be used in combination with readOnlyRootFilesystem and the directory for pulling temporary images.

Enable readOnlyRootFilesystem on the deployment files but also change the temporary storage mount path.
Regardless of where we store pulled images, skopeo seems to pull temporary files under /var/tmp and this behaviour is not configurable.
Because of that we cannot enable readOnlyRootFilesystem unless we also mount our temporary storage there.

Author: ivanstanev

package-lock.json

@@ -44,7 +44,7 @@
     "needle": "^2.4.0",
     "response-time": "^2.3.2",
     "snyk-config": "^2.2.0",
-    "snyk-docker-plugin": "^1.33.0",
+    "snyk-docker-plugin": "1.34.0",
     "source-map-support": "^0.5.9",
     "tslib": "^1.9.3",
     "ws": "^7.0.0",

package.json

@@ -25,7 +25,7 @@ spec:
           readOnly: true
           mountPath: "/root/.docker"
         - name: temporary-storage
-          mountPath: "/snyk-monitor"
+          mountPath: "/var/tmp"
         env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -58,6 +58,7 @@ spec:
             cpu: '1'
             memory: '2Gi'
         securityContext:
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
               - ALL

snyk-monitor-deployment.yaml

@@ -31,7 +31,7 @@ spec:
             readOnly: true
             mountPath: "/root/.docker"
           - name: temporary-storage
-            mountPath: "/snyk-monitor"
+            mountPath: "/var/tmp"
           env:
           - name: SNYK_INTEGRATION_ID
             valueFrom:
@@ -52,6 +52,7 @@ spec:
               cpu: '1'
               memory: '2Gi'
           securityContext:
+            readOnlyRootFilesystem: true
             capabilities:
               drop:
                 - ALL

snyk-monitor/templates/deployment.yaml

@@ -7,6 +7,6 @@ const config = require('snyk-config')(__dirname + '/../..', {
 config.AGENT_ID = uuidv4();
 config.INTEGRATION_ID = config.INTEGRATION_ID.trim();
 config.CLUSTER_NAME = config.CLUSTER_NAME || 'Default cluster';
-config.IMAGE_STORAGE_ROOT = '/snyk-monitor';
+config.IMAGE_STORAGE_ROOT = '/var/tmp';
 
 export = config;

src/common/config.ts

@@ -2,6 +2,7 @@ import * as plugin from 'snyk-docker-plugin';
 import logger = require('../common/logger');
 import { IStaticAnalysisOptions, StaticAnalysisImageType } from './types';
 import { IPullableImage } from '../images/types';
+import config = require('../common/config');
 
 export interface IScanResult {
   image: string;
@@ -33,6 +34,7 @@ function constructStaticAnalysisOptions(
     staticAnalysisOptions: {
       imagePath: fileSystemPath,
       imageType: StaticAnalysisImageType.DockerArchive,
+      tmpDirPath: config.IMAGE_STORAGE_ROOT,
     },
   };
 }

src/kube-scanner/image-scanner.ts

@@ -29,6 +29,7 @@ export enum StaticAnalysisImageType {
 export interface IStaticAnalysisOptions {
   imagePath: string;
   imageType: StaticAnalysisImageType;
+  tmpDirPath: string;
 }
 
 export interface KubeObjectMetadata {

src/kube-scanner/types.ts

@@ -33,5 +33,10 @@ export function validateSecureConfiguration(test: tap, deployment: V1Deployment)
       'CAP_SYS_ADMIN not added',
     );
   }
+
+  test.ok(
+    securityContext.readOnlyRootFilesystem === true,
+    'readOnlyRootFilesystem is set',
+  );
 }