Merge pull request #188 from snyk/feat/update-secure-config

ivanstanev · web-flow · commit 397cf8a99156 · 2019-11-01T16:34:21.000Z
Feat/update secure config
diff --git a/Dockerfile b/Dockerfile
@@ -29,25 +29,29 @@ LABEL maintainer="Snyk Ltd"
 
 ENV NODE_ENV production
 
-COPY --from=skopeo-build /usr/bin/skopeo /usr/bin/skopeo
-COPY --from=skopeo-build /etc/containers/registries.d/default.yaml /etc/containers/registries.d/default.yaml
-COPY --from=skopeo-build /etc/containers/policy.json /etc/containers/policy.json
-
-RUN apk --no-cache add db
-COPY --from=rpmdb-build /go/src/github.com/snyk/go-rpmdb/rpmdb /usr/bin/rpmdb
-
 RUN apk update
 RUN apk upgrade
+RUN apk --no-cache add db
+
+RUN addgroup -S -g 10001 snyk
+RUN adduser -S -G snyk -h /srv/app -u 10001 snyk
+
+WORKDIR /srv/app
+USER snyk:snyk
+
+COPY --chown=snyk:snyk --from=skopeo-build /usr/bin/skopeo /usr/bin/skopeo
+COPY --chown=snyk:snyk --from=skopeo-build /etc/containers/registries.d/default.yaml /etc/containers/registries.d/default.yaml
+COPY --chown=snyk:snyk --from=skopeo-build /etc/containers/policy.json /etc/containers/policy.json
 
-WORKDIR /root
+COPY --chown=snyk:snyk --from=rpmdb-build /go/src/github.com/snyk/go-rpmdb/rpmdb /usr/bin/rpmdb
 
 # Add manifest files and install before adding anything else to take advantage of layer caching
-ADD package.json package-lock.json .snyk ./
+ADD --chown=snyk:snyk package.json package-lock.json .snyk ./
 
 RUN npm install
 
 # add the rest of the app files
-ADD . .
+ADD --chown=snyk:snyk . .
 
 # Complete any `prepare` tasks (e.g. typescript), as this step ran automatically prior to app being copied
 RUN npm run prepare
diff --git a/snyk-monitor-deployment.yaml b/snyk-monitor-deployment.yaml
@@ -57,6 +57,16 @@ spec:
           limits:
             cpu: '1'
             memory: '2Gi'
+        securityContext:
+            runAsUser: 10001
+            runAsGroup: 10001
+            privileged: false
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              drop:
+                - ALL
       securityContext: {}
       volumes:
       - name: docker-config
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
@@ -51,6 +51,16 @@ spec:
             limits:
               cpu: '1'
               memory: '2Gi'
+          securityContext:
+            runAsUser: 10001
+            runAsGroup: 10001
+            privileged: false
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              drop:
+                - ALL
       volumes:
         - name: docker-config
           secret:
diff --git a/test/unit/deployment-files.test.ts b/test/unit/deployment-files.test.ts
@@ -0,0 +1,44 @@
+import * as tap from 'tap';
+import { parse } from 'yaml';
+import { readFileSync } from 'fs';
+import { V1Deployment } from '@kubernetes/client-node';
+
+tap.test('ensure the security properties of the deployment files are unchanged', async (t) => {
+  const deploymentFiles = ['./snyk-monitor/templates/deployment.yaml', './snyk-monitor-deployment.yaml'];
+
+  for (const filePath of deploymentFiles) {
+    const fileContent = readFileSync(filePath, 'utf8');
+    const deployment: V1Deployment = parse(fileContent);
+
+    if (
+      !deployment.spec ||
+      !deployment.spec.template.spec ||
+      !deployment.spec.template.spec.containers ||
+      deployment.spec.template.spec.containers.length === 0 ||
+      !deployment.spec.template.spec.containers[0].securityContext
+    ) {
+      tap.fail('bad container spec or missing securityContext');
+      return;
+    }
+
+    const securityContext =
+      deployment.spec.template.spec.containers[0].securityContext;
+
+    if (!securityContext.capabilities) {
+      tap.fail('missing capabilities section in pod securityContext');
+      return;
+    }
+
+    tap.same(securityContext.capabilities, { drop: ['ALL'] }, 'all capabilities are dropped and none are added');
+    tap.ok(securityContext.allowPrivilegeEscalation === false, 'must explicitly set allowPrivilegeEscalation to false');
+    tap.ok(securityContext.privileged === false, 'must explicitly set privileged to false');
+    tap.ok(securityContext.runAsNonRoot === true, 'must explicitly set runAsNonRoot to true');
+    tap.ok(securityContext.runAsUser === 10001, 'must explicitly set runAsUser to 10001');
+    tap.ok(securityContext.runAsGroup === 10001, 'must explicitly set runAsGroup to 10001');
+
+    // TODO: currently we do not set this to true because skopeo pulls
+    // temporary files to /var/tmp and this behaviour is not configurable
+    // To be secure, this value MUST be set to "true"!
+    tap.ok(securityContext.readOnlyRootFilesystem === false, 'readOnlyRootFilesystem is not set ON PURPOSE');
+  }
+});
