Work with nonroot invocation images #42

Merged
merged 1 commit into from
May 20, 2022

Conversation

carolynvs
Collaborator

@carolynvs carolynvs commented Feb 24, 2022

This updates the helm3 mixin for the upcoming change in Porter (v1) where bundles will run as the nonroot user instead of root. Starting in v1.0.0-alpha.12, porter injects files into the bundle differently, owned by a nonroot user and the root group. Previously the kubeconfig creds were injected to /root/.kube/config by most bundles. That location isn't accessible when running as a nonroot user. Any kubeconfig credentials should be updated to be placed in /home/nonroot/.kube/config or another location in /cnab/app that the nonroot user will have access to while exporting KUBECONFIG so it can be located by kubectl/helm.

I have updated helm3 to locate kubeconfig using the same logic as kubectl, using the KUBECONFIG environment variable, then $HOME/.kube/config.

It also switches the user that some commands run as during build. Installing helm should run as root, but initializing the helm repositories should run as the same user that the container runs as, nonroot, so that the .helm config directory is located in /home/nonroot where it can be read when the bundle is executed.
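As an added example (not the mixin's own code), a Go helper that resolves the kubeconfig in the same order the description gives, KUBECONFIG first and then $HOME/.kube/config, and returns a descriptive error when the nonroot user cannot read the resulting file instead of failing silently; resolveKubeconfig and the injected getenv are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveKubeconfig follows kubectl's lookup order: the KUBECONFIG
// environment variable first, then $HOME/.kube/config. getenv is
// injected so the lookup can be exercised without touching the real
// environment. kubectl accepts a list in KUBECONFIG; for brevity this
// hypothetical helper takes the first entry only.
func resolveKubeconfig(getenv func(string) string) (string, error) {
	path := getenv("KUBECONFIG")
	if path != "" {
		path = strings.Split(path, string(filepath.ListSeparator))[0]
	} else {
		home := getenv("HOME")
		if home == "" {
			return "", errors.New("neither KUBECONFIG nor HOME is set")
		}
		path = filepath.Join(home, ".kube", "config")
	}

	// Fail loudly rather than silently: a nonroot user cannot read files
	// injected under /root, so report the resolved path and the uid.
	f, err := os.Open(path)
	if err != nil {
		msg := fmt.Sprintf("kubeconfig %s is not readable by uid %d", path, os.Getuid())
		if strings.HasPrefix(path, "/root/") {
			msg += "; inject it into /home/nonroot/.kube/config or under /cnab/app and export KUBECONFIG"
		}
		return "", fmt.Errorf("%s: %w", msg, err)
	}
	f.Close()
	return path, nil
}

func main() {
	path, err := resolveKubeconfig(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("using kubeconfig", path)
}
```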

```go
if err != nil {
	if m.Debug {
		fmt.Fprintf(m.Err, "DEBUG: addition of repository failed: %s\n", err.Error())
```
Collaborator Author


I'm not sure why this is hidden behind a debug flag? Seems like this will silently fail otherwise when they were relying on it to use the bundle. Should we return an error instead?

@carolynvs carolynvs force-pushed the configureable-kubeconfig branch from 864f450 to 9c48a31 Compare April 11, 2022 20:30
This updates the helm3 mixin for the upcoming change in Porter (v1)
where bundles will run as the nonroot user instead of root.
Starting in v1.0.0-alpha.12, porter injects files into the bundle
differently, owned by a nonroot user and the root group.
Previously the kubeconfig creds were injected to /root/.kube/config by
most bundles. That location isn't accessible when running as a nonroot user.
Any kubeconfig credentials should be updated to be placed in
/home/nonroot/.kube/config or another location in /cnab/app that the
nonroot user will have access to while exporting KUBECONFIG so it can be
located by kubectl/helm.

I have updated helm3 to locate kubeconfig using the same logic as kubectl,
using the KUBECONFIG environment variable, then $HOME/.kube/config.

It also switches the user that some commands run as during build.
Installing helm should run as root, but initializing the helm
repositories should run as the same user that the container runs as,
nonroot, so that the .helm config directory is located in /home/nonroot
where it can be read when the bundle is executed.

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>
@carolynvs carolynvs force-pushed the configureable-kubeconfig branch from 9c48a31 to 8df61c1 Compare April 11, 2022 20:34
@carolynvs carolynvs marked this pull request as ready for review April 11, 2022 20:36
@carolynvs
Collaborator Author

@MChorfa Okay this is ready for review, apologies for not submitting it sooner!

If you have any questions about the recent changes to execute bundles as a nonroot user, just ask. I realize a lot of this information hasn't been communicated yet. Basically porter changed to fix a security problem and now some of the mixins are impacted because we don't run as root anymore.

@MChorfa MChorfa merged commit 92d7633 into MChorfa:master May 20, 2022