
Simplify container permissions (#274)
* Simplify container permissions

* Replace old refs to /home/rapidast
sfowl authored Dec 19, 2024
1 parent 20d4063 commit 35ca73a
Showing 8 changed files with 8 additions and 67 deletions.
2 changes: 1 addition & 1 deletion config/config-template-trivy-k8s-scan.yaml
Expand Up @@ -40,7 +40,7 @@ scanners:
# 'inline' is used when container.type is not 'podman'
# 'toolDir' specifies the default directory where inline scripts are located
#toolDir: scanners/generic/tools
inline: "trivy k8s --kubeconfig=/home/rapidast/.kube/config -n default pod --scanners=misconfig --report all --format json | convert_trivy_k8s_to_sarif.py"
inline: "trivy k8s --kubeconfig=/opt/rapidast/.kube/config -n default pod --scanners=misconfig --report all --format json | convert_trivy_k8s_to_sarif.py"

container:
parameters:
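Review bot: The new `inline` line still hardcodes the kubeconfig location inside the container's home directory, which is exactly the kind of reference this commit had to chase from `/home/rapidast` to `/opt/rapidast`. Since the image now sets `HOME=/opt/rapidast`, the flag can be dropped and the default lookup used instead: `inline: "trivy k8s -n default pod --scanners=misconfig --report all --format json | convert_trivy_k8s_to_sarif.py"`, with `KUBECONFIG` set in the container spec when a non-default file is mounted. Trivy's kubeconfig resolution presumably follows the client-go default chain (`KUBECONFIG`, then `$HOME/.kube/config`, then in-cluster) — confirm before relying on the in-cluster fallback for the serviceaccount-based e2e pod. If the explicit path is kept on purpose, a one-line comment saying the file must be mounted there would spare the next relocation.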
14 changes: 6 additions & 8 deletions containerize/Containerfile
Expand Up @@ -72,14 +72,12 @@ RUN microdnf install -y --setopt=install_weak_deps=0 java-11-openjdk shadow-util
pip3 install --no-cache-dir -r /opt/rapidast/requirements.txt && \
ln -s /opt/redocly/node_modules/@redocly/cli/bin/cli.js /usr/local/bin/redocly

### Allow the `dast` usergroup to make modifications to rapidast
RUN groupadd dast && \
chown -R :dast /opt/rapidast && \
chmod -R g+w /opt/rapidast && \
### Allow a user of random UID(e.g. on OpenShift) to create a custom scan policy file
chmod -R a+w /opt/rapidast/scanners/zap/policies && \
useradd -u 1000 -d /home/rapidast -m -s /bin/bash -G dast rapidast && \
echo rapidast:rapidast | chpasswd
RUN useradd -u 1000 -d /opt/rapidast -m -s /bin/bash rapidast && \
chown -R 1000 /opt/rapidast && \
# OpenShift runs containers with arbitrary user ids, belonging to root group
chgrp -R 0 /opt/rapidast && \
chmod -R g=u /opt/rapidast

USER rapidast
WORKDIR /opt/rapidast
ENV HOME /opt/rapidast
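Review bot: `chgrp -R 0` followed by `chmod -R g=u` over the whole of `/opt/rapidast` makes the application code itself (`rapidast.py`, the `scanners/` tree, `requirements.txt`) writable by any process in the root group, not only the runtime directories the replaced layer singled out, so a scanner process fed hostile responses can rewrite the scripts that run next. The previous layout had the same exposure through the `dast` group, so this is not a regression, but the write surface could be narrowed to what is actually written at runtime (policies, results, and whatever dot-directories ZAP and trivy create under `$HOME`), and whichever choice is kept should be stated in the comment, e.g. `# Arbitrary-UID (GID 0) processes get write access to the whole tree, code included; narrow this if the image is run against untrusted targets`. Separately, `useradd -m -d /opt/rapidast` targets a directory that already exists from the `pip3 install` layer above, so useradd warns and skips the skel copy — `-M` states the intent and keeps the build log clean. Last, `ENV HOME /opt/rapidast` is the legacy whitespace form; `ENV HOME=/opt/rapidast` is the current syntax.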
4 changes: 0 additions & 4 deletions e2e-tests/manifests/rapidast-nessus-pod.yaml
Expand Up @@ -9,8 +9,6 @@ spec:
- -c
- ./rapidast.py
env:
- name: HOME
value: /opt/rapidast
- name: NESSUS_USER
value: admin
- name: NESSUS_PASSWORD
Expand All @@ -28,8 +26,6 @@ spec:
volumeMounts:
- name: config-volume
mountPath: /opt/rapidast/config
securityContext:
supplementalGroups: [1000] # "dast" group, necessary to write to /opt/rapidast/results if no PVC mounted
volumes:
- name: config-volume
configMap:
8 changes: 0 additions & 8 deletions e2e-tests/manifests/rapidast-oobtkube-pod.yaml
Expand Up @@ -11,9 +11,6 @@ spec:
- bash
- -c
- ./rapidast.py
env:
- name: HOME
value: /opt/rapidast
image: ${IMAGE} # quay.io/redhatproductsecurity/rapidast:latest
imagePullPolicy: Always
name: rapidast-oobtkube
Expand All @@ -25,13 +22,8 @@ spec:
- name: config-volume
mountPath: /opt/rapidast/config
serviceAccountName: ${SERVICEACCOUNT} # oobtkube needs perms to query API server
securityContext:
supplementalGroups: [1000] # "dast" group, necessary to write to /opt/rapidast/results if no PVC mounted
volumes:
- name: config-volume
configMap:
name: rapidast-oobtkube
# - name: results-volume
# persistentVolumeClaim:
# claimName: rapidast-results
restartPolicy: Never
8 changes: 0 additions & 8 deletions e2e-tests/manifests/rapidast-trivy-pod.yaml
Expand Up @@ -9,9 +9,6 @@ spec:
- bash
- -c
- ./rapidast.py
env:
- name: HOME
value: /opt/rapidast
image: ${IMAGE} # quay.io/redhatproductsecurity/rapidast:latest
imagePullPolicy: Always
name: rapidast-trivy
Expand All @@ -26,13 +23,8 @@ spec:
- name: config-volume
mountPath: /opt/rapidast/config
serviceAccountName: ${SERVICEACCOUNT} # trivy needs perms to query API server
securityContext:
supplementalGroups: [1000] # "dast" group, necessary to write to /opt/rapidast/results if no PVC mounted
volumes:
- name: config-volume
configMap:
name: rapidast-trivy
# - name: results-volume
# persistentVolumeClaim:
# claimName: rapidast-results
restartPolicy: Never
23 changes: 0 additions & 23 deletions e2e-tests/manifests/rapidast-vapi-pod.yaml
Expand Up @@ -9,10 +9,6 @@ spec:
- bash
- -c
- "./rapidast.py && cat results/*/*/zap/zap-report.json" # ugly, but saves needing a PVC to retrieve .json file after execution
# - "./rapidast.py --log-level debug && sleep infinity" # keep the pod alive so we can exec into it to parse reports
env:
- name: HOME
value: /opt/rapidast
image: ${IMAGE} # quay.io/redhatproductsecurity/rapidast:latest
imagePullPolicy: Always
name: rapidast-vapi
Expand All @@ -26,27 +22,8 @@ spec:
volumeMounts:
- name: config-volume
mountPath: /opt/rapidast/config
# - name: results-volume
# mountPath: /opt/rapidast/results
securityContext:
supplementalGroups: [1000] # "dast" group, necessary to write to /opt/rapidast/results if no PVC mounted
volumes:
- name: config-volume
configMap:
name: rapidast-vapi
# - name: results-volume
# persistentVolumeClaim:
# claimName: rapidast-results
restartPolicy: Never
# ---
# apiVersion: v1
# kind: PersistentVolumeClaim
# metadata:
# name: rapidast-results
# spec:
# accessModes:
# - ReadWriteOnce
# volumeMode: Filesystem
# resources:
# requests:
# storage: 1Gi
2 changes: 1 addition & 1 deletion helm/chart/templates/_helpers.tpl
Expand Up @@ -45,7 +45,7 @@ template:
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
# Since Helm configmap cannot handle the dash character but the policy name undner scanPolicyXML' in 'values.yaml' is 'helm-custom-scan', the dest file name of the copy command is 'helm-custom-scan.policy'.
# This file will be used if the rapidast config specifies 'helm-custom-scan' for the activeScan policy.
# Otherwise, '/home/rapidast/.ZAP/policies/API-scan-minimal.policy' will be used by default.
# Otherwise, '/opt/rapidast/.ZAP/policies/API-scan-minimal.policy' will be used by default.
command: ["sh", "-c", "cp /helm/config/helmcustomscan.policy /opt/rapidast/scanners/zap/policies/helm-custom-scan.policy && rapidast.py --config /helm/config/rapidastconfig.yaml"]
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
14 changes: 0 additions & 14 deletions scanners/zap/zap_none.py
Expand Up @@ -92,9 +92,6 @@ def setup(self):
if self.state != State.ERROR:
self.state = State.READY

# Change HOME if needed
self._create_home_if_needed()

def run(self):
"""If the state is READY, run the final run command on the local machine
There is no need to call super() here.
Expand Down Expand Up @@ -267,14 +264,3 @@ def _handle_plugins(self):
logging.warning(
f"ZAP did not handle the addon requirements correctly, and exited with code {result.returncode}"
)

def _create_home_if_needed(self):
"""Some tools (most notably: ZAP's Ajax Spider with Firefox) require a writable home directory.
When RapiDAST is run in Openshift, the user's home is /, which is not writable.
In that case, create a temporary directory and redirect $HOME to that directory
"""
# test if HOME is writable. In that case, nothing needs to be done
if os.access(os.environ["HOME"], os.W_OK):
return
os.environ["HOME"] = self._create_temp_dir("home")
logging.debug(f"Replaced HOME directory, to {os.environ['HOME']}")
