Skip to content

Commit

Permalink
UD-1931: Revert back to UD-1521 fsgroup behaviour and include runAsGroup
Browse files Browse the repository at this point in the history
  • Loading branch information
knrc committed Nov 6, 2024
1 parent d5f5813 commit 749ea97
Show file tree
Hide file tree
Showing 7 changed files with 48 additions and 12 deletions.
2 changes: 1 addition & 1 deletion charts/zora/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ The following table lists the configurable parameters of the Zora chart and thei
| scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
| scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout |
| scan.plugins.trivy.insecure | bool | `false` | Allow insecure server connections for Trivy |
| scan.plugins.trivy.fsGroup | int | `nil` | Trivy fsGroup. Should be greater than 0. |
| scan.plugins.trivy.fsGroup | int | `3000` | Specifies the fsGroup to use when mounting the persistent volume. Should be greater than 0. |
| scan.plugins.trivy.persistence.enabled | bool | `true` | Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim |
| scan.plugins.trivy.persistence.accessMode | string | `"ReadWriteOnce"` | [Persistence access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) |
| scan.plugins.trivy.persistence.storageClass | string | `""` | [Persistence storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). Set to empty for default storage class |
Expand Down
4 changes: 2 additions & 2 deletions charts/zora/templates/operator/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -104,8 +104,8 @@ spec:
- --worker-image={{ printf "%s:%s" .Values.scan.worker.image.repository (.Values.scan.worker.image.tag | default .Chart.AppVersion) }}
- --cronjob-clusterrolebinding-name=zora-plugins-rolebinding
- --cronjob-serviceaccount-name=zora-plugins
- --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db-volume{{- end }}
- --trivy-fs-group={{- if .Values.scan.plugins.trivy.fsGroup }}{{ .Values.scan.plugins.trivy.fsGroup }}{{- else }}0{{- end}}
- --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-dbs-volume{{- end }}
- --trivy-fs-group={{ .Values.scan.plugins.trivy.fsGroup }}
{{- if .Values.scan.plugins.annotations}}
- --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }}
{{- end }}
Expand Down
10 changes: 5 additions & 5 deletions charts/zora/templates/plugins/trivy-job.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,9 @@ spec:
volumes:
- name: trivy-db
persistentVolumeClaim:
claimName: trivy-db-volume
{{- if .Values.scan.plugins.trivy.fsGroup }}
claimName: trivy-dbs-volume
securityContext:
fsGroup: {{ .Values.scan.plugins.trivy.fsGroup }}
{{- end }}
containers:
- name: trivy-download-db
image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}"
Expand All @@ -42,6 +40,7 @@ spec:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: {{ .Values.scan.plugins.trivy.fsGroup }}
seccompProfile:
type: "RuntimeDefault"
volumeMounts:
Expand All @@ -66,8 +65,9 @@ spec:
{{- if .Values.scan.plugins.trivy.insecure }}
--insecure \
{{- end }}
--download-java-db-only
{{- end }}
--download-java-db-only {{- end }} && \
find /tmp/trivy-cache ! -group {{ .Values.scan.plugins.trivy.fsGroup }} | xargs -r chgrp -f {{ .Values.scan.plugins.trivy.fsGroup }} && \
find /tmp/trivy-cache ! -perm -070 | xargs -r chmod -f g+rwX
env:
- name: SSL_CERT_DIR
value: "/etc/ssl/:/run/secrets/kubernetes.io/serviceaccount/"
Expand Down
2 changes: 1 addition & 1 deletion charts/zora/templates/plugins/trivy-pvc.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: trivy-db-volume
name: trivy-dbs-volume
spec:
{{- if .Values.scan.plugins.trivy.persistence.storageClass }}
storageClassName: {{ .Values.scan.plugins.trivy.persistence.storageClass | quote }}
Expand Down
28 changes: 28 additions & 0 deletions charts/zora/templates/plugins/trivy-scc.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: zora-scc
fsGroup:
type: MustRunAs
ranges:
- min: {{ .Values.scan.plugins.trivy.fsGroup }}
max: {{ .Values.scan.plugins.trivy.fsGroup }}
runAsUser:
type: MustRunAsNonRoot
seLinuxContext:
type: RunAsAny
seccompProfiles:
- runtime/default
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
users:
- system:serviceaccount:{{ .Release.Namespace }}:zora-plugins
{{- end }}
4 changes: 2 additions & 2 deletions charts/zora/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -241,8 +241,8 @@ scan:
# -- Allow insecure server connections for Trivy
insecure: false

# -- (int) Trivy fsGroup. Should be greater than 0.
fsGroup: null
# -- Specifies the fsGroup to use when mounting the persistent volume. Should be greater than 0.
fsGroup: 3000

persistence:
# -- Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim
Expand Down
10 changes: 9 additions & 1 deletion pkg/plugins/cronjob.go
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,7 @@ func (r *CronJobMutator) Mutate() error {
})
}

setRunAsGroup := false
if r.Plugin.Name == "trivy" {
if r.TrivyPVC != "" {
r.Existing.Spec.JobTemplate.Spec.Template.Spec.Volumes = append(r.Existing.Spec.JobTemplate.Spec.Template.Spec.Volumes, corev1.Volume{
Expand All @@ -155,8 +156,9 @@ func (r *CronJobMutator) Mutate() error {
},
})
}
if r.TrivyFSGroup != 0 {
if r.TrivyFSGroup > 0 {
r.Existing.Spec.JobTemplate.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{FSGroup: &r.TrivyFSGroup}
setRunAsGroup = true
}
}

Expand Down Expand Up @@ -204,6 +206,12 @@ func (r *CronJobMutator) Mutate() error {
r.Existing.Spec.JobTemplate.Spec.Template.Spec.Containers = containers
}

if setRunAsGroup {
for _, container := range r.Existing.Spec.JobTemplate.Spec.Template.Spec.Containers {
container.SecurityContext.RunAsGroup = &r.TrivyFSGroup
}
}

return ctrl.SetControllerReference(r.ClusterScan, r.Existing, r.Scheme)
}

Expand Down

0 comments on commit 749ea97

Please sign in to comment.