Trustee containers as non-privileged

lmilleri · lmilleri · commit 11025e3e7fcc · 2024-05-21T11:57:38.000+01:00
Signed-off-by: Leonardo Milleri &lt;lmilleri@redhat.com&gt;
diff --git a/config/samples/all-in-one/kbs-config.yaml b/config/samples/all-in-one/kbs-config.yaml
@@ -31,6 +31,6 @@ data:
           }
         },
         "policy_engine_config": {
-          "policy_path": "/opa/confidential-containers/kbs/policy.rego"
+          "policy_path": "/opt/confidential-containers/opa/policy.rego"
         }
     }
diff --git a/config/samples/microservices/kbs-config.yaml b/config/samples/microservices/kbs-config.yaml
@@ -20,5 +20,8 @@ data:
         "repository_config": {
           "type": "LocalFs",
           "dir_path": "/opt/confidential-containers/kbs/repository"
+        },
+        "policy_engine_config": {
+          "policy_path": "/opt/confidential-containers/opa/policy.rego"
         }
     }
diff --git a/internal/controller/kbsconfig_controller.go b/internal/controller/kbsconfig_controller.go
@@ -330,20 +330,37 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) *appsv1.Depl
 		kbsDeploymentType = confidentialcontainersorgv1alpha1.DeploymentTypeMicroservices
 	}
 
-	// RunAsUser (root) 0
-	runAsUser := int64(0)
-
 	var volumes []corev1.Volume
 	var kbsVM []corev1.VolumeMount
 	var asVM []corev1.VolumeMount
 	var rvpsVM []corev1.VolumeMount
 
+	// The paths /opt/confidential-container and /opt/confidential-container/kbs/repository/default
+	// are mounted as a RW volume in memory to allow trustee components
+	// to have full access to the filesystem
+	// confidential-containers
+	volume, err := r.createConfidentialContainersVolume(confidentialContainers)
+	if err != nil {
+		return nil
+	}
+	volumes = append(volumes, *volume)
+	volumeMount := createVolumeMount(volume.Name, filepath.Join(rootPath, volume.Name))
+	kbsVM = append(kbsVM, volumeMount)
+	// default repo
+	volume, err = r.createDefaultRepositoryVolume(defaultRepository)
+	if err != nil {
+		return nil
+	}
+	volumes = append(volumes, *volume)
+	volumeMount = createVolumeMount(volume.Name, filepath.Join(repositoryPath, volume.Name))
+	kbsVM = append(kbsVM, volumeMount)
+
 	// kbs-config
-	volume, err := r.createKbsConfigMapVolume(ctx, "kbs-config")
+	volume, err = r.createKbsConfigMapVolume(ctx, "kbs-config")
 	if err != nil {
 		return nil
 	}
-	volumeMount := createVolumeMount(volume.Name, filepath.Join(kbsDefaultConfigPath, volume.Name))
+	volumeMount = createVolumeMount(volume.Name, filepath.Join(kbsDefaultConfigPath, volume.Name))
 	volumes = append(volumes, *volume)
 	kbsVM = append(kbsVM, volumeMount)
 
@@ -424,13 +441,13 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) *appsv1.Depl
 		rvpsVM = append(rvpsVM, volumeMount)
 	}
 
-	containers := []corev1.Container{r.buildKbsContainer(kbsVM, runAsUser)}
+	containers := []corev1.Container{r.buildKbsContainer(kbsVM)}
 
 	if kbsDeploymentType == confidentialcontainersorgv1alpha1.DeploymentTypeMicroservices {
 		// build AS container
-		containers = append(containers, r.buildAsContainer(asVM, runAsUser))
+		containers = append(containers, r.buildAsContainer(asVM))
 		// build RVPS container
-		containers = append(containers, r.buildRvpsContainer(rvpsVM, runAsUser))
+		containers = append(containers, r.buildRvpsContainer(rvpsVM))
 	}
 
 	// Create the deployment
@@ -464,7 +481,7 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) *appsv1.Depl
 	return deployment
 }
 
-func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount, runAsUser int64) corev1.Container {
+func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount) corev1.Container {
 	asImageName := os.Getenv("AS_IMAGE_NAME")
 	if asImageName == "" {
 		asImageName = DefaultAsImageName
@@ -490,16 +507,12 @@ func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount
 		},
 		// Add command to start AS
 		Command: asCommand,
-		// Add SecurityContext
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
 		// Add volume mount for config
 		VolumeMounts: volumeMounts,
 	}
 }
 
-func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMount, runAsUser int64) corev1.Container {
+func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMount) corev1.Container {
 	rvpsImageName := os.Getenv("RVPS_IMAGE_NAME")
 	if rvpsImageName == "" {
 		rvpsImageName = DefaultRvpsImageName
@@ -523,16 +536,12 @@ func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMou
 		},
 		// Add command to start RVPS
 		Command: rvpsCommand,
-		// Add SecurityContext
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
 		// Add volume mount for config
 		VolumeMounts: volumeMounts,
 	}
 }
 
-func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMount, runAsUser int64) corev1.Container {
+func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMount) corev1.Container {
 	// Get Image Name from env variable if set
 	imageName := os.Getenv("KBS_IMAGE_NAME")
 	if imageName == "" {
@@ -557,10 +566,6 @@ func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMoun
 		},
 		// Add command to start KBS
 		Command: command,
-		// Add SecurityContext
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
 		// Add volume mount for KBS config
 		VolumeMounts: volumeMounts,
 		/* TODO commented out because not configurable yet
diff --git a/internal/controller/volumes.go b/internal/controller/volumes.go
@@ -25,6 +25,30 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+func (r *KbsConfigReconciler) createConfidentialContainersVolume(volumeName string) (*corev1.Volume, error) {
+	volume := corev1.Volume{
+		Name: volumeName,
+		VolumeSource: corev1.VolumeSource{
+			EmptyDir: &corev1.EmptyDirVolumeSource{
+				Medium: corev1.StorageMediumMemory,
+			},
+		},
+	}
+	return &volume, nil
+}
+
+func (r *KbsConfigReconciler) createDefaultRepositoryVolume(volumeName string) (*corev1.Volume, error) {
+	volume := corev1.Volume{
+		Name: volumeName,
+		VolumeSource: corev1.VolumeSource{
+			EmptyDir: &corev1.EmptyDirVolumeSource{
+				Medium: corev1.StorageMediumMemory,
+			},
+		},
+	}
+	return &volume, nil
+}
+
 func (r *KbsConfigReconciler) createKbsConfigMapVolume(ctx context.Context, volumeName string) (*corev1.Volume, error) {
 	if r.kbsConfig.Spec.KbsConfigMapName != "" {
 		foundConfigMap := &corev1.ConfigMap{}

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,6 @@ data:`
`31`	`31`	`}`
`32`	`32`	`},`
`33`	`33`	`"policy_engine_config": {`
`34`		`- "policy_path": "/opa/confidential-containers/kbs/policy.rego"`
	`34`	`+ "policy_path": "/opt/confidential-containers/opa/policy.rego"`
`35`	`35`	`}`
`36`	`36`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,5 +20,8 @@ data:`
`20`	`20`	`"repository_config": {`
`21`	`21`	`"type": "LocalFs",`
`22`	`22`	`"dir_path": "/opt/confidential-containers/kbs/repository"`
	`23`	`+ },`
	`24`	`+ "policy_engine_config": {`
	`25`	`+ "policy_path": "/opt/confidential-containers/opa/policy.rego"`
`23`	`26`	`}`
`24`	`27`	`}`