Explicitly reduce user to the same as defined in the container

[RichardoC]

What this PR does / why we need it: This reduces the pod user permissions to the same defined in Dockerfile:23 This makes it easier for administrators and security tooling to tell this workload is running as non-root

[k8s-ci-robot]

Welcome @RichardoC!

It looks like this is your first PR to kubernetes-sigs/aws-iam-authenticator 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-iam-authenticator has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. :smiley:

[k8s-ci-robot]

Hi @RichardoC. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: RichardoC Once this PR has been reviewed and has the lgtm label, please assign jyotimahapatra for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

[RichardoC]

Looks like https://github.com/kubernetes/community/blob/master/contributors/guide/pull-requests.md#run-local-verifications needs updating

$ make test-integration
++ cat version.txt
+ VERSION=dev
+ [[ ! dev =~ ^([0-9]+[.][0-9]+)[.]([0-9]+)(-(alpha|beta)[.]([0-9]+))?$ ]]
+ printerr 'Version dev must be '\''X.Y.Z'\'', '\''X.Y.Z-alpha.N'\'', or '\''X.Y.Z-beta.N'\'''
+ echo 'Version dev must be '\''X.Y.Z'\'', '\''X.Y.Z-alpha.N'\'', or '\''X.Y.Z-beta.N'\'''
Version dev must be 'X.Y.Z', 'X.Y.Z-alpha.N', or 'X.Y.Z-beta.N'
+ exit 1
++ cat version.txt
+ VERSION=dev
+ [[ ! dev =~ ^([0-9]+[.][0-9]+)[.]([0-9]+)(-(alpha|beta)[.]([0-9]+))?$ ]]
+ printerr 'Version dev must be '\''X.Y.Z'\'', '\''X.Y.Z-alpha.N'\'', or '\''X.Y.Z-beta.N'\'''
+ echo 'Version dev must be '\''X.Y.Z'\'', '\''X.Y.Z-alpha.N'\'', or '\''X.Y.Z-beta.N'\'''
Version dev must be 'X.Y.Z', 'X.Y.Z-alpha.N', or 'X.Y.Z-beta.N'
+ exit 1
make: *** No rule to make target 'test-integration'.  Stop.
$ make verify
++ cat version.txt
+ VERSION=dev
+ [[ ! dev =~ ^([0-9]+[.][0-9]+)[.]([0-9]+)(-(alpha|beta)[.]([0-9]+))?$ ]]
+ printerr 'Version dev must be '\''X.Y.Z'\'', '\''X.Y.Z-alpha.N'\'', or '\''X.Y.Z-beta.N'\'''
+ echo 'Version dev must be '\''X.Y.Z'\'', '\''X.Y.Z-alpha.N'\'', or '\''X.Y.Z-beta.N'\'''
Version dev must be 'X.Y.Z', 'X.Y.Z-alpha.N', or 'X.Y.Z-beta.N'
+ exit 1
++ cat version.txt
+ VERSION=dev
+ [[ ! dev =~ ^([0-9]+[.][0-9]+)[.]([0-9]+)(-(alpha|beta)[.]([0-9]+))?$ ]]
+ printerr 'Version dev must be '\''X.Y.Z'\'', '\''X.Y.Z-alpha.N'\'', or '\''X.Y.Z-beta.N'\'''
+ echo 'Version dev must be '\''X.Y.Z'\'', '\''X.Y.Z-alpha.N'\'', or '\''X.Y.Z-beta.N'\'''
Version dev must be 'X.Y.Z', 'X.Y.Z-alpha.N', or 'X.Y.Z-beta.N'
+ exit 1
make: *** No rule to make target 'verify'.  Stop.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[RichardoC]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[RichardoC]

/remove-lifecycle stale

[micahhausler]

Hey sorry for the late review, I see a RUN chown 65532 _output/bin/aws-iam-authenticator in the Dockerfile, but no USER directive. Also when using --generate-kubeconfig the containerized server needs to write a kubeconfig formatted file for the API to consume. Unless that host directory is mounted as writable by 65532, this would break that functionality right?

[RichardoC]

Hey sorry for the late review, I see a RUN chown 65532 _output/bin/aws-iam-authenticator in the Dockerfile, but no USER directive. Also when using --generate-kubeconfig the containerized server needs to write a kubeconfig formatted file for the API to consume. Unless that host directory is mounted as writable by 65532, this would break that functionality right?

You're right, I'd thought https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/2596d17f99149e9ce518e8bc4447e404aa655a57/Dockerfile#L26C59-L26C79 was a container running as 65532 with that user directive but based on https://github.com/kubernetes/kubernetes/blob/1c93be24ee8a607f6add6bb1869d5d2006ffa783/build/go-runner/Dockerfile it isn't.

I can add the USER directive, but you're right about that host volume needing to be mounted as the correct group. We could default to the current group, and update the docs that this folder needs to be owned by that gid, or the manifest updated?

[micahhausler]

I can add the USER directive, but you're right about that host volume needing to be mounted as the correct group. We could default to the current group, and update the docs that this folder needs to be owned by that gid, or the manifest updated?

Altering the USER would be a breaking change to the resulting image and anyone deploying from it. Given that .spec.securityContext.runAsNonRoot and .spec.securityContext.runAsUser can be used to override the USER value, its probably not needed for most use cases.

Given that the file here is just an example (deploy/example.yaml) is this change necessary? If we had a helm chart, I could see the need to set or configure these values.