Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tighten up the permissions over Authorino files within the container #391

Merged
merged 2 commits into from
Jun 9, 2023
Merged

Tighten up the permissions over Authorino files within the container #391

merged 2 commits into from
Jun 9, 2023

Conversation

guicassolato
Copy link
Collaborator

@guicassolato guicassolato commented May 10, 2023
edited
Loading

Adds new dedicated home path in the FS within the container for the binary and any other future Authorino files. The directory is owned by a new authorino Linux user and root Linux group.

This allows running Authorino on OpenShift with the default unprivileged user on standard restricted security context strategy, without the files having to be owned by root. As for other environments, users can choose to run the container as root or as the less privileged authorino user.

Implements OPTION 4 proposed for kuadrant/limitador in Kuadrant/limitador#175 (comment).

@guicassolato
Tighten up the permissions over Authorino files within the container
2159037 
- New `authorino` Linux user and `authorino` Linux group defined to own the binary
- New dedicated home path within the FS for the binary and any other future Authorino files
- Granted `r-x` permission over the home path to members of the `authorino` group - compatibility with OpenShift SCC constraints
@guicassolato guicassolato self-assigned this May 10, 2023
@guicassolato guicassolato requested a review from a team May 10, 2023 13:51
guicassolato added a commit to Kuadrant/authorino-operator that referenced this pull request May 10, 2023
@guicassolato
Set SCC supplemental group 1000 in the authorino deployment
9a781cb 
Related to Kuadrant/authorino#391
guicassolato added a commit to Kuadrant/authorino-operator that referenced this pull request May 10, 2023
@guicassolato
Set SCC supplemental group 1000 in the authorino deployment
aa57fa5 
Related to Kuadrant/authorino#391
@guicassolato guicassolato mentioned this pull request May 10, 2023
Closed
@guicassolato guicassolato merged commit bf9ab27 into main Jun 9, 2023
@guicassolato guicassolato deleted the container-user branch June 9, 2023 08:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eguzki eguzki eguzki approved these changes

Assignees

@guicassolato guicassolato

Labels
kind/enhancement New feature or request size/small
Projects
No open projects
Kuadrant Service Protection
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@guicassolato @eguzki