make sure pomerium is running as non-root inside a container (pomeriu…

…m#268)
LuxorLabs · Jul 6, 2022 · f86eed8 · f86eed8
1 parent 150b51f
commit f86eed8
Show file tree

Hide file tree

Showing 28 changed files with 190 additions and 203 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -21,3 +21,12 @@ repos:
         args: ["lint"]
         types: ["go"]
         pass_filenames: false
+        fail_fast: true
+      - id: deployment
+        name: deployment
+        fail_fast: true
+        language: system
+        entry: make
+        args: ["deployment"]
+        types: ["yaml"]
+        pass_filenames: false
diff --git a/Dockerfile.release b/Dockerfile.release
@@ -3,4 +3,4 @@ ARG ARCH
 FROM gcr.io/distroless/base:nonroot-${TARGETARCH:-amd64}
 WORKDIR /pomerium
 COPY pomerium* /bin/
-ENTRYPOINT [ "/bin/pomerium-ingress" ]
+ENTRYPOINT [ "/bin/pomerium-ingress" ]
diff --git a/Makefile b/Makefile
@@ -212,7 +212,7 @@ dev-install:
 	@echo "==> $@"
 	@echo "deleting pods..."
 	@kubectl delete --force --selector app.kubernetes.io/name=pomerium pods || true
-	@$(KUSTOMIZE) build config/dev | kubectl apply --filename -
+	@$(KUSTOMIZE) build config/dev/local | kubectl apply --filename -
 	@stern -n pomerium --selector app.kubernetes.io/name=pomerium
 
 .PHONY: dev-gen-secrets

diff --git a/apis/ingress/v1/zz_generated.deepcopy.go b/apis/ingress/v1/zz_generated.deepcopy.go
diff --git a/cmd/all_in_one.go b/cmd/all_in_one.go
@@ -30,8 +30,10 @@ import (
 type allCmdOptions struct {
 	ingressControllerOpts
 	debug bool
-	// MetricsBindAddress must be externally accessible host:port
-	MetricsBindAddress string `validate:"required,hostname_port"`
+	// metricsBindAddress must be externally accessible host:port
+	metricsBindAddress string `validate:"required,hostname_port"`
+	serverAddr         string `validate:"required,hostname_port"`
+	httpRedirectAddr   string `validate:"required,hostname_port"`
 }
 
 type allCmdParam struct {
@@ -40,9 +42,10 @@ type allCmdParam struct {
 	updateStatusFromService string
 	dumpConfigDiff          bool
 
-	metricsBindAddress   string
+	// bootstrapMetricsAddr for bootstrap configuration controller metrics
 	bootstrapMetricsAddr string
-	ingressMetricsAddr   string
+	// ingressMetricsAddr for ingress+settings reconciliation controller metrics
+	ingressMetricsAddr string
 
 	cfg config.Config
 }
@@ -72,7 +75,10 @@ func (s *allCmd) setupFlags() error {
 	if err := flags.MarkHidden("debug"); err != nil {
 		return err
 	}
-	flags.StringVar(&s.MetricsBindAddress, metricsBindAddress, "", "host:port for aggregate metrics")
+	flags.StringVar(&s.metricsBindAddress, metricsBindAddress, "", "host:port for aggregate metrics. host is mandatory")
+	flags.StringVar(&s.serverAddr, "server-addr", ":8443", "the address the HTTPS server would bind to")
+	flags.StringVar(&s.httpRedirectAddr, "http-redirect-addr", ":8080", "the address HTTP redirect would bind to")
+
 	s.ingressControllerOpts.setupFlags(flags)
 	return viperWalk(flags)
 }
@@ -117,9 +123,8 @@ func (s *allCmdOptions) getParam() (*allCmdParam, error) {
 		ingressOpts:             opts,
 		updateStatusFromService: s.UpdateStatusFromService,
 		dumpConfigDiff:          s.debug,
-		metricsBindAddress:      s.MetricsBindAddress,
 	}
-	if err := p.makeBootstrapConfig(); err != nil {
+	if err := p.makeBootstrapConfig(*s); err != nil {
 		return nil, fmt.Errorf("bootstrap: %w", err)
 	}
 
@@ -144,9 +149,12 @@ func (s *allCmdParam) run(ctx context.Context) error {
 	return eg.Wait()
 }
 
-func (s *allCmdParam) makeBootstrapConfig() error {
+func (s *allCmdParam) makeBootstrapConfig(opt allCmdOptions) error {
 	s.cfg.Options = config.NewDefaultOptions()
 
+	s.cfg.Options.Addr = opt.serverAddr
+	s.cfg.Options.HTTPRedirectAddr = opt.httpRedirectAddr
+
 	ports, err := netutil.AllocatePorts(7)
 	if err != nil {
 		return fmt.Errorf("allocating ports: %w", err)
@@ -157,6 +165,8 @@ func (s *allCmdParam) makeBootstrapConfig() error {
 	s.bootstrapMetricsAddr = fmt.Sprintf("localhost:%s", ports[5])
 	s.ingressMetricsAddr = fmt.Sprintf("localhost:%s", ports[6])
 
+	s.cfg.Options.MetricsAddr = opt.metricsBindAddress
+
 	s.cfg.MetricsScrapeEndpoints = []config.MetricsScrapeEndpoint{
 		{
 			Name: "bootstrap",
@@ -182,8 +192,6 @@ func (s *allCmdParam) makeBootstrapConfig() error {
 		},
 	}
 
-	s.cfg.Options.MetricsAddr = ":9090"
-
 	return nil
 }
 

diff --git a/config/pomerium/deployment.yaml b/config/pomerium/deployment.yaml
diff --git a/config/pomerium/deployment/args.yaml b/config/pomerium/deployment/args.yaml
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium
+spec:
+  template:
+    spec:
+      containers:
+        - name: pomerium
+          args:
+            - all-in-one
+            - --global-settings=$(POMERIUM_NAMESPACE)/settings
+            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
+            - --metrics-bind-address=$(POD_IP):9090
+          env:
+            - name: POMERIUM_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
diff --git a/config/pomerium/deployment/base.yaml b/config/pomerium/deployment/base.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium
+spec:
+  replicas: 1
+  template:
+    spec:
+      containers:
+        - name: pomerium
+      serviceAccountName: pomerium-controller
+      terminationGracePeriodSeconds: 10
diff --git a/config/pomerium/healthcheck.yaml → config/pomerium/deployment/healthcheck.yaml b/config/pomerium/healthcheck.yaml → config/pomerium/deployment/healthcheck.yaml
diff --git a/config/pomerium/deployment/image.yaml b/config/pomerium/deployment/image.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium
+spec:
+  replicas: 1
+  template:
+    spec:
+      containers:
+        - name: pomerium
+          image: pomerium/ingress-controller:main
+          imagePullPolicy: IfNotPresent
diff --git a/config/pomerium/deployment/kustomization.yaml b/config/pomerium/deployment/kustomization.yaml
@@ -0,0 +1,10 @@
+resources:
+  - base.yaml
+patchesStrategicMerge:
+  - args.yaml
+  - image.yaml
+  - ports.yaml
+  - resources.yaml
+  - no-root.yaml
+  - readonly-root-fs.yaml
+  #- healthchecks.yaml
diff --git a/config/pomerium/deployment/no-root.yaml b/config/pomerium/deployment/no-root.yaml
@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium
+spec:
+  template:
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      containers:
+        - name: pomerium
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsGroup: 1000
+            runAsUser: 1000
diff --git a/config/pomerium/deployment/ports.yaml b/config/pomerium/deployment/ports.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium
+spec:
+  template:
+    spec:
+      containers:
+        - name: pomerium
+          ports:
+            - containerPort: 8443
+              name: https
+              protocol: TCP
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
diff --git a/config/pomerium/deployment/readonly-root-fs.yaml b/config/pomerium/deployment/readonly-root-fs.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium
+spec:
+  template:
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+        - name: pomerium
+          securityContext:
+            readOnlyRootFilesystem: true
+          env:
+            - name: TMPDIR
+              value: "/tmp"
+          volumeMounts:
+            - mountPath: "/tmp"
+              name: tmp
+      volumes:
+        - name: tmp
+          emptyDir: {}
diff --git a/config/pomerium/deployment/resources.yaml b/config/pomerium/deployment/resources.yaml
@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium
+spec:
+  template:
+    spec:
+      containers:
+        - name: pomerium
+          resources:
+            limits:
+              cpu: 5000m
+              memory: 1Gi
+            requests:
+              cpu: 300m
+              memory: 200Mi
diff --git a/config/pomerium/kustomization.yaml b/config/pomerium/kustomization.yaml
@@ -3,10 +3,6 @@
 #
 resources:
   - namespace.yaml
-  - deployment.yaml
-  - service_proxy.yaml
-  - service_metrics.yaml
-  - service_account.yaml
-  - role.yaml
-  - role_binding.yaml
-  - ingressclass.yaml
+  - ./ingressclass.yaml
+  - ./deployment
+  - ./service
diff --git a/config/pomerium/rbac/kustomization.yaml b/config/pomerium/rbac/kustomization.yaml
@@ -0,0 +1,4 @@
+resources:
+  - role.yaml
+  - role_binding.yaml
+  - service_account.yaml
diff --git a/config/pomerium/role.yaml → config/pomerium/rbac/role.yaml b/config/pomerium/role.yaml → config/pomerium/rbac/role.yaml
diff --git a/config/pomerium/role_binding.yaml → config/pomerium/rbac/role_binding.yaml b/config/pomerium/role_binding.yaml → config/pomerium/rbac/role_binding.yaml
diff --git a/config/pomerium/service_account.yaml → config/pomerium/rbac/service_account.yaml b/config/pomerium/service_account.yaml → config/pomerium/rbac/service_account.yaml
diff --git a/config/pomerium/service/kustomization.yaml b/config/pomerium/service/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+  - proxy.yaml
+  - metrics.yaml
diff --git a/config/pomerium/service_metrics.yaml → config/pomerium/service/metrics.yaml b/config/pomerium/service_metrics.yaml → config/pomerium/service/metrics.yaml
diff --git a/config/pomerium/service_proxy.yaml → config/pomerium/service/proxy.yaml b/config/pomerium/service_proxy.yaml → config/pomerium/service/proxy.yaml
@@ -10,6 +10,6 @@ spec:
       protocol: TCP
       name: https
     - name: http
-      targetPort: 80
+      targetPort: http
       protocol: TCP
       port: 80