fix: update kube security config (#5573)

Author: stuartwdouglas

Dockerfile

@@ -41,5 +41,7 @@ ENV FTL_CONTROLLER_CONSOLE_URL="*"
 # Provisioner-specific configurations
 ENV FTL_PROVISIONER_PLUGIN_CONFIG_FILE="/home/ubuntu/ftl-provisioner-config.toml"
 
+USER 1000:1000
+
 # Default command
 CMD ["/home/ubuntu/svc"]

Dockerfile.runner-jvm

@@ -12,8 +12,12 @@ RUN mvn -B --version
 # Finally create the runtime image.
 FROM ftl0/ftl-runner:latest
 
-WORKDIR /root/
+WORKDIR /jdk/
+USER root:root
 
-ENV PATH="/root/jdk/bin:$PATH"
-ENV JAVA_HOME="/root/jdk"
-COPY --from=builder /hermit/pkg/openjdk-21.0.3_9/ /root/jdk/
+ENV PATH="/jdk/bin:$PATH"
+ENV JAVA_HOME="/jdk"
+COPY --from=builder /hermit/pkg/openjdk-21.0.3_9/ /jdk/
+RUN chown -R 1000:1000 /jdk
+
+USER 1000:1000

backend/runner/runner.go

@@ -424,6 +424,7 @@ func (s *Service) deploy(ctx context.Context, key key.Deployment, module *schema
 			"./launch",
 			ftlv1connect.NewVerbServiceClient,
 			true,
+			plugin.WithNoWorkingDir(),
 			plugin.WithEnvars(
 				envVars...,
 			),

charts/ftl/templates/_helpers.tpl

@@ -131,8 +131,6 @@ securityContext:
           - "ALL"
   seccompProfile:
     type: RuntimeDefault
-  runAsUser: 1000
-  runAsGroup: 1000
 {{- end -}}
 {{- define "ftl.resources" -}}
 resources:

charts/ftl/templates/runner.yaml

@@ -106,12 +106,17 @@ data:
                   containerPort: {{ .Values.runner.port }}
                   protocol: "TCP"
               {{- include "ftl.healthProbes" .Values.timeline | nindent 14 }}
+              {{- include "ftl.securityContext" .Values.cron | nindent 14 }}
               volumeMounts:
                 - mountPath: /home/ubuntu/.cache
                   name: cache
+                - mountPath: /tmp
+                  name: tmp
           volumes:
             - name: cache
               emptyDir: {}
+            - name: tmp
+              emptyDir: {}
       {{- include "ftl.commonPodConfig" .Values.runner | nindent 10 }}
   serviceAccountTemplate: |-
     apiVersion: v1

common/plugin/spawn.go

@@ -30,6 +30,7 @@ type pluginOptions struct {
 	envars            []string
 	additionalClients []func(baseURL string, opts ...connect.ClientOption)
 	startTimeout      time.Duration
+	noWorkingDir      bool
 }
 
 // Option used when creating a plugin.
@@ -51,6 +52,13 @@ func WithStartTimeout(timeout time.Duration) Option {
 	}
 }
 
+func WithNoWorkingDir() Option {
+	return func(po *pluginOptions) error {
+		po.noWorkingDir = true
+		return nil
+	}
+}
+
 // WithExtraClient connects to an additional gRPC service in the same plugin.
 //
 // The client instance is written to "out".
@@ -101,16 +109,18 @@ func Spawn[Client rpc.Pingable[Req, Resp, RespPtr], Req any, Resp any, RespPtr r
 		}
 	}
 	workingDir := filepath.Join(dir, ".ftl")
-	err = os.Mkdir(workingDir, 0700)
-	if err != nil && !errors.Is(err, os.ErrExist) {
-		return nil, nil, errors.WithStack(err)
-	}
-
-	// Clean up previous process.
 	pidFile := filepath.Join(workingDir, filepath.Base(exe)+".pid")
-	err = cleanup(logger, pidFile)
-	if err != nil {
-		return nil, nil, errors.WithStack(err)
+	if !opts.noWorkingDir {
+		err = os.Mkdir(workingDir, 0700)
+		if err != nil && !errors.Is(err, os.ErrExist) {
+			return nil, nil, errors.WithStack(err)
+		}
+
+		// Clean up previous process.
+		err = cleanup(logger, pidFile)
+		if err != nil {
+			return nil, nil, errors.WithStack(err)
+		}
 	}
 
 	// Find a free port.
@@ -176,10 +186,12 @@ func Spawn[Client rpc.Pingable[Req, Resp, RespPtr], Req any, Resp any, RespPtr r
 		}
 	}()
 
-	// Write the PID file.
-	err = os.WriteFile(pidFile, []byte(strconv.Itoa(cmd.Process.Pid)), 0600)
-	if err != nil {
-		return nil, nil, errors.WithStack(err)
+	if !opts.noWorkingDir {
+		// Write the PID file.
+		err = os.WriteFile(pidFile, []byte(strconv.Itoa(cmd.Process.Pid)), 0600)
+		if err != nil {
+			return nil, nil, errors.WithStack(err)
+		}
 	}
 
 	// Wait for the plugin to start.

internal/artefacts/oci_registry.go

@@ -386,7 +386,7 @@ func (s *OCIArtefactService) DownloadArtifacts(ctx context.Context, dest string,
 		}
 		var mode os.FileMode = 0600
 		if artefact.Executable {
-			mode = 0700
+			mode = 0755
 		}
 		w, err := os.OpenFile(filepath.Join(dest, artefact.Path), os.O_CREATE|os.O_WRONLY, mode)
 		if err != nil {
@@ -553,7 +553,6 @@ func createLayer(path string, artifacts []*schema.MetadataArtefact) (v1.Layer, e
 	if err := tw.Close(); err != nil {
 		return nil, errors.Wrapf(err, "failed to create layer")
 	}
-
 	// TODO: use a file
 	return tarball.LayerFromReader(&buf) //nolint
 }
@@ -576,15 +575,17 @@ func addFileToTar(tw *tar.Writer, basepath string, path string, execuable bool)
 
 	mode := int64(0644)
 	if execuable {
-		mode = 755
+		mode = 0755
 	}
 
 	// TODO: hard coded deployments path
 	hdr := &tar.Header{
-		Name:    "/deployments/" + path,
+		Name:    "deployments/" + path,
 		Mode:    mode,
 		Size:    stat.Size(),
 		ModTime: time.Now(),
+		Uid:     1000,
+		Gid:     1000,
 	}
 
 	if err := tw.WriteHeader(hdr); err != nil {