Merge pull request #123 from nre-learning/image-changes

Enhanced granularity for image privileges and versions

CHANGELOG.md

@@ -9,7 +9,7 @@
 - Limit volume mount to lesson directory [#109](https://github.com/nre-learning/syringe/pull/109)
 - Add configuration options to influxdb export [#108](https://github.com/nre-learning/syringe/pull/108)
 - Add config flag to permit egress traffic [#119](https://github.com/nre-learning/syringe/pull/119)
-- Support option to specify curriculum version [#120](https://github.com/nre-learning/syringe/pull/120)
+- Enhanced granularity for image privileges and versions [#123](https://github.com/nre-learning/syringe/pull/123)
 
 ## v0.3.2 - April 19, 2019
 

api/exp/lessons.go

@@ -208,11 +208,10 @@ func validateLesson(syringeConfig *config.SyringeConfig, lesson *pb.Lesson) erro
 			return fail
 		}
 
-		// TODO(mierdin): Enable once the NRE Labs curriculum has been adjusted
-		// if strings.Contains(ep.Image, ":") {
-		// 	log.Error("Tags are not allowed in endpoint image refs")
-		// 	return fail
-		// }
+		if strings.Contains(ep.Image, ":") {
+			log.Error("Tags are not allowed in endpoint image refs")
+			return fail
+		}
 
 		if ep.ConfigurationType == "" {
 			continue

config/config.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"os"
 	"strconv"
+	"strings"
 
 	log "github.com/sirupsen/logrus"
 )
@@ -32,6 +33,8 @@ type SyringeConfig struct {
 	CurriculumRepoRemote string
 	CurriculumRepoBranch string
 
+	PrivilegedImages []string
+
 	AllowEgress bool
 }
 
@@ -176,6 +179,25 @@ func LoadConfigVars() (*SyringeConfig, error) {
 		config.AllowEgress = true
 	}
 
+	// +syringeconfig SYRINGE_PRIVILEGED_IMAGES is a string slice that specifies which images need privileged
+	// access granted to them. This option will eventually be deprecated in favor of a more secure option, but
+	// for now, this allows us to at least be selective about what images are granted these privileges - ideally
+	// only images which only allow user access from within a VM.
+	// Images should be separated by commas, no spaces. Image tags should NOT be included.
+	privImages := os.Getenv("SYRINGE_PRIVILEGED_IMAGES")
+	if privImages == "" {
+		config.PrivilegedImages = []string{
+			"antidotelabs/container-vqfx",
+			"antidotelabs/vqfx-snap1",
+			"antidotelabs/vqfx-snap2",
+			"antidotelabs/vqfx-snap3",
+			"antidotelabs/vqfx-full",
+			"antidotelabs/cvx",
+		}
+	} else {
+		config.PrivilegedImages = strings.Split(privImages, ",")
+	}
+
 	log.Debugf("Syringe config: %s", config.JSON())
 
 	return &config, nil

config/config_test.go

@@ -67,7 +67,15 @@ func TestConfigJSON(t *testing.T) {
 		CurriculumVersion:    "latest",
 		CurriculumRepoRemote: "https://github.com/nre-learning/nrelabs-curriculum.git",
 		CurriculumRepoBranch: "master",
-		AllowEgress:          false,
+		PrivilegedImages: []string{
+			"antidotelabs/container-vqfx",
+			"antidotelabs/vqfx-snap1",
+			"antidotelabs/vqfx-snap2",
+			"antidotelabs/vqfx-snap3",
+			"antidotelabs/vqfx-full",
+			"antidotelabs/cvx",
+		},
+		AllowEgress: false,
 	}
 
 	t.Log(syringeConfig.JSON())

scheduler/pods.go

@@ -79,57 +79,38 @@ func (ls *LessonScheduler) createPod(ep *pb.Endpoint, networks []string, req *Le
 			InitContainers: initContainers,
 			Containers: []corev1.Container{
 				{
-					Name: ep.GetName(),
-					// TODO(mierdin): Switch back the below once the NRE Labs curriculum has been adjusted
-					// Image: fmt.Sprintf("%s:%s", ep.GetImage(), ls.SyringeConfig.CurriculumVersion),
-					Image: ep.GetImage(),
-					// Omitting in order to keep things speedy. For debugging, uncomment this, and the image will be pulled every time.
+					Name:            ep.GetName(),
+					Image:           fmt.Sprintf("%s:%s", ep.GetImage(), ls.SyringeConfig.CurriculumVersion),
 					ImagePullPolicy: "Always",
-
-					// ImagePullPolicy: "IfNotPresent",
-
 					Env: []corev1.EnvVar{
-
 						// Passing in full ref as an env var in case the pod needs to configure a base URL for ingress purposes.
 						{Name: "SYRINGE_FULL_REF", Value: fmt.Sprintf("%s-%s", nsName, ep.GetName())},
 					},
 
 					Ports:        []corev1.ContainerPort{}, // Will set below
 					VolumeMounts: volumeMounts,
-					SecurityContext: &corev1.SecurityContext{
-						Capabilities: &corev1.Capabilities{
-							Add: []corev1.Capability{
-								"NET_ADMIN",
-							},
-						},
-					},
 				},
 			},
 
 			Volumes: volumes,
 		},
 	}
 
-	// TODO(mierdin): Obviously, this isn't ideal. We were previously granting privileged status to
-	// all containers, so this is technically an improvement, but not much of one. Preferably very soon
-	// we should come up with a more suitable short-term solution. The correct long-term solution
-	// might be something like labtainers, or kubevirt.
-	// Privileged status is currently required by both the lite and full vqfx versions.
-	// It may also be required by other images we bring on board.
-	privilegedImages := map[string]string{
-
-		// TODO(mierdin): Fix these once the new image is available
-		// "antidotelabs/container-vqfx":     "",
-		"antidotelabs/vqfx:snap1":         "",
-		"antidotelabs/vqfx:snap2":         "",
-		"antidotelabs/vqfx:snap3":         "",
-		"antidotelabs/vqfx-full:18.1R1.9": "",
-	}
-	if _, ok := privilegedImages[ep.Image]; ok {
-		b := true
-		pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
-			Privileged:               &b,
-			AllowPrivilegeEscalation: &b,
+	// TODO(mierdin): See Antidote mini-project 6 (MP6) for details on how we're planning to obviate
+	// the need for privileged mode entirely. For now, this mechanism allows us to only grant this to
+	// images that contain a virtualization layer (i.e. network devices).
+	for i := range ls.SyringeConfig.PrivilegedImages {
+		if ep.Image == ls.SyringeConfig.PrivilegedImages[i] {
+			b := true
+			pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+				Privileged:               &b,
+				AllowPrivilegeEscalation: &b,
+				Capabilities: &corev1.Capabilities{
+					Add: []corev1.Capability{
+						"NET_ADMIN",
+					},
+				},
+			}
 		}
 	}