From 1d9ef22eb37cf2066f2308f4ad57ed5b81860616 Mon Sep 17 00:00:00 2001
From: Chmouel Boudjnah
Date: Thu, 11 Apr 2019 16:35:07 +0200
Subject: [PATCH] Remove admin privileges
* Remove admin priviliged rights: `anyuid` and `cluster-admin`.
* Add uidwrapper to set a fixed username
By default openshift runs as random user which get git < 2.0 confused and fail its operations. Use a wrapper around some containers (git-init/creds-init) to set a fixed uid.
https://docs.okd.io/latest/creating_images/guidelines.html#openshift-specific-guidelines
* Use some trickery for envsubst
Envsubst is a stuborn whiny child who wants to subst our variables even tho we don't want to modify those. Since there is no way to exclude some variables, we have our beautiful DOLLAR string replacing the dollar and we sed 's//' it after that envsubst have done its dirty work.
Signed-off-by: Chmouel Boudjnah
---
 Makefile | 7 ++++++-
 openshift/ci-operator/Dockerfile-git.in | 14 +++++++++++++-
 openshift/ci-operator/generate-dockerfiles.sh | 2 +-
 .../knative-images/creds-init/Dockerfile | 14 +++++++++++++-
 .../ci-operator/knative-images/git-init/Dockerfile | 14 +++++++++++++-
 openshift/ci-operator/uidwrapper | 8 ++++++++
 openshift/e2e-tests-openshift.sh | 4 ----
 7 files changed, 54 insertions(+), 9 deletions(-)
 create mode 100755 openshift/ci-operator/uidwrapper
diff --git a/Makefile b/Makefile
index 4d379726837..fdb3c660650 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,7 @@ CORE_IMAGES=./cmd/bash ./cmd/controller ./cmd/entrypoint ./cmd/gsutil ./cmd/kube
 CORE_IMAGES_WITH_GIT=./cmd/creds-init ./cmd/git-init
 # Install core images
-install:
+install: installuidwrapper
 	go install $(CORE_IMAGES) $(CORE_IMAGES_WITH_GIT)
 .PHONY: install 
@@ -20,3 +20,8 @@ generate-dockerfiles:
 	./openshift/ci-operator/generate-dockerfiles.sh openshift/ci-operator/Dockerfile.in openshift/ci-operator/knative-images $(CORE_IMAGES)
 	./openshift/ci-operator/generate-dockerfiles.sh openshift/ci-operator/Dockerfile-git.in openshift/ci-operator/knative-images $(CORE_IMAGES_WITH_GIT)
 .PHONY: generate-dockerfiles
+
+# NOTE(chmou): Install uidwraper for launching some binaries with fixed uid
+UIDWRAPPER_PATH=./openshift/ci-operator/uidwrapper
+installuidwrapper: $(UIDWRAPPER_PATH)
+	install -m755 $(UIDWRAPPER_PATH) $(GOPATH)/bin/
diff --git a/openshift/ci-operator/Dockerfile-git.in b/openshift/ci-operator/Dockerfile-git.in
index 34b9452f12a..df12a5de403 100644
--- a/openshift/ci-operator/Dockerfile-git.in
+++ b/openshift/ci-operator/Dockerfile-git.in
@@ -1,7 +1,19 @@
 # Do not edit! This file was generated via Makefile
 FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base
+# NOTE(chmou): We use dollar here so that envsubst don't get confused and expand
+# our local PATH.
+ENV HOME=/ko-app PATH=DOLLAR{HOME}:DOLLAR{PATH}
 RUN yum install -y git openssh-client
-ADD ${bin} /ko-app/${bin}
+COPY ${bin} DOLLAR{HOME}/${bin}.orig
+COPY uidwrapper DOLLAR{HOME}/${bin}
+
+RUN chgrp -R 0 DOLLAR{HOME} && \
+ chmod -R g=u DOLLAR{HOME} /etc/passwd
+
 ENTRYPOINT ["/ko-app/${bin}"]
+
+# Local Variables:
+# mode: dockerfile
+# End:
diff --git a/openshift/ci-operator/generate-dockerfiles.sh b/openshift/ci-operator/generate-dockerfiles.sh
index 8f2fbf22ccf..011f03b47ef 100755
--- a/openshift/ci-operator/generate-dockerfiles.sh
+++ b/openshift/ci-operator/generate-dockerfiles.sh
@@ -8,7 +8,7 @@ function generate_dockefiles() {
 for img in $@; do
 local image_base=$(basename $img)
 mkdir -p $target_dir/$image_base
-bin=$image_base envsubst < $dockerfile_in > $target_dir/$image_base/Dockerfile
+bin=$image_base envsubst < $dockerfile_in | sed 's/DOLLAR/$/g' > $target_dir/$image_base/Dockerfile
 done
 } 
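Review bot: `installuidwrapper` is a command, not a file, but unlike `install` and `generate-dockerfiles` just above it there is no `.PHONY: installuidwrapper` line, so a stray file of that name in the repo root would make `make install` silently skip installing the wrapper. The recipe `install -m755 $(UIDWRAPPER_PATH) $(GOPATH)/bin/` also has nothing guarding `$(GOPATH)`: when the variable is unset in the environment (since Go 1.8 the default workspace is known only to the go tool) the wrapper is copied into `/bin/`, which either fails or, when run as root, drops a script into the system path. Define it from the tool, `GOPATH ?= $(shell go env GOPATH)`, or fail early with `$(if $(strip $(GOPATH)),,$(error GOPATH is not set))`, and add `.PHONY: installuidwrapper` after the rule.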
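Review bot: `ENV HOME=/ko-app PATH=DOLLAR{HOME}:DOLLAR{PATH}` does not put /ko-app on PATH: Docker resolves every variable in an ENV instruction against the environment as it stood before that instruction, so the generated `${HOME}` expands to the base image's HOME (or to nothing), not to `/ko-app`. Splitting it into `ENV HOME=/ko-app` followed by `ENV PATH=DOLLAR{HOME}:DOLLAR{PATH}` gives the intended value; the two generated Dockerfiles under knative-images carry the same line and are fixed by re-running generate-dockerfiles. On the second RUN, `chmod -R g=u DOLLAR{HOME} /etc/passwd` makes /etc/passwd and every binary under /ko-app writable by gid 0, the group the arbitrary-uid runtime user is expected to have; uidwrapper depends on the /etc/passwd part, so say so next to it, e.g. `# /etc/passwd is made group-writable so uidwrapper can append an entry for the arbitrary runtime uid`, and check whether the copied binaries themselves need to be group-writable or whether the directory alone suffices.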
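Review bot: The `DOLLAR` placeholder and the `sed 's/DOLLAR/$/g'` post-pass are not needed: envsubst accepts a SHELL-FORMAT argument naming the variables to substitute, so `bin=$image_base envsubst '$bin' < $dockerfile_in > $target_dir/$image_base/Dockerfile` leaves `${HOME}` and `${PATH}` in the template untouched and the template can then use plain `${HOME}`. If the pipeline is kept anyway, note that a failing envsubst is masked by sed's exit status unless the script sets `set -o pipefail`. The enclosing `generate_dockefiles` function starts before the hunk.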
diff --git a/openshift/ci-operator/knative-images/creds-init/Dockerfile b/openshift/ci-operator/knative-images/creds-init/Dockerfile
index af6189d08ea..8732a3ad273 100644
--- a/openshift/ci-operator/knative-images/creds-init/Dockerfile
+++ b/openshift/ci-operator/knative-images/creds-init/Dockerfile
@@ -1,7 +1,19 @@
 # Do not edit! This file was generated via Makefile
 FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base
+# NOTE(chmou): We use dollar here so that envsubst don't get confused and expand
+# our local PATH.
+ENV HOME=/ko-app PATH=${HOME}:${PATH}
 RUN yum install -y git openssh-client
-ADD creds-init /ko-app/creds-init
+COPY creds-init ${HOME}/creds-init.orig
+COPY uidwrapper ${HOME}/creds-init
+
+RUN chgrp -R 0 ${HOME} && \
+ chmod -R g=u ${HOME} /etc/passwd
+
 ENTRYPOINT ["/ko-app/creds-init"]
+
+# Local Variables:
+# mode: dockerfile
+# End:
diff --git a/openshift/ci-operator/knative-images/git-init/Dockerfile b/openshift/ci-operator/knative-images/git-init/Dockerfile
index 975668cb99a..06fb59a3941 100644
--- a/openshift/ci-operator/knative-images/git-init/Dockerfile
+++ b/openshift/ci-operator/knative-images/git-init/Dockerfile
@@ -1,7 +1,19 @@
 # Do not edit! This file was generated via Makefile
 FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base
+# NOTE(chmou): We use dollar here so that envsubst don't get confused and expand
+# our local PATH.
+ENV HOME=/ko-app PATH=${HOME}:${PATH}
 RUN yum install -y git openssh-client
-ADD git-init /ko-app/git-init
+COPY git-init ${HOME}/git-init.orig
+COPY uidwrapper ${HOME}/git-init
+
+RUN chgrp -R 0 ${HOME} && \
+ chmod -R g=u ${HOME} /etc/passwd
+
 ENTRYPOINT ["/ko-app/git-init"]
+
+# Local Variables:
+# mode: dockerfile
+# End:
diff --git a/openshift/ci-operator/uidwrapper b/openshift/ci-operator/uidwrapper
new file mode 100755
index 00000000000..20b74123ff2
--- /dev/null
+++ b/openshift/ci-operator/uidwrapper 
@@ -0,0 +1,8 @@
+#!/bin/sh
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
+
+exec ${0}.orig $@
diff --git a/openshift/e2e-tests-openshift.sh b/openshift/e2e-tests-openshift.sh
index c5d50eb6ab1..93bab166edf 100755
--- a/openshift/e2e-tests-openshift.sh
+++ b/openshift/e2e-tests-openshift.sh
@@ -17,10 +17,6 @@ env
 function install_tekton_pipeline() {
 header "Installing Tekton Pipeline"
- # Grant the necessary privileges to the service accounts Knative will use:
- oc adm policy add-scc-to-user anyuid -z tekton-pipelines-controller -n $TEKTON_PIPELINE_NAMESPACE
- oc adm policy add-cluster-role-to-user cluster-admin -z tekton-pipelines-controller -n $TEKTON_PIPELINE_NAMESPACE
-
 create_pipeline
 wait_until_pods_running $TEKTON_PIPELINE_NAMESPACE || return 1
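Review bot: `if ! whoami &> /dev/null; then` uses a bash-only redirection although the script declares `#!/bin/sh`; a POSIX sh parses `&>` as `whoami &` followed by an empty `> /dev/null`, so the list's status is always 0, the branch is taken even when the uid already resolves, and whoami's output leaks to stdout. Use `if ! whoami > /dev/null 2>&1; then`. The last line `exec ${0}.orig $@` also needs quoting, `exec "${0}.orig" "$@"`, so that arguments containing spaces or glob characters reach the wrapped git-init/creds-init binary intact. The appended passwd entry takes `USER_NAME` straight from the environment; a comment stating it is expected to be a plain login name (no `:` or newline) would document the assumption the line makes.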