# SnykLive: KubeCon 2021 Edition - Oct 14, 2021
## KubeCon IaC Review Office Hours: Bring your code and questions
### [YouTube Live Stream](https://youtu.be/XRSNvAM2_lY)
### Hosts:
* [@bretfisher](https://twitter.com/BretFisher)
* [@ericsmalling](https://twitter.com/ericsmalling)
## Agenda:
1. Introduction
2. KubeCon 2021 news
3. IaC Code reviews
### Audience participation
If you have a Dockerfile, Kubernetes YAML, Helm chart, etc. that you would like discussed, add to the list below a brief summary of your request/question and link(s) to the public repo, gist or similar site holding the content you are referring to. If your sample code is small, you may inline it in a markdown code block as shown in the examples below.
**Please make sure that no credentials or other sensitive data is present in the code shared! (passwords, keys, internal host/ip info, etc)**
Please prefix your name/YouTube chat username to your list item so we know who we are addressing. (unless you just want to stay anonymous, I suppose!)
#### Post your code reviews / questions here:
* *Example 1:* [Eric Smalling] - Deploying the following to my kind cluster shows a `CreateContainerConfigError`, and describing the pod shows `Error: container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root`. Why is this?
The image is built from this project: https://github.com/kubernetes-up-and-running/kuard
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: kuard
  name: kuard
spec:
  containers:
  - image: gcr.io/kuar-demo/kuard-amd64:blue
    name: kuard
    securityContext:
      runAsNonRoot: true
  restartPolicy: Never
```
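The decision the kubelet makes here, reproduced as an added shell example (this is not code from the stream or from the kuard project): before starting a container with `runAsNonRoot: true`, the kubelet compares the pod's `runAsUser` (if set) or otherwise the `USER` the container runtime reports for the image against UID 0. A numeric value passes or fails outright; a user *name* such as `nobody` is never resolved against the image's `/etc/passwd`, so the kubelet refuses to start the container rather than guess. The function below mirrors that logic and takes the image user string as an argument (the value `docker image inspect --format '{{.Config.User}}' IMAGE` prints), so it runs offline; the sample inputs in `demo` are constructed.

```shell
#!/bin/sh
# Offline mirror of the kubelet's runAsNonRoot verification (added example,
# not kubelet code). Arguments:
#   $1  image USER as stored in the image config: "", "uid", "uid:gid",
#       "name" or "name:group"
#   $2  pod/container securityContext.runAsUser, or "" when unset
# Prints the kubelet-style verdict; returns 0 if the container would start,
# 1 if it would sit in CreateContainerConfigError.
verify_run_as_non_root() {
  image_user=$1
  run_as_user=$2

  # An explicit runAsUser in the pod spec wins; the image USER is then ignored.
  if [ -n "$run_as_user" ]; then
    if [ "$run_as_user" -eq 0 ] 2>/dev/null; then
      echo "container's runAsUser breaks non-root policy"
      return 1
    fi
    echo "ok: runAsUser=$run_as_user is numeric and non-zero"
    return 0
  fi

  # Keep only the user half of "user:group".
  user_part=${image_user%%:*}

  case "$user_part" in
    ''|0)
      # No USER instruction (runtime treats it as root) or an explicit 0.
      echo "container has runAsNonRoot and image will run as root"
      return 1 ;;
    *[!0-9]*)
      # A name: the kubelet cannot map it to a UID, so it cannot prove non-root.
      echo "container has runAsNonRoot and image has non-numeric user ($user_part), cannot verify user is non-root"
      return 1 ;;
    *)
      echo "ok: image user $user_part is numeric and non-zero"
      return 0 ;;
  esac
}

# Constructed cases in the form "imageUser|runAsUser".
demo() {
  for sample in "nobody|" "nobody|65534" "1000:1000|" "|" "65534|0"; do
    img=${sample%%|*}
    uid=${sample#*|}
    printf "image USER='%s' runAsUser='%s' -> " "$img" "$uid"
    verify_run_as_non_root "$img" "$uid" || :
  done
}

demo
```

The fix for the kuard pod is therefore to give the kubelet a number: either add `runAsUser: 65534` (the UID `nobody` maps to on Alpine and Debian based images) next to `runAsNonRoot: true` in the pod's `securityContext`, or change the image's Dockerfile to a numeric `USER 65534:65534` so every consumer of the image gets a verifiable UID without per-pod configuration.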
* *Example 2:* [Eric Smalling] - My company containerized a JEE app a while ago, how does this Dockerfile look to you? https://github.com/ericsmalling/java-goof/blob/master/Dockerfile
*Add your questions below*
* Nick R - Here is a basic Dockerfile we use. Give me what we are doing wrong.
```dockerfile
# base image
FROM node:lts
# Install nginx to serve the content
RUN apt-get update && \
    apt-get -y install nginx \
    && apt-get -y install libglu1
# set working directory
RUN mkdir /app
WORKDIR /app
# add `/usr/src/app/node_modules/.bin` to $PATH
ENV PATH /app/node_modules/.bin:$PATH
ARG DEPLOY_ENV
# install and cache app dependencies
COPY web/.npmrc /app/.npmrc
COPY web/package.json /app/package.json
COPY web/package-lock.json /app/package-lock.json
COPY start.sh /app/start.sh
RUN npm ci
COPY web/ /app
# copy files for nginx
COPY deployments/nginx/nginx.conf /app/nginx/nginx.conf
COPY deployments/nginx/mime.types /app/nginx/mime.types
# copy cert files
RUN mkdir /app/certs
COPY deployments/nginx/dev.net.crt /app/certs/cert.crt
COPY deployments/nginx/dev.net.rsa /app/certs/cert.rsa
# start app
EXPOSE 80 443
CMD ["/bin/bash", "start.sh"]
```
* Here is Bret's refactor of that file
```dockerfile
# base image, make sure it's pinned to a specific version
FROM node:14.15.0 as node
# DON'T install nginx. Instead, copy these files to a new nginx stage later
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
    # TODO: add version for libglu1
    libglu1 \
    # cleanup
    && rm -rf /var/lib/apt/lists/*
# set working directory
WORKDIR /app
# add `/app/node_modules/.bin` to $PATH
ENV PATH /app/node_modules/.bin:$PATH
# FIXME: don't hardcode environments in the image.
# Each environment setting should be set at runtime
# ARG DEPLOY_ENV
# install and cache app dependencies
COPY web/.npmrc /app/.npmrc
COPY web/package*.json /app/
# we likely don't need a startup script, and CMD shouldn't use a script IMO
# Scripts are likely not to handle kernel signals well
# If you need an ENTRYPOINT script, then that's different
# COPY start.sh /app/start.sh
RUN npm ci
COPY web/ /app
# TODO build static stuff here, before we copy output to nginx
FROM nginx:1.21.3 as nginx
# copy files for nginx
COPY deployments/nginx/nginx.conf /app/nginx/nginx.conf
COPY deployments/nginx/mime.types /app/nginx/mime.types
# COPY in source code from previous stage
COPY --from=node /app/ /app/
# TODO: make a different image for proxy and tls like traefik or nginx
# don't combine web server with proxy config in distributed computing
# ideally you want to control and scale your backend, frontend, and proxy separately
# nginx config already EXPOSES 80 I think, so no need to repeat this
# EXPOSE 80 443
```
### Show Notes:
### Links:
#### Favorite KubeCon Sessions
**Day 1:**
* **Back to the Drawing Board: Building Containers with SBoMs** - Nisha Kumar, VMware
* **Kubernetes Supply Chain Security: The Software Factory** - Andrew Martin, Control Plane
* **sigstore: How We Started, Where We Are, Where We are Headed** - Bob Callaway, Red Hat & Dan Lorenc, Google
* **Kubernetes Exposed! Seven of Nine Hidden Secrets That Will Give You Pause** - Ian Coldwater, Twilio & Brad Geesaman, Aqua Security
* **Exploiting a Slightly Peculiar Volume Configuration with SIG-Honk** - Ian Coldwater, Twilio; Brad Geesaman & Rory McCune, Aqua Security; Duffie Cooley,
* **My Container Image has 500 Vulnerabilities, Now What?** - Matt Jarvis, Snyk
#### Useful IaC links
#### Comments from the show