feat: run workload and charm as unprivileged user (#522)

Signed-off-by: Dario Faccin <[email protected]>

Author: dariofaccin

charms/jupyter-controller/metadata.yaml

@@ -8,6 +8,8 @@ issues: https://github.com/canonical/notebook-operators/issues
 containers:
   jupyter-controller:
     resource: oci-image
+    uid: 584792
+    gid: 584792
 resources:
   oci-image:
     type: oci-image
@@ -23,3 +25,4 @@ requires:
   logging:
     interface: loki_push_api
     optional: true
+charm-user: non-root

charms/jupyter-controller/poetry.lock

@@ -46,7 +46,7 @@ package-mode = false
 optional = true
 
 [tool.poetry.group.charm.dependencies]
-charmed-kubeflow-chisme = ">=0.4.11"
+charmed-kubeflow-chisme = ">=0.4.14"
 cosl = "^0.0.50"
 lightkube = "^0.15.6"
 ops = "^2.17.1"
@@ -86,7 +86,7 @@ optional = true
 
 [tool.poetry.group.integration.dependencies]
 juju = "<4.0"
-charmed-kubeflow-chisme = ">=0.4.11"
+charmed-kubeflow-chisme = ">=0.4.14"
 httpx = "^0.27.2"
 lightkube = "^0.15.6"
 pytest = "^8.3.4"

charms/jupyter-controller/pyproject.toml

@@ -14,8 +14,11 @@
     assert_alert_rules,
     assert_logging,
     assert_metrics_endpoint,
+    assert_security_context,
     deploy_and_assert_grafana_agent,
+    generate_container_securitycontext_map,
     get_alert_rules,
+    get_pod_names,
 )
 from charms_dependencies import ISTIO_GATEWAY, ISTIO_PILOT, JUPYTER_UI
 from httpx import HTTPStatusError
@@ -29,9 +32,17 @@
 
 METADATA = yaml.safe_load(Path("./metadata.yaml").read_text())
 APP_NAME = METADATA["name"]
+CONTAINERS_SECURITY_CONTEXT_MAP = generate_container_securitycontext_map(METADATA)
 ISTIO_GATEWAY_APP_NAME = "istio-ingressgateway"
 
 
+@pytest.fixture(scope="session")
+def lightkube_client() -> Client:
+    """Returns lightkube Kubernetes client"""
+    client = Client(field_manager=f"{APP_NAME}")
+    return client
+
+
 @pytest.mark.abort_on_fail
 async def test_build_and_deploy(ops_test: OpsTest, request):
     """Test build and deploy."""
@@ -142,9 +153,8 @@ def assert_replicas(client, resource_class, resource_name, namespace):
     assert replicas == 1, f"Waited too long for {resource_class_kind}/{resource_name}!"
 
 
-async def test_create_notebook(ops_test: OpsTest):
+async def test_create_notebook(ops_test: OpsTest, lightkube_client: Client):
     """Test notebook creation."""
-    lightkube_client = Client()
     this_ns = lightkube_client.get(res=Namespace, name=ops_test.model.name)
     lightkube_client.patch(res=Namespace, name=this_ns.metadata.name, obj=this_ns)
 
@@ -172,8 +182,30 @@ async def test_create_notebook(ops_test: OpsTest):
     assert_replicas(lightkube_client, notebook_resource, "sample-notebook", ops_test.model.name)
 
 
+@pytest.mark.parametrize("container_name", list(CONTAINERS_SECURITY_CONTEXT_MAP.keys()))
+@pytest.mark.abort_on_fail
+async def test_container_security_context(
+    ops_test: OpsTest,
+    lightkube_client: Client,
+    container_name: str,
+):
+    """Test container security context is correctly set.
+
+    Verify that container spec defines the security context with correct
+    user ID and group ID.
+    """
+    pod_name = get_pod_names(ops_test.model.name, APP_NAME)[0]
+    assert_security_context(
+        lightkube_client,
+        pod_name,
+        container_name,
+        CONTAINERS_SECURITY_CONTEXT_MAP,
+        ops_test.model.name,
+    )
+
+
 @pytest.mark.abort_on_fail
-async def test_remove_with_resources_present(ops_test: OpsTest):
+async def test_remove_with_resources_present(ops_test: OpsTest, lightkube_client: Client):
     """Test remove with all resources deployed.
 
     Verify that all deployed resources that need to be removed are removed.
@@ -184,7 +216,6 @@ async def test_remove_with_resources_present(ops_test: OpsTest):
     assert APP_NAME not in ops_test.model.applications
 
     # verify that all resources that were deployed are removed
-    lightkube_client = Client()
 
     # verify all CRDs in namespace are removed
     crd_list = lightkube_client.list(

charms/jupyter-controller/tests/integration/test_charm.py

@@ -8,6 +8,13 @@ issues: https://github.com/canonical/notebook-operators/issues
 containers:
   jupyter-ui:
     resource: oci-image
+    uid: 584792
+    gid: 584792
+    mounts:
+    - storage: config
+      location: /etc/config
+    - storage: logos
+      location: /src/apps/default/static/assets/logos/
 resources:
   oci-image:
     type: oci-image
@@ -77,3 +84,11 @@ provides:
     description: |
       Access a cross-model application from catalogue via the service mesh.
       This relation provides additional data required by the service mesh to enforce cross-model authorization policies.
+charm-user: non-root
+storage:
+  config:
+    type: filesystem
+    minimum-size: 1M
+  logos:
+    type: filesystem
+    minimum-size: 1M

charms/jupyter-ui/metadata.yaml

@@ -47,7 +47,7 @@ optional = true
 
 [tool.poetry.group.charm.dependencies]
 charmed-service-mesh-helpers = ">=0.2.0"
-charmed-kubeflow-chisme = ">=0.4.11"
+charmed-kubeflow-chisme = ">=0.4.14"
 serialized-data-interface = "<0.4"
 cosl = "^0.0.50"
 lightkube = "^0.15.6"

charms/jupyter-ui/poetry.lock

@@ -70,6 +70,7 @@
 TOLERATIONS_OPTIONS_CONFIG_DEFAULT = f"{TOLERATIONS_OPTIONS_CONFIG}-default"
 DEFAULT_PODDEFAULTS_CONFIG = "default-poddefaults"
 JWA_CONFIG_FILE = "src/templates/spawner_ui_config.yaml.j2"
+JWA_CONFIG_FILE_DST = "spawner_ui_config.yaml"
 
 IMAGE_CONFIGS = [
     JUPYTER_IMAGES_CONFIG,
@@ -120,7 +121,11 @@ def __init__(self, *args):
             " - entrypoint:app"
         )
         self._container_name = "jupyter-ui"
+        self._container_meta = self.meta.containers[self._container_name]
         self._container = self.unit.get_container(self._name)
+        self._config_storage_name = "config"
+        self._logos_storage_name = "logos"
+        self._container_meta = self.meta.containers[self._container_name]
 
         # setup context to be used for updating K8S resources
         self._context = {
@@ -302,10 +307,11 @@ def _upload_logos_files_to_container(self):
         splits it into files as expected by the workload,
         and pushes the files to the container.
         """
+        logos_storage_path = Path(self._container_meta.mounts[self._logos_storage_name].location)
         for file_name, file_content in yaml.safe_load(
             Path("src/logos-configmap.yaml").read_text()
         )["data"].items():
-            logo_file = "/src/apps/default/static/assets/logos/" + file_name
+            logo_file = logos_storage_path / file_name
             self.container.push(
                 logo_file,
                 file_content,
@@ -474,8 +480,9 @@ def _render_jwa_spawner_inputs(
 
     def _upload_jwa_file_to_container(self, file_content):
         """Pushes the JWA spawner config file to the workload container."""
+        config_storage_path = Path(self._container_meta.mounts[self._config_storage_name].location)
         self.container.push(
-            "/etc/config/spawner_ui_config.yaml",
+            config_storage_path / JWA_CONFIG_FILE_DST,
             file_content,
             make_dirs=True,
         )
@@ -519,6 +526,11 @@ def _on_pebble_ready(self, _):
         if not self._is_container_ready():
             return
 
+        try:
+            self._check_storage()
+        except CheckFailed as err:
+            self.model.unit.status = err.status
+            return
         # upload files to container
         self._upload_logos_files_to_container()
 
@@ -590,10 +602,23 @@ def _check_istio_relations(self):
                 BlockedStatus,
             )
 
+    def _check_storage(self):
+        """Check if storage is available."""
+        config_storage_path = Path(self._container_meta.mounts[self._config_storage_name].location)
+        logos_storage_path = Path(self._container_meta.mounts[self._logos_storage_name].location)
+
+        if not self.container.exists(config_storage_path):
+            self.logger.info('Storage "config" not yet available')
+            raise CheckFailed('Waiting for "config" storage', WaitingStatus)
+        if not self.container.exists(logos_storage_path):
+            self.logger.info('Storage "logos" not yet available')
+            raise CheckFailed('Waiting for "logos" storage', WaitingStatus)
+
     def main(self, _) -> None:
         """Perform all required actions of the Charm."""
         try:
             self._check_leader()
+            self._check_storage()
             self._deploy_k8s_resources()
             if self._is_container_ready():
                 self._update_layer()

charms/jupyter-ui/pyproject.toml

@@ -16,15 +16,20 @@
 from charmed_kubeflow_chisme.testing import (
     GRAFANA_AGENT_APP,
     assert_logging,
+    assert_security_context,
     deploy_and_assert_grafana_agent,
+    generate_container_securitycontext_map,
+    get_pod_names,
 )
+from lightkube import Client
 from pytest_operator.plugin import OpsTest
 
 logger = logging.getLogger(__name__)
 
 METADATA = yaml.safe_load(Path("./metadata.yaml").read_text())
 CONFIG = yaml.safe_load(Path("./config.yaml").read_text())
-APP_NAME = "jupyter-ui"
+APP_NAME = METADATA["name"]
+CONTAINERS_SECURITY_CONTEXT_MAP = generate_container_securitycontext_map(METADATA)
 JUPYTER_IMAGES_CONFIG = "jupyter-images"
 VSCODE_IMAGES_CONFIG = "vscode-images"
 RSTUDIO_IMAGES_CONFIG = "rstudio-images"
@@ -66,6 +71,13 @@
 ]
 
 
+@pytest.fixture(scope="session")
+def lightkube_client() -> Client:
+    """Return lightkube Kubernetes client."""
+    client = Client(field_manager=f"{APP_NAME}")
+    return client
+
+
 @pytest.mark.abort_on_fail
 async def test_build_and_deploy(ops_test: OpsTest, request):
     """Build and deploy the charm.
@@ -189,6 +201,28 @@ async def test_logging(ops_test):
     await assert_logging(app)
 
 
+@pytest.mark.parametrize("container_name", list(CONTAINERS_SECURITY_CONTEXT_MAP.keys()))
+@pytest.mark.abort_on_fail
+async def test_container_security_context(
+    ops_test: OpsTest,
+    lightkube_client: Client,
+    container_name: str,
+):
+    """Test container security context is correctly set.
+
+    Verify that container spec defines the security context with correct
+    user ID and group ID.
+    """
+    pod_name = get_pod_names(ops_test.model.name, APP_NAME)[0]
+    assert_security_context(
+        lightkube_client,
+        pod_name,
+        container_name,
+        CONTAINERS_SECURITY_CONTEXT_MAP,
+        ops_test.model.name,
+    )
+
+
 RETRY_120_SECONDS = tenacity.Retrying(
     stop=tenacity.stop_after_delay(120),
     wait=tenacity.wait_fixed(2),