From e60ac758f19c1e633e322497331528e8c0c5d859 Mon Sep 17 00:00:00 2001
From: adawalli <adam.wallis@gmail.com>
Date: Thu, 7 Jan 2021 14:10:40 -0500
Subject: [PATCH] Allow permission fixup to scratch space (#101)

NFS Mounted Scratchspaces do not get properly permissioned according to
the k8s Volume 'fsGroup' property. The most common solution for fixing
this is to use an initContainer to fix the permissions before the target
deployed POD runs. This solution implements just such an initContainer.
By default, this change has no impact on existing deployments and is "on
by request only" feature.

This PR addresses https://github.com/anchore/anchore-charts/issues/100

Signed-off-by: Adam Wallis <adam.wallis@gmail.com>
---
 stable/anchore-engine/Chart.yaml                   |  2 +-
 .../templates/analyzer_deployment.yaml             | 14 ++++++++++++++
 .../templates/enterprise_feeds_deployment.yaml     | 14 ++++++++++++++
 .../templates/policy_engine_deployment.yaml        | 14 ++++++++++++++
 stable/anchore-engine/values.yaml                  |  5 +++++
 5 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index c304f9c1..4572ff69 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.10.7
+version: 1.10.8
 appVersion: 0.8.2
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml
index 002258cd..c3d252bd 100644
--- a/stable/anchore-engine/templates/analyzer_deployment.yaml
+++ b/stable/anchore-engine/templates/analyzer_deployment.yaml
@@ -56,6 +56,20 @@ spec:
       - name: {{ . }}
       {{- end }}
     {{- end }}
+    {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
+      initContainers:
+        - name: mode-fixer
+          image: alpine
+          securityContext:
+            runAsUser: 0
+          volumeMounts:
+            - name: {{ $component }}-scratch
+              mountPath: {{ .Values.anchoreGlobal.scratchVolume.mountPath }}
+          command:
+            - sh
+            - -c
+            - (chmod 0775 {{ .Values.anchoreGlobal.scratchVolume.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreGlobal.scratchVolume.mountPath }} )
+      {{- end }}
       containers:
       {{- if .Values.cloudsql.enabled  }}
       - name: cloudsql-proxy
diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
index 595efd8a..37833f13 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
@@ -50,6 +50,20 @@ spec:
       {{- end }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
+    {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
+      initContainers:
+        - name: mode-fixer
+          image: alpine
+          securityContext:
+            runAsUser: 0
+          volumeMounts:
+            - name: {{ $component }}-scratch
+              mountPath: {{ .Values.anchoreGlobal.scratchVolume.mountPath }}
+          command:
+            - sh
+            - -c
+            - (chmod 0775 {{ .Values.anchoreGlobal.scratchVolume.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreGlobal.scratchVolume.mountPath }} )
+      {{- end }}
       containers:
       {{- if .Values.cloudsql.enabled  }}
       - name: cloudsql-proxy
diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml
index f2a2b1e2..c3c6979b 100644
--- a/stable/anchore-engine/templates/policy_engine_deployment.yaml
+++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml
@@ -56,6 +56,20 @@ spec:
       - name: {{ . }}
       {{- end }}
     {{- end }}
+    {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
+      initContainers:
+        - name: mode-fixer
+          image: alpine
+          securityContext:
+            runAsUser: 0
+          volumeMounts:
+            - name: {{ $component }}-scratch
+              mountPath: {{ .Values.anchoreGlobal.scratchVolume.mountPath }}
+          command:
+            - sh
+            - -c
+            - (chmod 0775 {{ .Values.anchoreGlobal.scratchVolume.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreGlobal.scratchVolume.mountPath }} )
+      {{- end }}
       containers:
       {{- if .Values.cloudsql.enabled  }}
       - name: cloudsql-proxy
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index d5e5d297..2874c663 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -129,6 +129,10 @@ anchoreGlobal:
   # The scratchVolume controls the mounting of an external volume for scratch space for image analysis. Generally speaking
   # you need to provision 3x the size of the largest image (uncompressed) that you want to analyze for this space.
   scratchVolume:
+    # Some k8s Volumes do not properly respect the fsGroup permissions. These volumes will get mounted as root:root
+    # regardless of the security permissions requested. The fixGroupPermissions will create an initContainer that will
+    # fixup the permissions.
+    fixGroupPermissions: false
     mountPath: /analysis_scratch
     details:
       # Specify volume configuration here
@@ -143,6 +147,7 @@ anchoreGlobal:
   securityContext:
     runAsUser: 1000
     runAsGroup: 1000
+    fsGroup: 1000
 
   ###
   # Start of General Anchore Engine Configurations (populates /config/config.yaml)