
Base Blubber policy file for CI
Closed, ResolvedPublic

Description

Blubber has built-in support for a policy file that can restrict any of the fields used in a Blubberfile. The base policyfile for CI ought to (as discussed during all-hand pipeline meeting) restrict the base-image for production to only those images from the Wikimedia Docker registry.

Details

Related Gerrit Patches:
operations/deployment-charts (master): blubberoid: Add policy file
blubber (master): Update go-playground validator

Event Timeline

Restricted Application added a subscriber: Aklapper. Feb 5 2019, 6:17 PM
thcipriani triaged this task as Medium priority. Feb 5 2019, 6:19 PM

Clarification needed from serviceops folks: is it only the base-image for the production variant we want to restrict?

FrEx: blubber uses the golang image to build blubberoid and then copies that artifact to the production image based on docker-registry.wikimedia.org/wikimedia-stretch

> Clarification needed from serviceops folks: is it only the base-image for the production variant we want to restrict?
> FrEx: blubber uses the golang image to build blubberoid and then copies that artifact to the production image based on docker-registry.wikimedia.org/wikimedia-stretch

By golang image, meaning the one from Dockerhub? I am not particularly thrilled with that. E.g. look at https://nvd.nist.gov/vuln/detail/CVE-2019-5736 for how a malicious image can lead to the compromise of the docker container host, and in our infrastructure the entirety of CI, which is in production networks (that's a discussion we need to open at some point). This is not the first kind of attack that exists regarding container escape and compromise of the host, nor will it be the last IMHO.

We should rely only on container images we know we can trust and the only currently feasible way to do that is to use our own registry. So my take would be to extend the policy to all variants.
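As an added illustration of the check this thread converges on (restricting the base image of every variant, not only production, to the Wikimedia registry), the following is a stand-alone Go program written for this page; it is not Blubber's own policy engine and not code from the patches linked above. It takes an already-parsed Blubberfile as a struct literal (a constructed sample, not the real `.pipeline/blubber.yaml`), resolves each variant's effective base image, and reports any whose registry is not on the allow-list. Two things are assumptions of this example rather than statements about Blubber: the include-resolution order (a variant's own `base` wins, then the first included variant that resolves one, then the top-level `base`) and the registry-parsing rule, which follows Docker's convention that the first path component of a reference is a registry only if it contains a `.` or `:` or is `localhost`, and otherwise the image comes from Docker Hub.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Variant mirrors the subset of a Blubber variant that matters here:
// its base image and the variants it includes (inherits config from).
type Variant struct {
	Base     string
	Includes []string
}

// Blubberfile is the subset of a parsed Blubberfile we check: the
// top-level base image and the named variants.
type Blubberfile struct {
	Base     string
	Variants map[string]Variant
}

// registryOf returns the registry host of an image reference. Following
// Docker's reference grammar, the first path component is a registry only
// if it contains '.' or ':' or is "localhost"; any other reference (for
// example "golang:1.10" or "library/golang") resolves to Docker Hub.
func registryOf(ref string) string {
	i := strings.IndexByte(ref, '/')
	if i < 0 {
		return "docker.io"
	}
	first := ref[:i]
	if strings.ContainsAny(first, ".:") || first == "localhost" {
		return first
	}
	return "docker.io"
}

// effectiveBase resolves the base image a variant actually builds from.
// Assumed (simplified) order: the variant's own base, else the first
// included variant that resolves a base, else the top-level base.
// seen guards against include cycles.
func effectiveBase(bf Blubberfile, name string, seen map[string]bool) string {
	if seen[name] {
		return ""
	}
	seen[name] = true
	v, ok := bf.Variants[name]
	if !ok {
		return ""
	}
	if v.Base != "" {
		return v.Base
	}
	for _, inc := range v.Includes {
		if b := effectiveBase(bf, inc, seen); b != "" {
			return b
		}
	}
	return bf.Base
}

// Violation describes a variant whose base image is hosted outside the
// allowed registries.
type Violation struct {
	Variant  string
	Image    string
	Registry string
}

// CheckBaseImages returns, sorted by variant name, every variant whose
// effective base image is not hosted on one of the allowed registries.
func CheckBaseImages(bf Blubberfile, allowed []string) []Violation {
	allowedSet := make(map[string]bool, len(allowed))
	for _, r := range allowed {
		allowedSet[r] = true
	}
	var out []Violation
	for name := range bf.Variants {
		img := effectiveBase(bf, name, map[string]bool{})
		if img == "" {
			continue // no base anywhere in the chain; nothing to check
		}
		if reg := registryOf(img); !allowedSet[reg] {
			out = append(out, Violation{Variant: name, Image: img, Registry: reg})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Variant < out[j].Variant })
	return out
}

// SampleBlubberfile is a constructed example modelled on the situation the
// thread describes: a build variant on Docker Hub's golang image and a
// production variant on the Wikimedia registry. It is not the real file.
var SampleBlubberfile = Blubberfile{
	Base: "docker-registry.wikimedia.org/wikimedia-stretch",
	Variants: map[string]Variant{
		"build":      {Base: "golang:1.10"},
		"test":       {Includes: []string{"build"}},
		"production": {Base: "docker-registry.wikimedia.org/wikimedia-stretch"},
	},
}

// AllowedRegistries is the policy the thread argues for: only images
// from the Wikimedia registry, for every variant.
var AllowedRegistries = []string{"docker-registry.wikimedia.org"}

func main() {
	for _, v := range CheckBaseImages(SampleBlubberfile, AllowedRegistries) {
		fmt.Printf("variant %q: base %q resolves to registry %s, which is not allowed\n",
			v.Variant, v.Image, v.Registry)
	}
}
```

Run against the sample, the check flags `build` and, through its include, `test`, because a bare `golang:1.10` reference carries no registry and therefore resolves to Docker Hub; `production` passes. That implicit-registry case is exactly what a policy limited to the production variant would miss.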

fsero added a comment. Feb 15 2019, 9:50 AM

@thcipriani AFAIK the policy applies to every image, not only production ones. I think it should be fairly easy (look into [2]) to build a base image for go like the ones we publish for nodejs; we will probably need to use the golang-go package from backports since golang-go on stretch ships 1.7 and, reading quickly through the code, I saw a couple of things that require a newer version.

[1] https://gerrit.wikimedia.org/r/plugins/gitiles/blubber/+/master/.pipeline/blubber.yaml#8
[2] https://github.com/docker-library/golang/blob/master/1.10/stretch/Dockerfile

mark added a subscriber: mark. Feb 15 2019, 11:11 AM

Change 516671 had a related patch set uploaded (by Thcipriani; owner: Thcipriani):
[blubber@master] Update go-playground validator

https://gerrit.wikimedia.org/r/516671

Change 517573 had a related patch set uploaded (by Thcipriani; owner: Thcipriani):
[operations/deployment-charts@master] blubberoid: Add policy file

https://gerrit.wikimedia.org/r/517573

Change 516671 merged by jenkins-bot:
[blubber@master] Update go-playground validator

https://gerrit.wikimedia.org/r/516671

Change 517573 merged by Thcipriani:
[operations/deployment-charts@master] blubberoid: Add policy file

https://gerrit.wikimedia.org/r/517573

thcipriani closed this task as Resolved. Jul 25 2019, 3:11 PM
thcipriani claimed this task.

Deployed the new blubberoid with the policy file in place yesterday.