control-service: Secure job builder image #936

Merged
merged 3 commits into from
Aug 23, 2022

Contributor

@gabrielgeorgiev1 gabrielgeorgiev1 commented Aug 10, 2022

This change instantiates a new job builder image, which
will feature a set of security improvements. The first
improvement is the removal of execute privileges from
files composing a Data job.

Testing done: deployed job using new builder image and
verified it works

Signed-off-by: Gabriel Georgiev [email protected]
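One way a build step could remove execute privileges from the files of a Data job, as an added example that is not the project's own code. The function names, the job directory layout and the sample file names are assumptions, since the page does not show how the builder image does it.

```shell
#!/bin/sh
# Added example; not taken from the versatile-data-kit repository.
# Function names and the job directory layout are assumptions.

# Print every regular file under $1 that still carries an execute bit
# for user, group or other.
list_executable_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Remove execute bits from regular files only. Directories keep their
# search (x) bit so the job tree stays traversable, and symlinks are
# left alone because "find -type f" does not match them without -L.
strip_exec_bits() {
    job_dir=$1
    [ -d "$job_dir" ] || { echo "not a directory: $job_dir" >&2; return 2; }

    find "$job_dir" -type f -exec chmod a-x {} + || return 1

    # Fail closed: any file that is still executable fails the step
    # instead of being shipped in the image.
    leftover=$(list_executable_files "$job_dir")
    if [ -n "$leftover" ]; then
        echo "still executable:" >&2
        echo "$leftover" >&2
        return 1
    fi
    return 0
}
```

Running the verification pass separately (`list_executable_files`) in CI also catches files that were added to the image after the stripping step.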

This change instantiates a new job builder image, which
will feature a set of security improvements. The first
improvement is the removal of execute privileges from
files composing a Data job.

Testing done: TBD

Signed-off-by: Gabriel Georgiev <[email protected]>
@mivanov1988
Collaborator

Have you tested it?

@antoniivanov
Collaborator

antoniivanov commented Aug 10, 2022

Is there a difference here between this and https://github.com/vmware/versatile-data-kit/blob/main/projects/control-service/projects/job-builder/

If yes, what is it?

If not, then please reuse it. Let's follow DRY principle (hint: use other image as base image)

Signed-off-by: Gabriel Georgiev <[email protected]>
@gabrielgeorgiev1 gabrielgeorgiev1 enabled auto-merge (squash) August 23, 2022 09:19
@mivanov1988
Collaborator

mivanov1988 commented Aug 23, 2022

> Is there a difference here between this and https://github.com/vmware/versatile-data-kit/blob/main/projects/control-service/projects/job-builder/
>
> If yes, what is it?
>
> If not, then please reuse it. Let's follow DRY principle (hint: use other image as base image)

I prefer to keep them separate since we will completely rewrite the secure job builder image in the upcoming GitHub Issues.

@gabrielgeorgiev1 gabrielgeorgiev1 merged commit 38f1061 into main Aug 23, 2022
@gabrielgeorgiev1 gabrielgeorgiev1 deleted the person/gageorgiev/exec-privileges branch August 23, 2022 09:36
@antoniivanov
Collaborator

> > Is there a difference here between this and https://github.com/vmware/versatile-data-kit/blob/main/projects/control-service/projects/job-builder/
> > If yes, what is it?
> > If not, then please reuse it. Let's follow DRY principle (hint: use other image as base image)
>
> I prefer to keep them separate since we will completely rewrite the secure job builder image in the upcoming GitHub Issues.

We need 2 types of job-builder images - one that is less restrictive secure and easier to get started with. Let's call it "default". And one that is secure. Things like support for ECR, configuration git and authentication, etc. clearly belong in both so they should be provided out of the default.

Also the secure image would be an example for "DevOps" plugin - e.g. how one can extend capabilities of VDK during deployment cycle.

I am not OK with replicating code in both unless there's a good reason.
Though I am fine if during development we diverge them, but we need to go to a DRY approach by the end of the initiative.
