
Upstream Image Permissions Breaks Scanners

Bug

Description

After noticing Cypress test failures for NeuVector, I traced the issue down to the following:

It appears the upstream neuvector:5 image changed the permissions on the certs located in /etc/neuvector/certs/internal/.

Prior permissions:

drwxr-xr-x. 2 root root 4096 Oct  7 23:02 .
drwxr-xr-x. 3 root root 4096 Oct  7 23:01 ..
-rw-r--r--. 1 root root 1253 Oct  7 23:02 ca.cert
-rw-r--r--. 1 root root  912 Oct  7 23:02 cert.key
-rw-r--r--. 1 root root 1216 Oct  7 23:02 cert.pem

Current permissions:

drwxr-xr-x. 2 root root 4096 Nov 11 23:03 .
drwxr-xr-x. 3 root root 4096 Nov 11 23:02 ..
-rw-rw----. 1 root root 1253 Nov 11 23:03 ca.cert
-rw-rw----. 1 root root  912 Nov 11 23:03 cert.key
-rw-rw----. 1 root root 1216 Nov 11 23:03 cert.pem

Because Big Bang runs the pods as user 1000, the startup command, /usr/local/bin/monitor, fails immediately and the pod drops into a restart loop.

As a result, no Scanner pods start up.

One possible fix for now would be to get Iron Bank to fix the permissions on the files. I tested this Dockerfile fix, and it solves the issue. Note that all files in /etc/neuvector/certs/internal/ need to be readable by the scanner user.

# Create the scanner user, then restore the other-read bit on the internal certs
# so a non-root, non-group-member uid (1000) can open them at startup.
RUN useradd scanner && chmod 0740 /home/scanner/.[^.]*  && \
    chmod o+r /etc/neuvector/certs/internal/*
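As an added example (not part of this issue, nor code from the NeuVector or Iron Bank images), here is a small POSIX shell check that a maintainer could run inside the image, or in CI, to confirm the root cause before and after the Dockerfile fix. It lists regular files under a directory that lack the other-read bit, which is exactly what a uid-1000 process that owns none of the files and is not in group root depends on. The fixture directory and its modes are constructed here to mirror the two listings above; the directory layout and function names are my own assumptions, not the image's.

```shell
#!/bin/sh
# Added example: verify that every regular file under a directory is readable
# by "other", i.e. by a uid that is neither the owner nor in the owning group.
# Constructed fixture below mimics the prior (0644) and current (0660) listings.

# Print each regular file under $1 whose mode lacks the other-read bit (o+r).
# -perm -004 matches files that HAVE the bit; the ! inverts it.
find_unreadable_by_other() {
    find "$1" -type f ! -perm -004 2>/dev/null | sort
}

# Exit 0 when no file under $1 is missing o+r, 1 otherwise.
certs_readable_by_other() {
    [ -z "$(find_unreadable_by_other "$1")" ]
}

# Count of offending files under $1, printed without surrounding whitespace.
count_unreadable_by_other() {
    find_unreadable_by_other "$1" | grep -c .
}

# Build a constructed replica of the issue's two cert directories in a temp
# dir and print its path: before/ uses the prior modes, after/ the new ones.
make_fixture() {
    root="$(mktemp -d)"
    mkdir -p "$root/before" "$root/after"
    for f in ca.cert cert.key cert.pem; do
        : > "$root/before/$f"; chmod 0644 "$root/before/$f"   # prior:   -rw-r--r--
        : > "$root/after/$f";  chmod 0660 "$root/after/$f"    # current: -rw-rw----
    done
    printf '%s\n' "$root"
}

# Apply the same remediation the Dockerfile fix uses, to the given directory.
apply_fix() {
    chmod o+r "$1"/*
}

# Stand-alone run: report on the fixture, then show the fix resolves it.
# In a real image you would point these at /etc/neuvector/certs/internal/.
FIXTURE="$(make_fixture)"
for d in before after; do
    if certs_readable_by_other "$FIXTURE/$d"; then
        echo "$d: OK, all files readable by uid 1000"
    else
        echo "$d: FAIL, $(count_unreadable_by_other "$FIXTURE/$d") file(s) not readable by uid 1000:"
        find_unreadable_by_other "$FIXTURE/$d"
    fi
done
apply_fix "$FIXTURE/after"
certs_readable_by_other "$FIXTURE/after" && echo "after (fixed): OK"
rm -rf "$FIXTURE"
```

The check deliberately tests only the "other" bit rather than trying to resolve group membership, because the failure mode on the page is precisely a root:root file with no world-read bit and a process running as an unrelated uid.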
Edited by Michael Martin