Changes falcosidekick and falcosidekick-ui rock bases to bare

Switching to a bare-based image will reduce the overall image size and reduces attack surface area. We can no longer use ensure_image_contains_paths to check if files exist in the rock images, since they are now bare-based. Instead, we can use ensure_image_contains_paths_bare, which checks the image layers instead. Because of this, we need sufficient permissions to check the /var/lib/docker folder. Adds additional check for falcosidekick-ui during the integration test.
claudiubelu · Oct 28, 2024 · 22cb499 · 22cb499
1 parent 1fbc44a
commit 22cb499
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 36 deletions.
diff --git a/falcosidekick-ui/2.2.0/rockcraft.yaml b/falcosidekick-ui/2.2.0/rockcraft.yaml
@@ -10,7 +10,7 @@ description: |
 license: Apache-2.0
 version: 2.2.0
 
-base: [email protected]
+base: bare
 build-base: [email protected]
 run-user: _daemon_
 
@@ -43,9 +43,12 @@ parts:
   # https://github.com/falcosecurity/falcosidekick-ui/blob/v2.2.0/Dockerfile#L8
   falcosidekickui-user:
     plugin: nil
-    overlay-script: |
-      groupadd -R $CRAFT_OVERLAY --system falcosidekickui
-      useradd -R $CRAFT_OVERLAY --system -g falcosidekickui -u 1234 falcosidekickui
+    stage-packages:
+      - base-passwd_data
+      - base-files_base
+    override-build: |
+      groupadd -R $CRAFT_PART_INSTALL --system falcosidekickui
+      useradd -R $CRAFT_PART_INSTALL --system -g falcosidekickui -u 1234 falcosidekickui
 
   build-falcosidekick-ui:
     plugin: nil

diff --git a/falcosidekick/2.29.0/rockcraft.yaml b/falcosidekick/2.29.0/rockcraft.yaml
@@ -10,7 +10,7 @@ description: |
 license: Apache-2.0
 version: 2.29.0
 
-base: [email protected]
+base: bare
 build-base: [email protected]
 
 platforms:
@@ -35,9 +35,12 @@ parts:
   # https://github.com/falcosecurity/falcosidekick/blob/2.29.0/Dockerfile#L8
   falcosidekick-user:
     plugin: nil
-    overlay-script: |
-      groupadd -R $CRAFT_OVERLAY --system falcosidekick
-      useradd -R $CRAFT_OVERLAY --system -g falcosidekick -u 1234 falcosidekick
+    stage-packages:
+      - base-passwd_data
+      - base-files_base
+    override-build: |
+      groupadd -R $CRAFT_PART_INSTALL --system falcosidekick
+      useradd -R $CRAFT_PART_INSTALL --system -g falcosidekick -u 1234 falcosidekick
 
   build-falcosidekick:
     plugin: nil

diff --git a/tests/integration/test_falco.py b/tests/integration/test_falco.py
@@ -122,11 +122,10 @@ def _get_falco_helm_cmd(falco_version: str):
     )
 
 
-def _assert_falco_exporter_up(instance: harness.Instance):
-    # Assert that falco-exporter is responsive. The falco-exporter image is a bare image,
-    # so, we're using the falco Pod to curl the falco-exporter endpoint instead.
-    LOG.info("Checking if falco-exporter is being responsive.")
-    process = instance.exec(
+def _curl_service_via_falco(
+    instance: harness.Instance, svc_name: string, port: int, endpoint: str
+):
+    return instance.exec(
         [
             "k8s",
             "kubectl",
@@ -137,13 +136,19 @@ def _assert_falco_exporter_up(instance: harness.Instance):
             "--",
             "curl",
             "-s",
-            "http://falco-exporter:9376/metrics",
+            f"http://{svc_name}:{port}/{endpoint}",
         ],
         check=True,
         capture_output=True,
         text=True,
     )
 
+
+def _assert_falco_exporter_up(instance: harness.Instance):
+    # Assert that falco-exporter is responsive. The falco-exporter image is a bare image,
+    # so, we're using the falco Pod to curl the falco-exporter endpoint instead.
+    LOG.info("Checking if falco-exporter is being responsive.")
+    process = _curl_service_via_falco(instance, "falco-exporter", 9376, "metrics")
     assert (
         "Total number of scrapes" in process.stdout
     ), "Expected falco-exporter to return metrics."
@@ -152,30 +157,23 @@ def _assert_falco_exporter_up(instance: harness.Instance):
 def _assert_falcosidekick_up(instance: harness.Instance):
     # Assert that falcosidekick is responsive. It has a ping method, to which we should get pong.
     # The falcosidekick image does not have curl or wget, but the falco image does.
-    LOG.info("Checking if Falco detected irregularities.")
-    process = instance.exec(
-        [
-            "k8s",
-            "kubectl",
-            "--namespace",
-            "falco",
-            "exec",
-            f"{constants.K8S_DAEMONSET}/falco",
-            "--",
-            "curl",
-            "-s",
-            "http://falcosidekick:2801/ping",
-        ],
-        check=True,
-        capture_output=True,
-        text=True,
-    )
-
+    LOG.info("Checking if falcosidekick is being responsive.")
+    process = _curl_service_via_falco(instance, "falcosidekick", 2801, "ping")
     assert (
         "pong" in process.stdout
     ), "Expected falcosidekick to respond with pong to ping."
 
 
+def _assert_falcosidekick_ui_up(instance: harness.Instance):
+    # Assert that falcosidekick-ui is responsive.
+    # The falcosidekick-ui image does not have curl or wget, but the falco image does.
+    LOG.info("Checking if falcosidekick-ui is being responsive.")
+    process = _curl_service_via_falco(
+        instance, "falcosidekick-ui", 2802, "api/v1/healthz"
+    )
+    assert "ok" in process.stdout, "Expected falcosidekick-ui to respond with ok."
+
+
 def _assert_falco_logs(instance: harness.Instance):
     # Falco should have noticed the unexpected behaviour from the event-generator, and it should
     # have logged these events to stdout by default.
@@ -264,4 +262,5 @@ def test_integration_falco(function_instance: harness.Instance, image_version):
 
     _assert_falco_logs(function_instance)
     _assert_falcosidekick_up(function_instance)
+    _assert_falcosidekick_ui_up(function_instance)
     _assert_falco_exporter_up(function_instance)
diff --git a/tests/sanity/test_falcosidekick.py b/tests/sanity/test_falcosidekick.py
@@ -21,7 +21,7 @@ def test_falcosidekick_rock(image_version):
     image = rock.image
 
     # check rock filesystem.
-    docker_util.ensure_image_contains_paths(image, ROCK_EXPECTED_FILES)
+    docker_util.ensure_image_contains_paths_bare(image, ROCK_EXPECTED_FILES)
 
     # check binary.
     process = docker_util.run_in_docker(

diff --git a/tests/sanity/test_falcosidekick_ui.py b/tests/sanity/test_falcosidekick_ui.py
@@ -22,7 +22,7 @@ def test_falcosidekick_ui_rock(image_version):
     image = rock.image
 
     # check rock filesystem.
-    docker_util.ensure_image_contains_paths(image, ROCK_EXPECTED_FILES)
+    docker_util.ensure_image_contains_paths_bare(image, ROCK_EXPECTED_FILES)
 
     # check binary.
     process = docker_util.run_in_docker(image, ["/app/falcosidekick-ui", "-v"])

diff --git a/tests/tox.ini b/tests/tox.ini
@@ -38,8 +38,10 @@ commands =
 description = Run sanity tests
 passenv = *
 deps = -r {tox_root}/requirements-test.txt
+allowlist_externals =
+    sudo
 commands =
-    pytest -v \
+    sudo -E {envpython} -m pytest -v \
         --maxfail 1 \
         --tb native \
         --log-cli-level DEBUG \