
Enhance security in Docker build and agent API configurations#634

Open
hanzjk wants to merge 2 commits into wso2:main from hanzjk:security

Conversation

@hanzjk
Contributor

@hanzjk hanzjk commented Mar 25, 2026

Purpose

Describe the problems, issues, or needs driving this feature/fix and include links to related issues in the following format: Resolves issue1, issue2, etc.

Resolves #523

Goals

Describe the solutions that this feature/fix will introduce to resolve the problems described above

Approach

Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email documentation@wso2.com to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here.

User stories

Summary of user stories addressed by this change

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter "N/A" plus brief explanation of why there's no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type "Sent" when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to certification@wso2.com and NOT pasted in this PR. If there is no impact on certification exams, type "N/A" and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

  • Unit tests

    Code coverage information

  • Integration tests

    Details about the test cases and coverage

Security checks

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

Summary by CodeRabbit

  • Chores

    • Updated build configuration to ignore the website directory.
  • Security

    • Enforced non-root runtime for pods and containers.
    • Hardened containers with read-only root filesystem, disabled privilege escalation, dropped capabilities, and default seccomp.
    • Added build-time checks to fail image builds that resolve to root.
    • Adjusted ephemeral storage mounts for tmp, data, and cache with size limits.

@coderabbitai
Contributor

coderabbitai bot commented Mar 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 812974ea-1711-4c76-b9cd-3e74c56eae1b

📥 Commits

Reviewing files that changed from the base of the PR and between 18a8b22 and f2749d8.

📒 Files selected for processing (4)
  • deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/balleina-buildpack-build.yaml
  • deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/docker-buildpack-build.yaml
  • deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/google-buildpack-build.yaml
  • deployments/helm-charts/wso2-amp-platform-resources-extension/templates/component-types/agent-api.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/docker-buildpack-build.yaml

📝 Walkthrough


Added non-root verification to multiple build workflows, hardened agent pod securityContext and writable emptyDir mounts, and updated .gitignore to ignore website/.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Git ignore: `/.gitignore` | Appended website/ to ignore patterns. |
| Build workflow templates: `deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/docker-buildpack-build.yaml`, `deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/balleina-buildpack-build.yaml`, `deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/google-buildpack-build.yaml` | Added post-build image verification: log target image, run podman inspect to read Config.User, parse user (pre-:), fail (exit 1) if empty or root (0/root), log verified non-root user, then save/export image only after verification. |
| Agent pod security: `deployments/helm-charts/wso2-amp-platform-resources-extension/templates/component-types/agent-api.yaml` | Applied pod-level securityContext (runAsNonRoot: true, runAsUser: 65534, fsGroup: 65534) and container securityContext (readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, capabilities.drop: ["ALL"], seccompProfile.type: RuntimeDefault). Replaced volume emission with concatenated mounts and added emptyDir mounts for /tmp (200Mi), /data (500Mi), and /home/nobody/.cache (200Mi). |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Workflow as Workflow Step
    participant Builder as Build Tool (pack/podman)
    participant Image as Built Image
    participant Storage as Image Save (/mnt/vol)

    Workflow->>Builder: invoke build (pack/podman)
    Builder->>Image: produce image:TAG
    Workflow->>Builder: podman inspect image:TAG -> .Config.User
    alt user empty or root (0/root)
        Workflow->>Workflow: exit 1 (fail build)
    else non-root user
        Workflow->>Workflow: log verified user
        Workflow->>Storage: podman save /mnt/vol/app-image.tar
        Workflow->>Workflow: log "Build complete"
    end
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through builds with watchful eye,
Inspected users low and high,
No root allowed to roam or stay,
Read‑only roots keep mischief at bay,
EmptyDirs parked, safe paths to play.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description includes only the Purpose section (with linked issue #523) but is otherwise a template with placeholder text. All other required sections (Goals, Approach, User stories, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, Samples, Related PRs, Migrations, Test environment, Learning) remain unfilled. | Complete all required description sections: fill in Goals, Approach, User stories, Release note, Documentation, Training, Certification, Marketing, test details, Security checks (yes/no answers), Samples, Related PRs, Migrations, Test environment, and Learning. |
| Out of Scope Changes check | ❓ Inconclusive | The .gitignore change (adding website/ directory) appears unrelated to issue #523 security hardening objectives and may be incidental; unclear if this was intentional or necessary for the PR. | Clarify whether the .gitignore change (website/ directory) is necessary for this PR or should be in a separate commit. If unrelated, remove it. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'Enhance security in Docker build and agent API configurations' accurately summarizes the main changes: adding security verification to build workflows and applying securityContext to agent API deployment specs. |
| Linked Issues check | ✅ Passed | The PR successfully addresses all key coding requirements from issue #523: non-root user verification in build scripts (docker-buildpack, ballerina-buildpack, google-buildpack templates), pod/container securityContext (agent-api.yaml), and emptyDir volumes with sizeLimit for writable paths. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/docker-buildpack-build.yaml`:
- Around line 44-63: The current non-root check only rejects empty, "0" or
"root" but misses colon-separated forms like "0:0" or "root:docker"; update the
verification logic that reads IMAGE_USER (from the podman inspect call that sets
IMAGE_USER) to treat any value whose user part (the substring before a ":" if
present) is "0" or "root" as root—e.g., split on ":" or use a regex to test
^(0|root)(:|$) and fail if matched—and keep the existing empty check; then
copy/apply this same verification block (the IMAGE_USER check that runs after
podman inspect and before podman save) into the other buildpack templates (the
google-buildpack-build.yaml and balleina-buildpack-build.yaml) so they perform
the same non-root validation prior to their podman save steps.

In `@deployments/helm-charts/wso2-amp-platform-resources-extension/templates/component-types/agent-api.yaml`:
- Around line 152-153: The pod securityContext currently sets runAsNonRoot in
the securityContext block (see securityContext: runAsNonRoot: true) but is
missing the required runAsUser and fsGroup; update the same securityContext to
include runAsUser: 65534 and fsGroup: 65534 so the pod explicitly runs as the
nobody UID and files on mounted volumes are group-owned correctly — add these
two fields alongside runAsNonRoot in the securityContext for the pod spec.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1fe735b7-b56f-4daf-85a2-0d2602ce7d02

📥 Commits

Reviewing files that changed from the base of the PR and between ec8762a and 18a8b22.

📒 Files selected for processing (3)
  • .gitignore
  • deployments/helm-charts/wso2-amp-build-extension/templates/cluster-workflow-templates/docker-buildpack-build.yaml
  • deployments/helm-charts/wso2-amp-platform-resources-extension/templates/component-types/agent-api.yaml
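As an added example, not code from this PR or from the wso2 repository, the following POSIX shell functions implement the post-build check that the walkthrough describes (read `Config.User` with `podman inspect`, take the part before `:`, fail if it is empty, `0` or `root`) and cover the colon-separated forms such as `0:0` or `root:docker` raised in the inline comment above. The function names `is_nonroot_user` and `verify_image`, and the sample values in the loop at the bottom, are assumptions made for this example; `podman inspect --format '{{.Config.User}}'` is the real podman invocation for reading an image's configured user.

```shell
#!/bin/sh
# Added example (not the PR's own code): non-root verification of a built image.

# is_nonroot_user USER_STRING
# Returns 0 when the user part of an image's Config.User value is a non-root
# user, 1 otherwise. The group suffix (":group"), if any, is ignored, so
# "0:0" and "root:docker" are rejected just like "0" and "root".
is_nonroot_user() {
    user_part=${1%%:*}          # strip everything from the first ':' onward
    case "$user_part" in
        ""|0|root) return 1 ;;  # unset user defaults to root at runtime
        *)         return 0 ;;
    esac
}

# verify_image IMAGE
# Reads Config.User from a local image with podman and returns 1 (so a
# workflow step using 'set -e' fails before 'podman save') if it is root.
verify_image() {
    image=$1
    echo "Verifying image: $image"
    image_user=$(podman inspect --format '{{.Config.User}}' "$image") || return 1
    if ! is_nonroot_user "$image_user"; then
        echo "ERROR: $image resolves to root (Config.User='$image_user')" >&2
        return 1
    fi
    echo "Verified non-root user: ${image_user%%:*}"
}

# Constructed sample values for a stand-alone run; in a build step the value
# comes from podman inspect via verify_image instead.
for sample in "" "0" "root" "0:0" "root:docker" "65534" "65534:65534" "nobody:nobody"; do
    if is_nonroot_user "$sample"; then
        echo "accept: '$sample'"
    else
        echo "reject: '$sample'"
    fi
done
```

In a workflow step this would be `verify_image "$IMAGE:$TAG"` placed between the build and the `podman save`. One caveat: the check only examines the string in the image config. A named user is non-root only if the image's `/etc/passwd` maps it to a non-zero UID, which podman inspect does not tell you; pairing the build-time check with `runAsNonRoot: true` and a numeric `runAsUser` in the pod spec, as this PR does, closes that gap because the kubelet refuses to start a container whose effective UID would be 0 when `runAsNonRoot` is set.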



Development

Successfully merging this pull request may close these issues.

Implement Security Context for Agent Pods

1 participant