Merge pull request #10 from vyzigold/ck_lowest_privileges

[OSPRH-21081] Lower privileges for CK related pods

Author: jlarriba

pkg/cloudkitty/const.go

@@ -62,6 +62,9 @@ const (
 	CaConfigmapName = "lokistack-ca"
 	// CaConfigmapKey is the key in the CA configmap
 	CaConfigmapKey = "ca.crt"
+
+	// CloudKittyUserID -
+	CloudKittyUserID = 42406
 )
 
 // ResultRequeue is a ctrl.Result that requeues after NormalDuration

pkg/cloudkitty/dbsync.go

@@ -23,6 +23,7 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -34,7 +35,7 @@ const (
 	//       If we are doing rolling upgrades we'll need to use the flag
 	//       conditionally (only for adoption) and do the restart cycle of
 	//       services as described in the upstream rolling upgrades process.
-	dbSyncCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	dbSyncCommand = "/usr/local/bin/kolla_start"
 )
 
 // DbSyncJob func
@@ -51,7 +52,7 @@ func DbSyncJob(instance *telemetryv1.CloudKitty, labels map[string]string, annot
 		volumeMounts = append(volumeMounts, instance.Spec.CloudKittyAPI.TLS.CreateVolumeMounts(nil)...)
 	}
 
-	runAsUser := int64(0)
+	runAsUser := int64(CloudKittyUserID)
 	envVars := map[string]env.Setter{}
 	envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 	envVars["KOLLA_BOOTSTRAP"] = env.SetValue("TRUE")
@@ -92,7 +93,8 @@ func DbSyncJob(instance *telemetryv1.CloudKitty, labels map[string]string, annot
 							Args:  args,
 							Image: instance.Spec.CloudKittyAPI.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser:    &runAsUser,
+								RunAsNonRoot: ptr.To(true),
 							},
 							Env:          env.MergeEnvs(cloudKittyPassword, envVars),
 							VolumeMounts: volumeMounts,

pkg/cloudkitty/storageinit.go

@@ -23,6 +23,7 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -34,7 +35,7 @@ const (
 	//       If we are doing rolling upgrades we'll need to use the flag
 	//       conditionally (only for adoption) and do the restart cycle of
 	//       services as described in the upstream rolling upgrades process.
-	storageInitCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	storageInitCommand = "/usr/local/bin/kolla_start"
 )
 
 // StorageInitJob func
@@ -50,7 +51,7 @@ func StorageInitJob(instance *telemetryv1.CloudKitty, labels map[string]string,
 		volumeMounts = append(volumeMounts, instance.Spec.CloudKittyAPI.TLS.CreateVolumeMounts(nil)...)
 	}
 
-	runAsUser := int64(0)
+	runAsUser := int64(CloudKittyUserID)
 	envVars := map[string]env.Setter{}
 	envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 	envVars["KOLLA_BOOTSTRAP"] = env.SetValue("TRUE")
@@ -91,7 +92,8 @@ func StorageInitJob(instance *telemetryv1.CloudKitty, labels map[string]string,
 							Args:  args,
 							Image: instance.Spec.CloudKittyAPI.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser:    &runAsUser,
+								RunAsNonRoot: ptr.To(true),
 							},
 							Env:          env.MergeEnvs(cloudKittyPassword, envVars),
 							VolumeMounts: volumeMounts,

pkg/cloudkitty/volumes.go

@@ -6,7 +6,7 @@ import (
 
 var (
 	// scriptMode is the default permissions mode for Scripts volume
-	scriptMode int32 = 0740
+	scriptMode int32 = 0755
 	// configMode is the 640 permissions mode
 	configMode int32 = 0640
 	// certMode is the 400 permissions mode

pkg/cloudkittyapi/statefulset.go

@@ -27,11 +27,12 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 )
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // StatefulSet func
@@ -42,8 +43,7 @@ func StatefulSet(
 	annotations map[string]string,
 	topology *topologyv1.Topology,
 ) (*appsv1.StatefulSet, error) {
-	runAsUser := int64(0)
-	//cloudKittyUser := int64(telemetryv1.CloudKittyUserID)
+	runAsUser := int64(cloudkitty.CloudKittyUserID)
 
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
@@ -140,10 +140,7 @@ func StatefulSet(
 								"-c",
 								"/usr/bin/tail -n+1 -F " + LogFile + " 2>/dev/null",
 							},
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
+							Image:        instance.Spec.ContainerImage,
 							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts: []corev1.VolumeMount{GetLogVolumeMount()},
 							Resources:    instance.Spec.Resources,
@@ -153,18 +150,19 @@ func StatefulSet(
 							Command: []string{
 								"/bin/bash",
 							},
-							Args:  args,
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
+							Args:           args,
+							Image:          instance.Spec.ContainerImage,
 							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts:   volumeMounts,
 							Resources:      instance.Spec.Resources,
 							ReadinessProbe: readinessProbe,
 							LivenessProbe:  livenessProbe,
 						},
 					},
+					SecurityContext: &corev1.PodSecurityContext{
+						RunAsUser:    &runAsUser,
+						RunAsNonRoot: ptr.To(true),
+					},
 					Volumes: volumes,
 				},
 			},

pkg/cloudkittyproc/statefulset.go

@@ -24,11 +24,12 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
 	// CloudKittyHCScript is the path to the health check script
 	CloudKittyHCScript = "/var/lib/openstack/bin/healthcheck.py"
 )
@@ -41,9 +42,7 @@ func StatefulSet(
 	annotations map[string]string,
 	topology *topologyv1.Topology,
 ) *appsv1.StatefulSet {
-	cloudKittyUser := int64(0)
-	// cloudKittyUser := int64(telemetryv1.CloudKittyUserID)
-	// cloudKittyGroup := int64(telemetryv1.CloudKittyGroupID)
+	runAsUser := int64(cloudkitty.CloudKittyUserID)
 
 	// TODO until we determine how to properly query for these
 	livenessProbe := &corev1.Probe{
@@ -105,7 +104,8 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &cloudKittyUser,
+								RunAsUser:    &runAsUser,
+								RunAsNonRoot: ptr.To(true),
 							},
 							Env:           env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts:  volumeMounts,