Merge pull request #776 from vyzigold/least-privileges

[OSPRH-4293] Run containers with least privileges

Author: openshift-merge-bot[bot]

pkg/autoscaling/aodh_statefulset.go

@@ -30,6 +30,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 
 	memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1"
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
@@ -38,7 +39,7 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // AodhStatefulSet func
@@ -49,7 +50,7 @@ func AodhStatefulSet(
 	topology *topologyv1.Topology,
 	memcached *memcachedv1.Memcached,
 ) (*appsv1.StatefulSet, error) {
-	runAsUser := int64(0)
+	aodhUser := int64(AodhUserID)
 
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
@@ -139,13 +140,10 @@ func AodhStatefulSet(
 		Command: []string{
 			"/bin/bash",
 		},
-		Args:  args,
-		Image: instance.Spec.Aodh.APIImage,
-		Name:  "aodh-api",
-		Env:   env.MergeEnvs([]corev1.EnvVar{}, envVarsAodh),
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
+		Args:         args,
+		Image:        instance.Spec.Aodh.APIImage,
+		Name:         "aodh-api",
+		Env:          env.MergeEnvs([]corev1.EnvVar{}, envVarsAodh),
 		VolumeMounts: apiVolumeMounts,
 	}
 
@@ -154,13 +152,10 @@ func AodhStatefulSet(
 		Command: []string{
 			"/bin/bash",
 		},
-		Args:  args,
-		Image: instance.Spec.Aodh.EvaluatorImage,
-		Name:  "aodh-evaluator",
-		Env:   env.MergeEnvs([]corev1.EnvVar{}, envVarsAodh),
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
+		Args:         args,
+		Image:        instance.Spec.Aodh.EvaluatorImage,
+		Name:         "aodh-evaluator",
+		Env:          env.MergeEnvs([]corev1.EnvVar{}, envVarsAodh),
 		VolumeMounts: evaluatorVolumeMounts,
 	}
 
@@ -169,13 +164,10 @@ func AodhStatefulSet(
 		Command: []string{
 			"/bin/bash",
 		},
-		Args:  args,
-		Image: instance.Spec.Aodh.NotifierImage,
-		Name:  "aodh-notifier",
-		Env:   env.MergeEnvs([]corev1.EnvVar{}, envVarsAodh),
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
+		Args:         args,
+		Image:        instance.Spec.Aodh.NotifierImage,
+		Name:         "aodh-notifier",
+		Env:          env.MergeEnvs([]corev1.EnvVar{}, envVarsAodh),
 		VolumeMounts: notifierVolumeMounts,
 	}
 
@@ -184,13 +176,10 @@ func AodhStatefulSet(
 		Command: []string{
 			"/bin/bash",
 		},
-		Args:  args,
-		Image: instance.Spec.Aodh.ListenerImage,
-		Name:  "aodh-listener",
-		Env:   env.MergeEnvs([]corev1.EnvVar{}, envVarsAodh),
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
+		Args:         args,
+		Image:        instance.Spec.Aodh.ListenerImage,
+		Name:         "aodh-listener",
+		Env:          env.MergeEnvs([]corev1.EnvVar{}, envVarsAodh),
 		VolumeMounts: listenerVolumeMounts,
 	}
 
@@ -208,6 +197,10 @@ func AodhStatefulSet(
 				notifierContainer,
 				listenerContainer,
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsUser:    &aodhUser,
+				RunAsNonRoot: ptr.To(true),
+			},
 		},
 	}
 

pkg/autoscaling/const.go

@@ -44,6 +44,9 @@ const (
 
 	// PrometheusEndpointSecret is the name of the secret containing Prometheus endpoint configuration
 	PrometheusEndpointSecret = "metric-storage-prometheus-endpoint"
+
+	// AodhUserID -
+	AodhUserID = 42402
 )
 
 // PrometheusReplicas -

pkg/autoscaling/dbsync.go

@@ -22,10 +22,11 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
-	dbSyncCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	dbSyncCommand = "/usr/local/bin/kolla_start"
 )
 
 // DbSyncJob func
@@ -42,7 +43,7 @@ func DbSyncJob(instance *autoscalingv1beta1.Autoscaling, labels map[string]strin
 		volumeMounts = append(volumeMounts, instance.Spec.Aodh.TLS.CreateVolumeMounts(nil)...)
 	}
 
-	runAsUser := int64(0)
+	runAsUser := int64(AodhUserID)
 	envVars := map[string]env.Setter{}
 	envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 	envVars["KOLLA_BOOTSTRAP"] = env.SetValue("TRUE")
@@ -80,7 +81,8 @@ func DbSyncJob(instance *autoscalingv1beta1.Autoscaling, labels map[string]strin
 							Args:  args,
 							Image: instance.Spec.Aodh.APIImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser:    &runAsUser,
+								RunAsNonRoot: ptr.To(true),
 							},
 							Env:          env.MergeEnvs(aodhPassword, envVars),
 							VolumeMounts: volumeMounts,

pkg/ceilometer/const.go

@@ -34,4 +34,7 @@ const (
 
 	// KollaConfigNotification -
 	KollaConfigNotification = "/var/lib/config-data/merged/config-notification.json"
+
+	// CeilometerUserID -
+	CeilometerUserID = 42405
 )

pkg/ceilometer/statefulset.go

@@ -35,7 +35,7 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
 	// CentralHCScript is the path to the central health check script
 	CentralHCScript = "/var/lib/openstack/bin/centralhealth.py"
 	// NotificationHCScript is the path to the notification health check script
@@ -49,7 +49,7 @@ func StatefulSet(
 	labels map[string]string,
 	topology *topologyv1.Topology,
 ) (*appsv1.StatefulSet, error) {
-	runAsUser := int64(0)
+	ceilometerUser := int64(CeilometerUserID)
 
 	// container probes
 	sgRootEndpointCurl := corev1.HTTPGetAction{
@@ -141,13 +141,10 @@ func StatefulSet(
 		Command: []string{
 			"/bin/bash",
 		},
-		Args:  args,
-		Image: instance.Spec.CentralImage,
-		Name:  "ceilometer-central-agent",
-		Env:   env.MergeEnvs([]corev1.EnvVar{}, envVarsCentral),
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
+		Args:          args,
+		Image:         instance.Spec.CentralImage,
+		Name:          "ceilometer-central-agent",
+		Env:           env.MergeEnvs([]corev1.EnvVar{}, envVarsCentral),
 		VolumeMounts:  centralVolumeMounts,
 		LivenessProbe: centralLivenessProbe,
 	}
@@ -156,32 +153,31 @@ func StatefulSet(
 		Command: []string{
 			"/bin/bash",
 		},
-		Args:  args,
-		Image: instance.Spec.NotificationImage,
-		Name:  "ceilometer-notification-agent",
-		Env:   env.MergeEnvs([]corev1.EnvVar{}, envVarsNotification),
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
+		Args:          args,
+		Image:         instance.Spec.NotificationImage,
+		Name:          "ceilometer-notification-agent",
+		Env:           env.MergeEnvs([]corev1.EnvVar{}, envVarsNotification),
 		VolumeMounts:  notificationVolumeMounts,
 		LivenessProbe: notificationLivenessProbe,
 	}
 	sgCoreContainer := corev1.Container{
 		ImagePullPolicy: corev1.PullAlways,
 		Image:           instance.Spec.SgCoreImage,
 		Name:            "sg-core",
+		VolumeMounts:    getSgCoreVolumeMounts(),
 		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
+			AllowPrivilegeEscalation: ptr.To(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{
+					"ALL",
+				},
+			},
 		},
-		VolumeMounts: getSgCoreVolumeMounts(),
 	}
 	proxyContainer := corev1.Container{
 		ImagePullPolicy: corev1.PullAlways,
 		Image:           instance.Spec.ProxyImage,
 		Name:            "proxy-httpd",
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
 		Ports: []corev1.ContainerPort{{
 			ContainerPort: int32(CeilometerPrometheusPort),
 			Name:          "proxy-httpd",
@@ -191,6 +187,14 @@ func StatefulSet(
 		LivenessProbe:  sgLivenessProbe,
 		Command:        []string{"/usr/sbin/httpd"},
 		Args:           []string{"-DFOREGROUND"},
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: ptr.To(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{
+					"ALL",
+				},
+			},
+		},
 	}
 
 	pod := corev1.PodTemplateSpec{
@@ -207,6 +211,12 @@ func StatefulSet(
 				sgCoreContainer,
 				proxyContainer,
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsUser:    &ceilometerUser,
+				RunAsGroup:   &ceilometerUser,
+				RunAsNonRoot: ptr.To(true),
+				FSGroup:      &ceilometerUser,
+			},
 		},
 	}
 

pkg/mysqldexporter/statefulset.go

@@ -42,8 +42,6 @@ func StatefulSet(
 	labels map[string]string,
 	topology *topologyv1.Topology,
 ) (*appsv1.StatefulSet, error) {
-	runAsUser := int64(0)
-
 	envVars := map[string]env.Setter{}
 	envVars["CONFIG_HASH"] = env.SetValue(configHash)
 
@@ -108,7 +106,12 @@ func StatefulSet(
 		Name:            ServiceName,
 		Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
 		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
+			AllowPrivilegeEscalation: ptr.To(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{
+					"ALL",
+				},
+			},
 		},
 		VolumeMounts: volumeMounts,
 	}
@@ -125,6 +128,12 @@ func StatefulSet(
 				mysqldExporterContainer,
 			},
 			Volumes: volumes,
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: ptr.To(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 		},
 	}
 

templates/autoscaling/config/aodh-api-config.json

@@ -29,7 +29,7 @@
       {
         "source": "/var/lib/openstack/config/ssl.conf",
         "dest": "/etc/httpd/conf.d/ssl.conf",
-        "owner": "root",
+        "owner": "aodh",
         "perm": "0644"
     },
     {
@@ -70,5 +70,12 @@
         "optional": true,
         "merge": true
     }
+  ],
+    "permissions": [
+      {
+	  "path": "/etc/httpd/run",
+	  "owner": "aodh:apache",
+	  "recurse": true
+      }
   ]
 }

templates/autoscaling/config/httpd.conf

@@ -19,6 +19,7 @@ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-A
 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
 CustomLog /dev/stdout combined env=!forwarded
 CustomLog /dev/stdout proxy env=forwarded
+ErrorLog /dev/stdout
 
 # XXX: To disable SSL
 #Include conf.d/*.conf

tests/kuttl/suites/autoscaling/tests/01-assert.yaml

@@ -11,25 +11,25 @@ spec:
   containers:
   - args:
     - -c
-    - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+    - /usr/local/bin/kolla_start
     command:
     - /bin/bash
     name: aodh-api
   - args:
     - -c
-    - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+    - /usr/local/bin/kolla_start
     command:
     - /bin/bash
     name: aodh-evaluator
   - args:
     - -c
-    - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+    - /usr/local/bin/kolla_start
     command:
     - /bin/bash
     name: aodh-notifier
   - args:
     - -c
-    - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+    - /usr/local/bin/kolla_start
     command:
     - /bin/bash
     name: aodh-listener
@@ -68,25 +68,25 @@ spec:
       containers:
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /bin/bash
         name: aodh-api
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /bin/bash
         name: aodh-evaluator
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /bin/bash
         name: aodh-notifier
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /bin/bash
         name: aodh-listener