Run maas-rack and maas-region containers as non-privileged

The maas-rack and maas-region containers can successfully run and function
as non-privileged if given the appropriate Linux capabilities. This change
is a security enhancement as the maas-rack and maas-region containers now only
have access to the capabilities they need to do their jobs - instead of having full
root access.

The capabilities listed in the `statefulset-rack` and `statefulset-region`
charts function as a whitelist in that the maas-rack and maas-region containers
only have access to the Linux capabilities listed in their SecurityContext
along with the default capabilities that Docker gives to unprivileged containers.
The default list of capabilities includes the following:
  - SETPCAP
  - MKNOD
  - AUDIT_WRITE
  - CHOWN
  - NET_RAW
  - DAC_OVERRIDE
  - FOWNER
  - FSETID
  - KILL
  - SETGID
  - SETUID
  - NET_BIND_SERVICE
  - SYS_CHROOT
  - SETFCAP

The bcc-capable tool [0] was used to discover which Linux capabilities the
maas-rack and maas-region containers invoke. The capable tool has the ability
to record the Linux capabilities that are invoked by all the processes running
in the container. While still running as privileged, the capable tool was
installed and run within the container during maas bootstrapping. When
bootstrapping was complete, the list of Linux capabilities was reviewed and
added to the appropriate charts.

[0] https://github.com/iovisor/bcc/blob/master/tools/capable.py

Change-Id: I11cf1da8ea8219320c4d3028502c133391116201
Rick Bartra 2019-01-31 21:05:23 +00:00
parent 79db1a1811
commit 7857fdf2cf
2 changed files with 16 additions and 2 deletions
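The review step the commit message describes, turning a `capable` trace into the chart's `add:` list, as an added example that is not code from this commit or from MAAS. It assumes the column layout printed by bcc's capable.py (TIME UID PID COMM CAP NAME AUDIT); the trace rows are constructed sample data, not a real maas trace, and the `drop_all` switch goes beyond the commit to show what changes if the chart also drops Docker's default set.

```python
"""Turn a bcc `capable` trace into the chart's capabilities `add:` list.
Added illustration, not code from this commit or from MAAS. Assumes the
capable.py column layout; SAMPLE_TRACE is constructed, not a real trace."""
import re

# Docker's default set for unprivileged containers, per the commit message;
# without `drop: ALL` these stay granted whether or not they are listed.
DOCKER_DEFAULT_CAPS = {
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "NET_RAW", "DAC_OVERRIDE",
    "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE",
    "SYS_CHROOT", "SETFCAP",
}

SAMPLE_TRACE = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
12:00:01  0      4242   start.sh         21   CAP_SYS_ADMIN        1
12:00:02  0      4250   twistd           12   CAP_NET_ADMIN        1
12:00:02  0      4250   twistd           12   CAP_NET_ADMIN        1
12:00:03  0      4260   ntpd             25   CAP_SYS_TIME         1
12:00:03  0      4260   ntpd             6    CAP_SETGID           1
12:00:04  0      4270   rackd            2    CAP_DAC_READ_SEARCH  1
"""

# One trace row; the header and any malformed line simply do not match.
_ROW = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+)\s+\d+\s+CAP_(\w+)\s+\d+")

def parse_capable(trace: str) -> dict[str, set[str]]:
    """Map each capability (CAP_ prefix stripped) to the commands that used it."""
    used: dict[str, set[str]] = {}
    for line in trace.splitlines():
        m = _ROW.match(line)
        if m:
            comm, cap = m.groups()
            used.setdefault(cap, set()).add(comm)
    return used

def caps_to_add(trace: str, drop_all: bool = False) -> list[str]:
    """Sorted `add:` list. drop_all=False is this commit's approach (defaults
    stay granted); with drop_all=True every observed cap must be added back."""
    observed = set(parse_capable(trace))
    return sorted(observed if drop_all else observed - DOCKER_DEFAULT_CAPS)

def render_security_context(trace: str, drop_all: bool = False) -> str:
    """YAML fragment in the chart's own quoting style."""
    out = ["securityContext:", "  capabilities:"]
    if drop_all:
        out += ["    drop:", "      - 'ALL'"]
    out += ["    add:"] + [f"      - '{c}'" for c in caps_to_add(trace, drop_all)]
    return "\n".join(out)
```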


@ -75,7 +75,14 @@ spec:
command:
- /tmp/start.sh
securityContext:
privileged: true
capabilities:
add:
- 'DAC_READ_SEARCH'
- 'NET_ADMIN'
- 'SYS_ADMIN'
- 'SYS_PTRACE'
- 'SYS_RESOURCE'
- 'SYS_TIME'
readinessProbe:
initialDelaySeconds: 60
periodSeconds: 300
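Review bot: `SYS_ADMIN` in the rack `add:` list is close to `privileged: true` in practice (it gates mount, namespace and a long tail of other privileged operations), so dropping the `privileged: true` line buys less than the commit message describes until that entry is justified; the capable trace should show which rack process needed it, and that belongs in the commit message or a comment beside the entry. Because the hunk only adds capabilities and drops none, the Docker default set named in the commit message (MKNOD, NET_RAW, SETUID, ...) is still granted implicitly; a `drop:` entry next to `add:` would make the chart state the effective set. The trace also covered bootstrapping only, so a steady-state run of the rack container before merge would catch capabilities that were never observed.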


@ -65,7 +65,14 @@ spec:
tcpSocket:
port: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
securityContext:
privileged: true
capabilities:
add:
- 'SYS_ADMIN'
- 'NET_ADMIN'
- 'SYS_PTRACE'
- 'SYS_TIME'
- 'SYS_RESOURCE'
- 'DAC_READ_SEARCH'
command:
- /tmp/start.sh
volumeMounts:
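Review bot: the region `add:` list is the same six capabilities as the rack hunk in a different order, which reads as one trace mirrored into both charts; the commit message says each container was traced, so if any of these entries did not appear in the region trace it should be removed here rather than carried over, and the remaining entries sorted the same way as in the rack chart. As with the rack chart, `SYS_ADMIN` and `SYS_PTRACE` deserve a one-line justification beside the entry, and a `drop:` list would make the effective capability set explicit instead of relying on Docker's defaults.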