Browse Source

Run maas-rack and maas-region containers as non-privileged

The maas-rack and maas-region containers can successfully run and function
as non-privileged if given the appropriate Linux capabilities. This change
is a security enhancement as the maas-rack and maas-region containers now only
have access to the capabiities it needs to do its job - instead of having full
root access.

The capabilities listed in the `statefulset-rack` and `statefulset-region`
charts function as a whitelist in that the maas-rack and maas-region containers
only have access to the Linux capabilities listed in their SecurityContext
along with the default capabilties that Docker gives to unprivileged containers.
The default list of capabilties include the following:
  - SETPCAP
  - MKNOD
  - AUDIT_WRITE
  - CHOWN
  - NET_RAW
  - DAC_OVERRIDE
  - FOWNER
  - FSETID
  - KILL
  - SETGID
  - SETUID
  - NET_BIND_SERVICE
  - SYS_CHROOT
  - SETFCAP

The bcc-capable tool [0] was used to discover which Linux capabilities the
maas-rack and maas-region containers invoke. The capabale tool, has the ability
to record the Linux capabiltiies that are invoked by all the processes running
in the container. While still running as privileged, the capable tool was
installed and ran within the container during maas bootstrapping. When
bootstrapping was complete, the list of Linux capabilities were reviewed and
added to the appropriate charts.

[0]https://github.com/iovisor/bcc/blob/master/tools/capable.py

Change-Id: I11cf1da8ea8219320c4d3028502c133391116201
Rick Bartra 2 months ago
parent
commit
7857fdf2cf

+ 8
- 1
charts/maas/templates/statefulset-rack.yaml View File

@@ -75,7 +75,14 @@ spec:
75 75
           command:
76 76
             - /tmp/start.sh
77 77
           securityContext:
78
-            privileged: true
78
+            capabilities:
79
+              add:
80
+                - 'DAC_READ_SEARCH'
81
+                - 'NET_ADMIN'
82
+                - 'SYS_ADMIN'
83
+                - 'SYS_PTRACE'
84
+                - 'SYS_RESOURCE'
85
+                - 'SYS_TIME'
79 86
           readinessProbe:
80 87
             initialDelaySeconds: 60
81 88
             periodSeconds: 300

+ 8
- 1
charts/maas/templates/statefulset-region.yaml View File

@@ -65,7 +65,14 @@ spec:
65 65
             tcpSocket:
66 66
               port: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
67 67
           securityContext:
68
-            privileged: true
68
+            capabilities:
69
+              add:
70
+                - 'SYS_ADMIN'
71
+                - 'NET_ADMIN'
72
+                - 'SYS_PTRACE'
73
+                - 'SYS_TIME'
74
+                - 'SYS_RESOURCE'
75
+                - 'DAC_READ_SEARCH'
69 76
           command:
70 77
             - /tmp/start.sh
71 78
           volumeMounts:

Loading…
Cancel
Save