Run haproxy pod with the nobody user (65534)

To be able to run with the nobody user, an init container
is used in the haproxy-anchor pod to change the ownership and
permissions of '/host/etc/promenade/haproxy'. Security conext
was included in 'etc/kubernetes/manifests/haproxy.yaml' and
'promenade/schemas/Genesis.yaml' schema was updated to included
run_as_user property for haproxy pod.

Change-Id: Id248face0be43c417284ceb781997634a9c4dd5e

charts/haproxy/templates/bin/_anchor.tpl

@@ -114,6 +114,7 @@ install_config() {
             echo HAProxy config file unchanged.
         fi
         chmod -R go-rwx $(dirname "$HAPROXY_CONF")
+        chown -R $RUNASUSER:$RUNASUSER $(dirname "$HAPROXY_CONF")
     fi
 }
 

charts/haproxy/templates/bin/_perms_update.tpl

@@ -0,0 +1,24 @@
+#!/bin/sh
+{{/*
+Copyright 2019 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+
+set -x
+
+RUNASUSER={{ .Values.pod.security_context.haproxy.pod.runAsUser }}
+chown -R $RUNASUSER:$RUNASUSER $(dirname /host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg)
+chmod -R go-rwx $(dirname /host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg)

charts/haproxy/templates/configmap-bin.yaml

@@ -23,3 +23,5 @@ data:
 {{ tuple "bin/_anchor.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   pre_stop.sh: |
 {{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  perms_update.sh: |
+{{ tuple "bin/_perms_update.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}

charts/haproxy/templates/daemonset.yaml

@@ -46,6 +46,23 @@ spec:
           operator: Exists
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.haproxy_anchor.timeout }}
       serviceAccountName: haproxy-anchor
+      initContainers:
+        - name: haproxy-perms
+          image: {{ .Values.images.tags.anchor }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ dict "envAll" $envAll "application" "haproxy" "container" "haproxy_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.haproxy_anchor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /tmp/perms_update.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: haproxy-bin
+              mountPath: /tmp/perms_update.sh
+              subPath: perms_update.sh
+              readOnly: false
+            - name: host
+              mountPath: /host
       containers:
         - name: anchor
           image: {{ .Values.images.tags.anchor }}
@@ -66,6 +83,8 @@ spec:
               value: /var/run/secrets/kubernetes.io/serviceaccount/token
             - name: KUBE_URL
               value: {{ .Values.conf.anchor.kubernetes_url | quote }}
+            - name: RUNASUSER
+              value: {{ .Values.pod.security_context.haproxy.pod.runAsUser | quote }}
           command:
             - /tmp/bin/anchor.sh
           lifecycle:
@@ -92,3 +111,5 @@ spec:
         - name: host
           hostPath:
             path: /
+        - name: pod-tmp
+          emptyDir: {}

charts/haproxy/templates/etc/_haproxy.yaml.tpl

@@ -52,6 +52,7 @@ spec:
             cat "$HAPROXY_CONF"
             echo
             cp "$HAPROXY_CONF" "$LIVE_HAPROXY_CONF"
+            chmod 700 $LIVE_HAPROXY_CONF
 
             # NOTE(mark-burnett): sleep for clearer log output
             sleep 1
@@ -97,3 +98,4 @@ spec:
     - name: etc
       hostPath:
         path: {{ .Values.conf.haproxy.host_config_dir }}
+{{ dict "envAll" $envAll "application" "haproxy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}

charts/haproxy/values.yaml

@@ -86,6 +86,12 @@ pod:
           runAsUser: 0
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
+    haproxy:
+      pod:
+        runAsUser: 65534
+      container:
+        haproxy_perms:
+          runAsUser: 0
   lifecycle:
     upgrades:
       daemonsets:

examples/basic/Genesis.yaml

@@ -44,6 +44,8 @@ data:
       - kubernetes-scheduler=enabled
       - promenade-genesis=enabled
       - ucp-control-plane=enabled
+  haproxy:
+    run_as_user: 65534
   images:
     armada: quay.io/airshipit/armada:master-ubuntu_xenial
     helm:

examples/complete/Genesis.yaml

@@ -30,6 +30,8 @@ data:
       - kubernetes-scheduler=enabled
       - promenade-genesis=enabled
       - ucp-control-plane=enabled
+  haproxy:
+    run_as_user: 65534
   images:
     armada: quay.io/airshipit/armada:master-ubuntu_xenial
     helm:

examples/gate/Genesis.yaml

@@ -44,6 +44,8 @@ data:
       - kubernetes-scheduler=enabled
       - promenade-genesis=enabled
       - ucp-control-plane=enabled
+  haproxy:
+    run_as_user: 65534
   images:
     armada: quay.io/airshipit/armada:master-ubuntu_xenial
     helm:

promenade/schemas/Genesis.yaml

@@ -121,6 +121,13 @@ data:
       items:
         $ref: '#/definitions/file'
 
+    haproxy:
+      type: object
+      properties:
+        run_as_user:
+          type: integer
+      additionalProperties: false
+
     hostname:
       $ref: '#/definitions/hostname'
 

promenade/templates/roles/common/etc/kubernetes/manifests/haproxy.yaml

@@ -37,3 +37,5 @@ spec:
     - name: etc
       hostPath:
         path: /etc/promenade/haproxy
+  securityContext:
+    runAsUser: {{ config.get_path('Genesis:haproxy.run_as_user', '65534') }}