Run haproxy pod with the nobody user (65534)
To be able to run with the nobody user, an init container is used in the haproxy-anchor pod to change the ownership and permissions of '/host/etc/promenade/haproxy'. A security context was included in 'etc/kubernetes/manifests/haproxy.yaml' and the 'promenade/schemas/Genesis.yaml' schema was updated to include the run_as_user property for the haproxy pod. Change-Id: Id248face0be43c417284ceb781997634a9c4dd5e
This commit is contained in:
parent
bfd9b79591
commit
19169bb458
|
@ -114,6 +114,7 @@ install_config() {
|
|||
echo HAProxy config file unchanged.
|
||||
fi
|
||||
chmod -R go-rwx $(dirname "$HAPROXY_CONF")
|
||||
chown -R $RUNASUSER:$RUNASUSER $(dirname "$HAPROXY_CONF")
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
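Review bot: The new `chown -R $RUNASUSER:$RUNASUSER $(dirname "$HAPROXY_CONF")` in install_config() does nothing if RUNASUSER is empty — on GNU coreutils a bare `:` owner spec means "change neither owner nor group" — so the directory stays root-owned with `go-rwx` and an haproxy running as 65534 cannot read its own config, with no error at this point. Fail loudly instead with `: "${RUNASUSER:?RUNASUSER must be set}"` before the chown, and quote the expansions to match the quoting already used for `$HAPROXY_CONF`: `chown -R "$RUNASUSER:$RUNASUSER" "$(dirname "$HAPROXY_CONF")"`. install_config() begins before this hunk, so whether the script runs under `set -e` is not visible here.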
@ -0,0 +1,24 @@
|
|||
#!/bin/sh
|
||||
{{/*
|
||||
Copyright 2019 AT&T Intellectual Property. All other rights reserved.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- $envAll := . }}
|
||||
|
||||
set -x
|
||||
|
||||
RUNASUSER={{ .Values.pod.security_context.haproxy.pod.runAsUser }}
|
||||
chown -R $RUNASUSER:$RUNASUSER $(dirname /host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg)
|
||||
chmod -R go-rwx $(dirname /host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg)
|
|
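Review bot: perms_update.sh enables only `set -x`, so a failed `chown` or `chmod` still exits 0, the init container is reported successful, and the haproxy pod starts against a directory it cannot read — the failure surfaces later as an haproxy error rather than here. Add `set -e`, compute the directory once instead of going through `dirname .../haproxy.cfg`, and quote the expansions; if the anchor container, not this script, is what creates the directory on a fresh node (not visible in this diff), a `mkdir -p` keeps the stricter script from failing on first run. The `{{- $envAll := . }}` assignment is unused and can be dropped.
```shell
set -ex

RUNASUSER="{{ .Values.pod.security_context.haproxy.pod.runAsUser }}"
CONF_DIR="/host{{ .Values.conf.haproxy.host_config_dir }}"

# Created here (as root) if the anchor has not written the config yet;
# ownership is then handed to the haproxy uid before the pod starts.
mkdir -p "$CONF_DIR"
chown -R "$RUNASUSER:$RUNASUSER" "$CONF_DIR"
chmod -R go-rwx "$CONF_DIR"
```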
@ -23,3 +23,5 @@ data:
|
|||
{{ tuple "bin/_anchor.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
pre_stop.sh: |
|
||||
{{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
perms_update.sh: |
|
||||
{{ tuple "bin/_perms_update.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
|
|
|
@ -46,6 +46,23 @@ spec:
|
|||
operator: Exists
|
||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.haproxy_anchor.timeout }}
|
||||
serviceAccountName: haproxy-anchor
|
||||
initContainers:
|
||||
- name: haproxy-perms
|
||||
image: {{ .Values.images.tags.anchor }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ dict "envAll" $envAll "application" "haproxy" "container" "haproxy_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.haproxy_anchor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
command:
|
||||
- /tmp/perms_update.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: haproxy-bin
|
||||
mountPath: /tmp/perms_update.sh
|
||||
subPath: perms_update.sh
|
||||
readOnly: false
|
||||
- name: host
|
||||
mountPath: /host
|
||||
containers:
|
||||
- name: anchor
|
||||
image: {{ .Values.images.tags.anchor }}
|
||||
|
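Review bot: The haproxy-perms init container runs as root (values set `haproxy_perms.runAsUser: 0`) with the whole host filesystem mounted read-write at `/host` (the `host` volume is `hostPath: /`), and then runs recursive `chown`/`chmod go-rwx` on a path derived from `.Values.conf.haproxy.host_config_dir` — a mis-set or empty value turns that into `chmod -R go-rwx /host`, i.e. the node's root filesystem. Mount only the config directory into this container, as the haproxy daemonset already does with its `etc` hostPath volume, so the worst case is bounded to that directory; with `type: DirectoryOrCreate` the mount still works on a node where the directory does not exist yet, and an empty value fails pod creation instead of touching `/`. The script mount's `readOnly: false` should be `readOnly: true` — a configmap-backed script has no reason to be writable. The pod's volume list is in a later hunk of this file.
```yaml
      initContainers:
        - name: haproxy-perms
          # … unchanged: image, security context, resources, command …
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: haproxy-bin
              mountPath: /tmp/perms_update.sh
              subPath: perms_update.sh
              readOnly: true
            - name: haproxy-etc
              mountPath: /host{{ .Values.conf.haproxy.host_config_dir }}
      # … unchanged: anchor container …
      volumes:
        # … unchanged: existing volumes …
        - name: haproxy-etc
          hostPath:
            path: {{ .Values.conf.haproxy.host_config_dir }}
            type: DirectoryOrCreate
```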
@ -66,6 +83,8 @@ spec:
|
|||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
- name: KUBE_URL
|
||||
value: {{ .Values.conf.anchor.kubernetes_url | quote }}
|
||||
- name: RUNASUSER
|
||||
value: {{ .Values.pod.security_context.haproxy.pod.runAsUser | quote }}
|
||||
command:
|
||||
- /tmp/bin/anchor.sh
|
||||
lifecycle:
|
||||
|
@ -92,3 +111,5 @@ spec:
|
|||
- name: host
|
||||
hostPath:
|
||||
path: /
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
|
|
|
@ -52,6 +52,7 @@ spec:
|
|||
cat "$HAPROXY_CONF"
|
||||
echo
|
||||
cp "$HAPROXY_CONF" "$LIVE_HAPROXY_CONF"
|
||||
chmod 700 $LIVE_HAPROXY_CONF
|
||||
|
||||
# NOTE(mark-burnett): sleep for clearer log output
|
||||
sleep 1
|
||||
|
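Review bot: `chmod 700 $LIVE_HAPROXY_CONF` sets the execute bit on what, judging by the `cp` of a single config file on the previous line, is a file that is only ever read; `chmod 600 "$LIVE_HAPROXY_CONF"` gives the same protection without it, and quoting the variable matches `cp "$HAPROXY_CONF" "$LIVE_HAPROXY_CONF"` directly above. This is inside the haproxy pod's command script, which starts and ends outside the hunk, so whether the destination directory is writable by the pod's new uid 65534 cannot be checked here.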
@ -97,3 +98,4 @@ spec:
|
|||
- name: etc
|
||||
hostPath:
|
||||
path: {{ .Values.conf.haproxy.host_config_dir }}
|
||||
{{ dict "envAll" $envAll "application" "haproxy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
|
|
|
@ -86,6 +86,12 @@ pod:
|
|||
runAsUser: 0
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
haproxy:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
haproxy_perms:
|
||||
runAsUser: 0
|
||||
lifecycle:
|
||||
upgrades:
|
||||
daemonsets:
|
||||
|
|
|
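Review bot: `haproxy.pod.runAsUser: 65534` states the intent but nothing enforces it — add `runAsNonRoot: true` beside it so the kubelet refuses to start the pod if an override sets the uid back to 0. The new `haproxy_perms` entry gives the root-running init container only `runAsUser: 0`, while the container entry in the context lines directly above also carries `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; the init container writes only under `/host` and `/tmp`, both separate mounts, so adding `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` under `haproxy_perms` should be safe and keeps the two root containers consistent.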
@ -44,6 +44,8 @@ data:
|
|||
- kubernetes-scheduler=enabled
|
||||
- promenade-genesis=enabled
|
||||
- ucp-control-plane=enabled
|
||||
haproxy:
|
||||
run_as_user: 65534
|
||||
images:
|
||||
armada: quay.io/airshipit/armada:master-ubuntu_xenial
|
||||
helm:
|
||||
|
|
|
@ -30,6 +30,8 @@ data:
|
|||
- kubernetes-scheduler=enabled
|
||||
- promenade-genesis=enabled
|
||||
- ucp-control-plane=enabled
|
||||
haproxy:
|
||||
run_as_user: 65534
|
||||
images:
|
||||
armada: quay.io/airshipit/armada:master-ubuntu_xenial
|
||||
helm:
|
||||
|
|
|
@ -44,6 +44,8 @@ data:
|
|||
- kubernetes-scheduler=enabled
|
||||
- promenade-genesis=enabled
|
||||
- ucp-control-plane=enabled
|
||||
haproxy:
|
||||
run_as_user: 65534
|
||||
images:
|
||||
armada: quay.io/airshipit/armada:master-ubuntu_xenial
|
||||
helm:
|
||||
|
|
|
@ -121,6 +121,13 @@ data:
|
|||
items:
|
||||
$ref: '#/definitions/file'
|
||||
|
||||
haproxy:
|
||||
type: object
|
||||
properties:
|
||||
run_as_user:
|
||||
type: integer
|
||||
additionalProperties: false
|
||||
|
||||
hostname:
|
||||
$ref: '#/definitions/hostname'
|
||||
|
||||
|
|
|
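Review bot: `run_as_user` is constrained only by `type: integer`, so `0` (root, which defeats the purpose of the option) and negative values (which render an invalid `runAsUser`) both pass validation. Add `minimum: 1` under `run_as_user` — or `minimum: 0` if running haproxy as root must remain an explicit choice — and a `description` stating that this uid must be able to read the haproxy config directory, so operators know what the value is coupled to.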
@ -37,3 +37,5 @@ spec:
|
|||
- name: etc
|
||||
hostPath:
|
||||
path: /etc/promenade/haproxy
|
||||
securityContext:
|
||||
runAsUser: {{ config.get_path('Genesis:haproxy.run_as_user', '65534') }}
|
||||
|
|
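Review bot: The static pod's `securityContext` sets `runAsUser` but not `runAsNonRoot: true`, which is the setting that makes the kubelet reject a uid of 0; add it next to the templated line. The default passed to `config.get_path` is the string `'65534'` while the schema declares the field an integer — both render as the same bare scalar so it works, but an integer `65534` is less surprising to the next reader. Note that the ownership fix for `/etc/promenade/haproxy` in this change lives in the haproxy-anchor init container, a different pod; whatever writes that directory on the genesis node before the anchor runs must already leave it readable by uid 65534, which this diff does not show — worth confirming before merging.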