openstack/openstack-helm-infra
Code Issues Proposed changes

Run mon container as ceph user

Browse Source 
This PS is to address security best practices concerning running
containers as a non-privileged user and disallowing privilege
escalation.

Change-Id: If4c0e9fe446091ba75d1a9818ffd3a0933285af4
This commit is contained in:
Ritchie, Frank (fr801x) 2021-01-20 15:43:41 -05:00 committed by Frank Ritchie
parent 6cf614d7a8
commit 75a115ea29
3 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ceph-mon/Chart.yaml
View File

@ -15,6 +15,6 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Ceph Mon description: OpenStack-Helm Ceph Mon
name: ceph-mon name: ceph-mon
version: 0.1.2 version: 0.1.3
home: https://github.com/ceph/ceph home: https://github.com/ceph/ceph
... ...

2
ceph-mon/templates/bin/mon/_start.sh.tpl
View File

@ -42,7 +42,7 @@ MON_DATA_DIR="/var/lib/ceph/mon/${CLUSTER}-${MON_NAME}"
MONMAP="/etc/ceph/monmap-${CLUSTER}" MONMAP="/etc/ceph/monmap-${CLUSTER}"
# Make the monitor directory # Make the monitor directory
su -s /bin/sh -c "mkdir -p \"${MON_DATA_DIR}\"" ceph /bin/sh -c "mkdir -p \"${MON_DATA_DIR}\""
function get_mon_config { function get_mon_config {
# Get fsid from ceph.conf # Get fsid from ceph.conf

3
ceph-mon/values.yaml
View File

@ -56,8 +56,9 @@ pod:
runAsUser: 0 runAsUser: 0
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
ceph_mon: ceph_mon:
runAsUser: 0 runAsUser: 64045
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
moncheck: moncheck:
pod: pod:
runAsUser: 65534 runAsUser: 65534