From 5641cc1117dcc65b0fddb17b86d5f9e79391b4d1 Mon Sep 17 00:00:00 2001
From: "BARTRA, RICK"
Date: Tue, 7 May 2019 14:32:24 -0400
Subject: [PATCH] maas-ingress and maas-ingress-errors pods with non-root user
Run the maas-ingress and maas-ingress-vip containers with the 'www-data' (33) user
Run the maas-ingress-errors container with the error-page image [0], from [1] which already runs as nobody user.
[0] Dockerfile.404-server-with-metrics
[1] https://github.com/kubernetes/ingress-gce
Change-Id: Idf3791a958017d512bb3f5015b59452e2831b1b3
---
 .../templates/deployment-ingress-errors.yaml | 20 +++----------------
 .../templates/deployment-maas-ingress.yaml | 6 ++----
 charts/maas/values.yaml | 11 +++++++---
 3 files changed, 13 insertions(+), 24 deletions(-)
diff --git a/charts/maas/templates/deployment-ingress-errors.yaml b/charts/maas/templates/deployment-ingress-errors.yaml
index a702d0f..205ee40 100644
--- a/charts/maas/templates/deployment-ingress-errors.yaml
+++ b/charts/maas/templates/deployment-ingress-errors.yaml
@@ -45,21 +45,7 @@ spec:
 image: {{ .Values.images.tags.error_pages }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
- command:
- - /tmp/maas-ingress-errors.sh
- - start
- env:
- - name: BIND_PORT
- value: {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- volumeMounts:
- - mountPath: /tmp/maas-ingress-errors.sh
- name: maas-bin
- subPath: maas-ingress-errors
- readOnly: true
- volumes:
- - name: maas-bin
- configMap:
- name: maas-bin
- defaultMode: 0555
+ args:
+ - "-port"
+ - {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
 {{- end }}
diff --git a/charts/maas/templates/deployment-maas-ingress.yaml b/charts/maas/templates/deployment-maas-ingress.yaml
index ef657b6..8ba9dcf 100644
--- a/charts/maas/templates/deployment-maas-ingress.yaml
+++ b/charts/maas/templates/deployment-maas-ingress.yaml
@@ -196,11 +196,10 @@ spec:
 image: {{ .Values.images.tags.ingress_vip }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_vip | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
+{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 capabilities:
 add:
 - 'NET_ADMIN'
- runAsUser: 0
 command:
 - /bin/init
 env:
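Review bot: Removing the `kubernetes_container_security_context` include leaves maas_ingress_errors with no container securityContext, so the `readOnlyRootFilesystem: true` that values.yaml still keeps under `pod.security_context.ingress_errors.container.maas_ingress_errors` is never rendered, and non-root execution now rests on the image's USER rather than on the pod spec. The pod-level include that would apply `runAsUser: 65534` is outside this hunk, so I cannot confirm it is present for this deployment. Keep the line `{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` above the new `args:` block so the kubelet, not the image, enforces the uid and the read-only root filesystem; if the new image needs a writable root, change the value rather than dropping the mechanism. A one-line comment above `args:` such as `# listen port is passed as a flag; the old BIND_PORT env and wrapper script are gone` would save the next reader a trip to the image's Dockerfile.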
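Review bot: Adding `NET_ADMIN` beneath the include is unlikely to do anything now that `runAsUser: 33` comes from values for maas_ingress_vip: Kubernetes only places added capabilities in the bounding and permitted sets, and a non-root process keeps none of them across exec unless the binary carries file capabilities, which `docker.io/busybox:latest` does not ship with as far as I know, so whatever `/bin/init` does to configure the VIP (inferred from the container name) would fail with EPERM where it succeeded as uid 0. Verify the VIP still comes up in a deployment, or leave this one container on uid 0 until the privileged step moves to a setcap'd binary or an init container. Separately, this hunk and the `@@ -224` hunk both append a hand-written `capabilities:` mapping under a `securityContext:` that the helm-toolkit include now renders from values; if `capabilities` is later also set in values the rendered manifest carries a duplicate key that most loaders resolve silently last-wins, so the cleaner form is a `capabilities` entry under `pod.security_context.ingress.container.maas_ingress_vip` (and `maas_ingress`) in values.yaml with nothing hand-written after the include. The indentation of the appended lines relative to the include's `indent 10` output is not recoverable from this collapsed diff, so please confirm `helm template` renders a single `securityContext` mapping for each container.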
@@ -224,11 +223,10 @@ spec:
 image: {{ .Values.images.tags.ingress }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
+{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 capabilities:
 add:
 - 'NET_BIND_SERVICE'
- runAsUser: 0
 command:
 - /tmp/maas-ingress.sh
 - start
diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml
index baaa8ad..e81a165 100644
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@@ -98,7 +98,7 @@ images:
 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
 ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
 ingress_vip: docker.io/busybox:latest
- error_pages: gcr.io/google_containers/defaultbackend:1.0
+ error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
 maas_syslog: quay.io/airshipit/maas-region-controller:latest
 pull_policy: IfNotPresent
 local_registry:
@@ -284,12 +284,17 @@ pod:
 syslog:
 runAsUser: 99
 readOnlyRootFilesystem: true
+ ingress:
+ container:
+ maas_ingress:
+ runAsUser: 33
+ maas_ingress_vip:
+ runAsUser: 33
 ingress_errors:
 pod:
- runAsUser: 99
+ runAsUser: 65534
 container:
 maas_ingress_errors:
- runAsUser: 0
 readOnlyRootFilesystem: true
 affinity:
 anti:
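Review bot: The maas_ingress container keeps `add: - 'NET_BIND_SERVICE'` but drops nothing, so it still inherits the runtime's default capability set while it now runs as uid 33 (the upstream controller image has carried a file capability on nginx since it moved to non-root, so binding to ports 80/443 should keep working without uid 0, but this is worth checking on the first deployment). Upstream's reference manifest for this controller version pairs `runAsUser: 33` with `drop: - ALL` before the `add:`; the same three lines here — `capabilities:` / `  drop:` / `    - ALL` ahead of the existing `add:` — would complete the least-privilege intent of the commit. The removed `runAsUser: 0` line means `/tmp/maas-ingress.sh` now runs as www-data too; if that wrapper writes anywhere outside the image's writable paths, that is the other place to test.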
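Review bot: The new `ingress:` block under `pod.security_context` only pins `runAsUser: 33` per container, so a later image or values override that puts either container back on uid 0 would be accepted silently. Adding `pod:` / `  runAsNonRoot: true` above the new `container:` key (and likewise under `ingress_errors.pod`, next to `runAsUser: 65534`) makes the kubelet refuse to start the pod in that case, which is the guarantee this commit is after — assuming the ingress deployment template renders the pod-level security-context include, which is not visible from values.yaml. A comment above `runAsUser: 65534` such as `# nobody, matching the USER set in the 404-server image` would record why the uid moved from 99.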