From 7857fdf2cffebfec089a31de6020a09267ba9908 Mon Sep 17 00:00:00 2001
From: Rick Bartra
Date: Thu, 31 Jan 2019 21:05:23 +0000
Subject: [PATCH] Run maas-rack and maas-region containers as non-privileged

The maas-rack and maas-region containers can successfully run and function as non-privileged if given the appropriate Linux capabilities. This change is a security enhancement as the maas-rack and maas-region containers now only have access to the capabilities they need to do their job - instead of having full root access.

The capabilities listed in the `statefulset-rack` and `statefulset-region` charts function as a whitelist in that the maas-rack and maas-region containers only have access to the Linux capabilities listed in their SecurityContext along with the default capabilities that Docker gives to unprivileged containers. The default list of capabilities includes the following:

- SETPCAP
- MKNOD
- AUDIT_WRITE
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- SETGID
- SETUID
- NET_BIND_SERVICE
- SYS_CHROOT
- SETFCAP

The bcc-capable tool [0] was used to discover which Linux capabilities the maas-rack and maas-region containers invoke. The capable tool has the ability to record the Linux capabilities that are invoked by all the processes running in the container. While still running as privileged, the capable tool was installed and run within the container during maas bootstrapping. When bootstrapping was complete, the list of Linux capabilities was reviewed and added to the appropriate charts.

[0] https://github.com/iovisor/bcc/blob/master/tools/capable.py

Change-Id: I11cf1da8ea8219320c4d3028502c133391116201
---
 charts/maas/templates/statefulset-rack.yaml   | 9 ++++++++-
 charts/maas/templates/statefulset-region.yaml | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/charts/maas/templates/statefulset-rack.yaml b/charts/maas/templates/statefulset-rack.yaml
index 1c99ffc..60d0920 100644
--- a/charts/maas/templates/statefulset-rack.yaml
+++ b/charts/maas/templates/statefulset-rack.yaml @@ -75,7 +75,14 @@ spec: command: - /tmp/start.sh securityContext: - privileged: true + capabilities: + add: + - 'DAC_READ_SEARCH' + - 'NET_ADMIN' + - 'SYS_ADMIN' + - 'SYS_PTRACE' + - 'SYS_RESOURCE' + - 'SYS_TIME' readinessProbe: initialDelaySeconds: 60 periodSeconds: 300 diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml index a165118..9aafd17 100644 --- a/charts/maas/templates/statefulset-region.yaml +++ b/charts/maas/templates/statefulset-region.yaml @@ -65,7 +65,14 @@ spec: tcpSocket: port: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} securityContext: - privileged: true + capabilities: + add: + - 'SYS_ADMIN' + - 'NET_ADMIN' + - 'SYS_PTRACE' + - 'SYS_TIME' + - 'SYS_RESOURCE' + - 'DAC_READ_SEARCH' command: - /tmp/start.sh volumeMounts:
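Review bot: In the statefulset-rack.yaml hunk the new `capabilities:` block only has an `add:` list and no `drop:`, so the container keeps Docker's full default set (NET_RAW, MKNOD, DAC_OVERRIDE, etc.) on top of the six added ones, which is weaker than the "whitelist" the commit message describes; consider adding `drop: - ALL` before the `add:` list and then re-adding only the defaults the capable trace actually showed in use. Also worth flagging that `SYS_ADMIN` and `SYS_PTRACE` are the two broadest entries in that list (SYS_ADMIN alone covers mounts, namespaces and a large set of privileged ioctls), so a one-line comment in the template recording which MAAS rack function needs each of the six capabilities would help future reviewers judge whether they can be narrowed; and since the message says the trace was taken during bootstrapping only, the change should be exercised against the rack controller's ongoing duties (the readiness probe shown has a 300 s period, so a missing capability would surface slowly).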
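Review bot: The statefulset-region.yaml hunk adds exactly the same six capabilities as the rack chart but in a different order (`SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_TIME, SYS_RESOURCE, DAC_READ_SEARCH` here versus alphabetical in the rack chart); please use one ordering in both templates so diffs between the two stay readable. Same point as on the rack hunk about the missing `drop: - ALL`. Given that the commit message says capable was run in each container separately, it would be good to confirm in the message that the region controller really invoked all six (in particular `NET_ADMIN` and `SYS_TIME`) rather than the union of both traces being applied to both charts; if the region set is in fact smaller, trimming it here is the cheapest privilege reduction in this change.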