Run haproxy pod with the nobody user (65534)
To be able to run with the nobody user, an init container is used in the haproxy-anchor pod to change the ownership and permissions of '/host/etc/promenade/haproxy'. A security context was included in 'etc/kubernetes/manifests/haproxy.yaml' and the 'promenade/schemas/Genesis.yaml' schema was updated to include the run_as_user property for the haproxy pod. Change-Id: Id248face0be43c417284ceb781997634a9c4dd5e
This commit is contained in:
parent
bfd9b79591
commit
19169bb458
|
@ -114,6 +114,7 @@ install_config() {
|
||||||
echo HAProxy config file unchanged.
|
echo HAProxy config file unchanged.
|
||||||
fi
|
fi
|
||||||
chmod -R go-rwx $(dirname "$HAPROXY_CONF")
|
chmod -R go-rwx $(dirname "$HAPROXY_CONF")
|
||||||
|
chown -R $RUNASUSER:$RUNASUSER $(dirname "$HAPROXY_CONF")
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
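Review bot: The new `chown -R $RUNASUSER:$RUNASUSER $(dirname "$HAPROXY_CONF")` leaves both `$RUNASUSER` and the `dirname` result unquoted, and if `RUNASUSER` is unset in the environment the command degrades to `chown -R : <dir>`, which either silently changes nothing or errors depending on the chown implementation. Quote both expansions and fail fast on a missing value: `chown -R "${RUNASUSER:?RUNASUSER must be set}:${RUNASUSER}" "$(dirname "$HAPROXY_CONF")"`. The `chmod -R go-rwx` on the line above already restricts the same directory, so the ordering is fine. The enclosing `install_config()` starts outside the hunk.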
@ -0,0 +1,24 @@
|
||||||
|
#!/bin/sh
|
||||||
|
{{/*
|
||||||
|
Copyright 2019 AT&T Intellectual Property. All other rights reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- $envAll := . }}
|
||||||
|
|
||||||
|
set -x
|
||||||
|
|
||||||
|
RUNASUSER={{ .Values.pod.security_context.haproxy.pod.runAsUser }}
|
||||||
|
chown -R $RUNASUSER:$RUNASUSER $(dirname /host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg)
|
||||||
|
chmod -R go-rwx $(dirname /host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg)
|
|
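Review bot: The `chown -R` and `chmod -R` targets are built from an unquoted, unvalidated template value, and this script runs as root with the host filesystem mounted at `/host`; if `.Values.conf.haproxy.host_config_dir` renders empty, `dirname /host/haproxy.cfg` is `/host` and the recursion covers the whole host. The script also sets `set -x` but not `set -e`, so a failed `chown` does not fail the init container and the pod proceeds with the old ownership. Compute the target once, quote it, refuse the `/host` root, and enable `set -e`, as below. `{{- $envAll := . }}` is assigned but never referenced in this file and can be dropped.
```shell
# … unchanged: license header …

set -ex

RUNASUSER={{ .Values.pod.security_context.haproxy.pod.runAsUser }}
TARGET="$(dirname "/host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg")"

# Never recurse over the whole host filesystem if the templated dir is empty or "/".
case "$TARGET" in
  /host|/host/|/) echo "refusing to change ownership of $TARGET" >&2; exit 1 ;;
esac

chown -R "$RUNASUSER:$RUNASUSER" "$TARGET"
chmod -R go-rwx "$TARGET"
```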
@ -23,3 +23,5 @@ data:
|
||||||
{{ tuple "bin/_anchor.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_anchor.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
pre_stop.sh: |
|
pre_stop.sh: |
|
||||||
{{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
perms_update.sh: |
|
||||||
|
{{ tuple "bin/_perms_update.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
|
|
@ -46,6 +46,23 @@ spec:
|
||||||
operator: Exists
|
operator: Exists
|
||||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.haproxy_anchor.timeout }}
|
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.haproxy_anchor.timeout }}
|
||||||
serviceAccountName: haproxy-anchor
|
serviceAccountName: haproxy-anchor
|
||||||
|
initContainers:
|
||||||
|
- name: haproxy-perms
|
||||||
|
image: {{ .Values.images.tags.anchor }}
|
||||||
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
|
{{ dict "envAll" $envAll "application" "haproxy" "container" "haproxy_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.haproxy_anchor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
command:
|
||||||
|
- /tmp/perms_update.sh
|
||||||
|
volumeMounts:
|
||||||
|
- name: pod-tmp
|
||||||
|
mountPath: /tmp
|
||||||
|
- name: haproxy-bin
|
||||||
|
mountPath: /tmp/perms_update.sh
|
||||||
|
subPath: perms_update.sh
|
||||||
|
readOnly: false
|
||||||
|
- name: host
|
||||||
|
mountPath: /host
|
||||||
containers:
|
containers:
|
||||||
- name: anchor
|
- name: anchor
|
||||||
image: {{ .Values.images.tags.anchor }}
|
image: {{ .Values.images.tags.anchor }}
|
||||||
|
@ -66,6 +83,8 @@ spec:
|
||||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||||
- name: KUBE_URL
|
- name: KUBE_URL
|
||||||
value: {{ .Values.conf.anchor.kubernetes_url | quote }}
|
value: {{ .Values.conf.anchor.kubernetes_url | quote }}
|
||||||
|
- name: RUNASUSER
|
||||||
|
value: {{ .Values.pod.security_context.haproxy.pod.runAsUser | quote }}
|
||||||
command:
|
command:
|
||||||
- /tmp/bin/anchor.sh
|
- /tmp/bin/anchor.sh
|
||||||
lifecycle:
|
lifecycle:
|
||||||
|
@ -92,3 +111,5 @@ spec:
|
||||||
- name: host
|
- name: host
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /
|
path: /
|
||||||
|
- name: pod-tmp
|
||||||
|
emptyDir: {}
|
||||||
|
|
|
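Review bot: The `haproxy-perms` init container mounts the existing `host` volume (hostPath `path: /`, context lines in the last hunk) read-write at `/host` while running as root, although `perms_update.sh` only needs the haproxy config directory; a dedicated hostPath volume for `{{ .Values.conf.haproxy.host_config_dir }}` mounted at the matching `/host...` path would limit what a bug in that script can modify. The script mount is declared `readOnly: false` but the container only executes it; change it to `readOnly: true`. The `pod-tmp` emptyDir added in the third hunk is only consumed by this init container, which is worth a one-line comment above `- name: pod-tmp` so it is not mistaken for dead config.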
@ -52,6 +52,7 @@ spec:
|
||||||
cat "$HAPROXY_CONF"
|
cat "$HAPROXY_CONF"
|
||||||
echo
|
echo
|
||||||
cp "$HAPROXY_CONF" "$LIVE_HAPROXY_CONF"
|
cp "$HAPROXY_CONF" "$LIVE_HAPROXY_CONF"
|
||||||
|
chmod 700 $LIVE_HAPROXY_CONF
|
||||||
|
|
||||||
# NOTE(mark-burnett): sleep for clearer log output
|
# NOTE(mark-burnett): sleep for clearer log output
|
||||||
sleep 1
|
sleep 1
|
||||||
|
@ -97,3 +98,4 @@ spec:
|
||||||
- name: etc
|
- name: etc
|
||||||
hostPath:
|
hostPath:
|
||||||
path: {{ .Values.conf.haproxy.host_config_dir }}
|
path: {{ .Values.conf.haproxy.host_config_dir }}
|
||||||
|
{{ dict "envAll" $envAll "application" "haproxy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||||
|
|
|
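Review bot: `chmod 700 $LIVE_HAPROXY_CONF` grants the execute bit to a configuration file and leaves the variable unquoted, unlike the `cp "$HAPROXY_CONF" "$LIVE_HAPROXY_CONF"` directly above it; `chmod 600 "$LIVE_HAPROXY_CONF"` matches the `go-rwx` intent used elsewhere in this change. The enclosing script block starts and ends outside the hunk. The pod security context line in the second hunk references `$envAll`, which must be defined earlier in this template; that definition is not visible here.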
@ -86,6 +86,12 @@ pod:
|
||||||
runAsUser: 0
|
runAsUser: 0
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
haproxy:
|
||||||
|
pod:
|
||||||
|
runAsUser: 65534
|
||||||
|
container:
|
||||||
|
haproxy_perms:
|
||||||
|
runAsUser: 0
|
||||||
lifecycle:
|
lifecycle:
|
||||||
upgrades:
|
upgrades:
|
||||||
daemonsets:
|
daemonsets:
|
||||||
|
|
|
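Review bot: The new `haproxy_perms` container block sets only `runAsUser: 0`, while the neighbouring container block in the context lines pairs `runAsUser: 0` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; the init container only writes under `/host` and `/tmp` (an emptyDir), so add `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` under `haproxy_perms:` for consistency. A comment above `haproxy:` such as `# 65534 is the nobody user; haproxy_perms stays root only to chown the host config dir` would document why the pod and the init container differ.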
@ -44,6 +44,8 @@ data:
|
||||||
- kubernetes-scheduler=enabled
|
- kubernetes-scheduler=enabled
|
||||||
- promenade-genesis=enabled
|
- promenade-genesis=enabled
|
||||||
- ucp-control-plane=enabled
|
- ucp-control-plane=enabled
|
||||||
|
haproxy:
|
||||||
|
run_as_user: 65534
|
||||||
images:
|
images:
|
||||||
armada: quay.io/airshipit/armada:master-ubuntu_xenial
|
armada: quay.io/airshipit/armada:master-ubuntu_xenial
|
||||||
helm:
|
helm:
|
||||||
|
|
|
@ -30,6 +30,8 @@ data:
|
||||||
- kubernetes-scheduler=enabled
|
- kubernetes-scheduler=enabled
|
||||||
- promenade-genesis=enabled
|
- promenade-genesis=enabled
|
||||||
- ucp-control-plane=enabled
|
- ucp-control-plane=enabled
|
||||||
|
haproxy:
|
||||||
|
run_as_user: 65534
|
||||||
images:
|
images:
|
||||||
armada: quay.io/airshipit/armada:master-ubuntu_xenial
|
armada: quay.io/airshipit/armada:master-ubuntu_xenial
|
||||||
helm:
|
helm:
|
||||||
|
|
|
@ -44,6 +44,8 @@ data:
|
||||||
- kubernetes-scheduler=enabled
|
- kubernetes-scheduler=enabled
|
||||||
- promenade-genesis=enabled
|
- promenade-genesis=enabled
|
||||||
- ucp-control-plane=enabled
|
- ucp-control-plane=enabled
|
||||||
|
haproxy:
|
||||||
|
run_as_user: 65534
|
||||||
images:
|
images:
|
||||||
armada: quay.io/airshipit/armada:master-ubuntu_xenial
|
armada: quay.io/airshipit/armada:master-ubuntu_xenial
|
||||||
helm:
|
helm:
|
||||||
|
|
|
@ -121,6 +121,13 @@ data:
|
||||||
items:
|
items:
|
||||||
$ref: '#/definitions/file'
|
$ref: '#/definitions/file'
|
||||||
|
|
||||||
|
haproxy:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
run_as_user:
|
||||||
|
type: integer
|
||||||
|
additionalProperties: false
|
||||||
|
|
||||||
hostname:
|
hostname:
|
||||||
$ref: '#/definitions/hostname'
|
$ref: '#/definitions/hostname'
|
||||||
|
|
||||||
|
|
|
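Review bot: `run_as_user` is declared `type: integer` with no bounds, so a negative value passes schema validation and is rendered unchanged into `runAsUser` by the manifest template; add `minimum: 0` under `type: integer`. The manifest template's fallback is the string `'65534'` while the schema requires an integer — harmless when rendered, but the two should agree. A `description:` on the property stating that this is the UID the haproxy pod runs as would help readers of the schema.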
@ -37,3 +37,5 @@ spec:
|
||||||
- name: etc
|
- name: etc
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /etc/promenade/haproxy
|
path: /etc/promenade/haproxy
|
||||||
|
securityContext:
|
||||||
|
runAsUser: {{ config.get_path('Genesis:haproxy.run_as_user', '65534') }}
|
||||||
|
|
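Review bot: The fallback passed to `config.get_path` is the string `'65534'`, whereas `Genesis.yaml` types `run_as_user` as an integer; Jinja renders both as the bare token `65534`, so the output is correct, but passing `65534` as an integer keeps the template aligned with the schema, assuming `get_path` returns the default unchanged. A comment above the block, `# haproxy runs as the nobody user unless overridden by Genesis:haproxy.run_as_user`, would make the default discoverable. The enclosing `spec:` mapping starts outside the hunk.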