Skip to content

Commit

Permalink
Run containers as non-root w/o escalation privs
Browse files Browse the repository at this point in the history
Co-authored-by: Jacob Floyd <[email protected]>
  • Loading branch information
jk464 and cognifloyd committed May 8, 2024
1 parent 80f80b4 commit 6e31f0b
Show file tree
Hide file tree
Showing 6 changed files with 74 additions and 20 deletions.
18 changes: 18 additions & 0 deletions templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -422,3 +422,21 @@ Create the custom env list for each deployment
value: {{ $value | quote }}
{{- end }}
{{- end -}}

{{/*
Define st2web ports
*/}}
{{- define "stackstorm-ha.st2web.http_port" -}}
{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
8080
{{- else -}}
80
{{- end -}}
{{- end -}}
{{- define "stackstorm-ha.st2web.https_port" -}}
{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
8443
{{- else -}}
443
{{- end -}}
{{- end -}}
14 changes: 10 additions & 4 deletions templates/deployments.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -439,13 +439,15 @@ spec:
securityContext: {{- toYaml . | nindent 10 }}
{{- end }}
ports:
- containerPort: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
{{- $https_port := include "stackstorm-ha.st2web.https_port" . }}
{{- $http_port := include "stackstorm-ha.st2web.http_port" . }}
- containerPort: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary $https_port $http_port }}
# Probe to check if app is running. Failure will lead to a pod restart.
livenessProbe:
httpGet:
scheme: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary "HTTPS" "HTTP" }}
path: /
port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary $https_port $http_port }}
initialDelaySeconds: 1
# Probe to check if app is ready to serve traffic. Failure will lead to temp stop serving traffic.
# TODO: Failing to add readinessProbe, since st2 requires authorization (401) and we don't have `/healthz` endpoints yet (https://github.com/StackStorm/st2/issues/4020)
Expand Down Expand Up @@ -1644,13 +1646,17 @@ spec:
{{- end }}
volumeMounts:
- name: st2client-config-vol
{{- if eq .Values.st2.system_user.user "root" }}
mountPath: /root/.st2/
{{- else }}
mountPath: /home/{{ .Values.st2.system_user.user }}/.st2/
{{- end }}
# `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
command:
- 'sh'
- '-ec'
- |
cat <<EOT > /root/.st2/config
cat <<EOT > /home/stanley/.st2/config
{{- tpl .Values.st2client.st2clientConfig . | nindent 12 }}
EOT
containers:
Expand Down Expand Up @@ -1683,7 +1689,7 @@ spec:
{{- end }}
{{- include "stackstorm-ha.overrides-config-mounts" . | nindent 8 }}
- name: st2client-config-vol
mountPath: /root/.st2/
mountPath: /home/stanley/.st2/
- name: st2-ssh-key-vol
mountPath: {{ tpl .Values.st2.system_user.ssh_key_file . | dir | dir }}/.ssh-key-vol/
{{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
Expand Down
18 changes: 9 additions & 9 deletions templates/jobs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -164,13 +164,13 @@ spec:
{{- end }}
volumeMounts:
- name: st2client-config-vol
mountPath: /root/.st2/
mountPath: /home/stanley/.st2/
# `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
command:
- 'sh'
- '-ec'
- |
cat <<EOT > /root/.st2/config
cat <<EOT > /home/stanley/.st2/config
{{- tpl .Values.jobs.st2clientConfig . | nindent 12 }}
EOT
containers:
Expand All @@ -197,7 +197,7 @@ spec:
{{- end }}
volumeMounts:
- name: st2client-config-vol
mountPath: /root/.st2/
mountPath: /home/stanley/.st2/
- name: st2-apikeys-vol
mountPath: /etc/st2/apikeys.yaml
subPath: apikeys.yaml
Expand Down Expand Up @@ -290,13 +290,13 @@ spec:
{{- end }}
volumeMounts:
- name: st2client-config-vol
mountPath: /root/.st2/
mountPath: /home/stanley/.st2/
# `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
command:
- 'sh'
- '-ec'
- |
cat <<EOT > /root/.st2/config
cat <<EOT > /home/stanley/.st2/config
{{- tpl .Values.jobs.st2clientConfig . | nindent 12 }}
EOT
containers:
Expand Down Expand Up @@ -325,7 +325,7 @@ spec:
volumeMounts:
{{- include "stackstorm-ha.st2-config-volume-mounts" . | nindent 8 }}
- name: st2client-config-vol
mountPath: /root/.st2/
mountPath: /home/stanley/.st2/
- name: st2-kv-vol
mountPath: /etc/st2/st2kv.yaml
subPath: st2kv.yaml
Expand Down Expand Up @@ -660,13 +660,13 @@ spec:
{{- end }}
volumeMounts:
- name: st2client-config-vol
mountPath: /root/.st2/
mountPath: /home/stanley/.st2/
# `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
command:
- 'sh'
- '-ec'
- |
cat <<EOT > /root/.st2/config
cat <<EOT > /home/stanley/.st2/config
{{- tpl $.Values.jobs.st2clientConfig $ | nindent 12 }}
EOT
containers:
Expand All @@ -692,7 +692,7 @@ spec:
{{- end }}
volumeMounts:
- name: st2client-config-vol
mountPath: /root/.st2/
mountPath: /home/stanley/.st2/
{{- include "stackstorm-ha.overrides-config-mounts" $ | nindent 8 }}
{{- include "stackstorm-ha.st2-config-volume-mounts" $ | nindent 8 }}
{{- include "stackstorm-ha.packs-volume-mounts-for-register-job" $ | nindent 8 }}
Expand Down
4 changes: 3 additions & 1 deletion templates/services.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -99,8 +99,10 @@ spec:
{{- end }}
{{- end }}
ports:
{{- $https_port := include "stackstorm-ha.st2web.https_port" . }}
{{- $http_port := include "stackstorm-ha.st2web.http_port" . }}
- protocol: TCP
port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary $https_port $http_port }}

{{ if .Values.st2chatops.enabled -}}
---
Expand Down
4 changes: 2 additions & 2 deletions tests/unit/ingress_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ tests:
servicePort: 80
- path: /fancy-sensor
serviceName: fancy-sensor
servicePort: 8080
servicePort: {{ template ".stackstorm-ha.st2web.http_port" . }}
tls: []
st2web:
service:
Expand Down Expand Up @@ -105,4 +105,4 @@ tests:
service:
name: fancy-sensor
port:
number: 8080
number: {{ template ".stackstorm-ha.st2web.http_port" . }}
36 changes: 32 additions & 4 deletions values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -300,8 +300,11 @@ st2:
## Default SecurityContext for pods and containers.
## Overrides available for st2web, st2actionrunner, st2sensorcontainer, st2client pods, and custom packs images.
##
podSecurityContext: {}
securityContext: {}
podSecurityContext:
runAsNonRoot: true
securityContext:
runAsUser: 1000
allowPrivilegeEscalation: false

##
## StackStorm HA Ingress
Expand Down Expand Up @@ -377,7 +380,10 @@ st2web:
attach: false
# override the default .podSecurityContext or .securityContext here
podSecurityContext: {}
securityContext: {} # NB: nginx requires some capabilities, drop ALL will cause issues.
securityContext: # NB: nginx requires some capabilities, drop ALL will cause issues.
runAsUser: 999 # run as nginx user
runAsGroup: 999 # run as nginx group
allowPrivilegeEscalation: false
# mount extra volumes on the st2web pod(s) (primarily useful for k8s-provisioned secrets)
## Note that Helm templating is supported in 'mount' and 'volume'
extra_volumes: []
Expand Down Expand Up @@ -1050,6 +1056,15 @@ mongodb:
arbiter:
enabled: false
resources: {}
podSecurityContext:
enabled: true
fsGroup: 1001
sysctls: []
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false

##
## RabbitMQ configuration (3rd party chart dependency)
Expand Down Expand Up @@ -1097,7 +1112,12 @@ rabbitmq:
# As RabbitMQ enabled prometheus operator monitoring by default, disable it for non-prometheus users
metrics:
enabled: false

podSecurityContext:
fsGroup: 1001
runAsUser: 1001
runAsNonRoot: true
containerSecurityContext:
allowPrivilegeEscalation: false
##
## Redis HA configuration (3rd party chart dependency)
##
Expand Down Expand Up @@ -1133,6 +1153,14 @@ redis:
usePassword: false
metrics:
enabled: false
securityContext:
enabled: true
fsGroup: 1001
runAsNonRoot: true
containerSecurityContext:
enabled: true
runAsUser: 1001
allowPrivilegeEscalation: false

##
## Settings to be applied to all stackstorm-ha pods
Expand Down

0 comments on commit 6e31f0b

Please sign in to comment.