Merge pull request #1239 from Nordix/tuomo/revert-nonroot-bmo-pr
🐛 Revert "run BMO deployment as non-root"
metal3-io-bot authored Mar 24, 2023
2 parents c496eac + 15991fc commit 6a798be
Showing 5 changed files with 142 additions and 236 deletions.
314 changes: 129 additions & 185 deletions ironic-deployment/base/ironic.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,190 +19,134 @@ spec:
spec:
hostNetwork: true
containers:
- name: ironic-dnsmasq
image: quay.io/metal3-io/ironic
imagePullPolicy: Always
securityContext:
# Must be false so dnsmasq may get the capabilities via file caps
# KEP: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md
# allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
add:
- NET_ADMIN
- NET_BIND_SERVICE
- NET_RAW
privileged: false
runAsUser: 997 # ironic
runAsGroup: 994 # ironic
command:
- /bin/rundnsmasq
livenessProbe:
exec:
command: ["sh", "-c", "ss -lun | grep :67 && ss -lun | grep :69"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
readinessProbe:
exec:
command: ["sh", "-c", "ss -lun | grep :67 && ss -lun | grep :69"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
volumeMounts:
- mountPath: /shared
name: ironic-data-volume
envFrom:
- configMapRef:
name: ironic-bmo-configmap
- name: ironic
image: quay.io/metal3-io/ironic
imagePullPolicy: Always
command:
- /bin/runironic
livenessProbe:
exec:
command: ["sh", "-c", "curl -sSf http://127.0.0.1:6385 || curl -sSfk https://127.0.0.1:6385"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
readinessProbe:
exec:
command: ["sh", "-c", "curl -sSf http://127.0.0.1:6385 || curl -sSfk https://127.0.0.1:6385"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
volumeMounts:
- mountPath: /shared
name: ironic-data-volume
envFrom:
- configMapRef:
name: ironic-bmo-configmap
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsUser: 997 # ironic
runAsGroup: 994 # ironic
- name: ironic-log-watch
image: quay.io/metal3-io/ironic
imagePullPolicy: Always
command:
- /bin/runlogwatch.sh
volumeMounts:
- mountPath: /shared
name: ironic-data-volume
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsUser: 997 # ironic
runAsGroup: 994 # ironic
- name: ironic-inspector
image: quay.io/metal3-io/ironic
imagePullPolicy: Always
readinessProbe:
exec:
command: ["sh", "-c", "curl -sSf http://127.0.0.1:5050 || curl -sSf -k https://127.0.0.1:5050"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
livenessProbe:
exec:
command: ["sh", "-c", "curl -sSf http://127.0.0.1:5050 || curl -sSf -k https://127.0.0.1:5050"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
command:
- /bin/runironic-inspector
envFrom:
- configMapRef:
name: ironic-bmo-configmap
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsUser: 996 # ironic-inspector
runAsGroup: 993 # ironicinspector
- name: ironic-httpd
image: quay.io/metal3-io/ironic
imagePullPolicy: Always
command:
- /bin/runhttpd
livenessProbe:
exec:
command: ["sh", "-c", "curl -sSfk http://127.0.0.1:6180/images"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
readinessProbe:
exec:
command: ["sh", "-c", "curl -sSfk http://127.0.0.1:6180/images"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
volumeMounts:
- mountPath: /shared
name: ironic-data-volume
envFrom:
- configMapRef:
name: ironic-bmo-configmap
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsUser: 997 # ironic
runAsGroup: 994 # ironic
- name: ironic-dnsmasq
image: quay.io/metal3-io/ironic
imagePullPolicy: Always
securityContext:
capabilities:
add: ["NET_ADMIN", "NET_RAW"]
command:
- /bin/rundnsmasq
livenessProbe:
exec:
command: ["sh", "-c", "ss -lun | grep :67 && ss -lun | grep :69"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
readinessProbe:
exec:
command: ["sh", "-c", "ss -lun | grep :67 && ss -lun | grep :69"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
volumeMounts:
- mountPath: /shared
name: ironic-data-volume
envFrom:
- configMapRef:
name: ironic-bmo-configmap
- name: ironic
image: quay.io/metal3-io/ironic
imagePullPolicy: Always
command:
- /bin/runironic
livenessProbe:
exec:
command: ["sh", "-c", "curl -sSf http://127.0.0.1:6385 || curl -sSfk https://127.0.0.1:6385"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
readinessProbe:
exec:
command: ["sh", "-c", "curl -sSf http://127.0.0.1:6385 || curl -sSfk https://127.0.0.1:6385"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
volumeMounts:
- mountPath: /shared
name: ironic-data-volume
envFrom:
- configMapRef:
name: ironic-bmo-configmap
- name: ironic-log-watch
image: quay.io/metal3-io/ironic
imagePullPolicy: Always
command:
- /bin/runlogwatch.sh
volumeMounts:
- mountPath: /shared
name: ironic-data-volume
- name: ironic-inspector
image: quay.io/metal3-io/ironic
imagePullPolicy: Always
readinessProbe:
exec:
command: ["sh", "-c", "curl -sSf http://127.0.0.1:5050 || curl -sSf -k https://127.0.0.1:5050"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
livenessProbe:
exec:
command: ["sh", "-c", "curl -sSf http://127.0.0.1:5050 || curl -sSf -k https://127.0.0.1:5050"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
command:
- /bin/runironic-inspector
envFrom:
- configMapRef:
name: ironic-bmo-configmap
- name: ironic-httpd
image: quay.io/metal3-io/ironic
imagePullPolicy: Always
command:
- /bin/runhttpd
livenessProbe:
exec:
command: ["sh", "-c", "curl -sSfk http://127.0.0.1:6180/images"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
readinessProbe:
exec:
command: ["sh", "-c", "curl -sSfk http://127.0.0.1:6180/images"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 10
volumeMounts:
- mountPath: /shared
name: ironic-data-volume
envFrom:
- configMapRef:
name: ironic-bmo-configmap
initContainers:
- name: ironic-ipa-downloader
image: quay.io/metal3-io/ironic-ipa-downloader
imagePullPolicy: Always
command:
- /usr/local/bin/get-resource.sh
envFrom:
- configMapRef:
name: ironic-bmo-configmap
volumeMounts:
- mountPath: /shared
name: ironic-data-volume
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsUser: 997 # ironic
runAsGroup: 994 # ironic
- name: ironic-ipa-downloader
image: quay.io/metal3-io/ironic-ipa-downloader
imagePullPolicy: Always
command:
- /usr/local/bin/get-resource.sh
envFrom:
- configMapRef:
name: ironic-bmo-configmap
volumeMounts:
- mountPath: /shared
name: ironic-data-volume
volumes:
- name: ironic-data-volume
emptyDir: {}
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
fsGroup: 994
- name: ironic-data-volume
emptyDir: {}
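Review bot: On the new side every container in this pod is left without a `securityContext` (only `ironic-dnsmasq` keeps one, and it now only adds capabilities), and the pod-level `runAsNonRoot: true` / `seccompProfile: RuntimeDefault` block is gone too, although the removed comment ("Must be false so dnsmasq may get the capabilities via file caps") points at the UID/file-capabilities interaction as the breakage, not at seccomp or capability bounding. Because this pod has `hostNetwork: true`, the containers share the node's network namespace, so running them as root with the runtime's default capability set is a larger exposure than in an ordinary pod. I would keep the parts of the hardening that do not depend on the user change: the pod-level `seccompProfile`, and `capabilities: { drop: ["ALL"] }` plus `allowPrivilegeEscalation: false` on `ironic`, `ironic-log-watch`, `ironic-inspector`, `ironic-httpd` and the `ironic-ipa-downloader` init container, none of which add capabilities. For `ironic-dnsmasq`, `add: ["NET_ADMIN", "NET_RAW"]` without a `drop` means default set plus two; if `drop: ["ALL"]` is restored, `NET_BIND_SERVICE` has to be added back for the 67/69 listeners the probes check. If this is deliberately a clean rollback to unblock a release, the commit message should reference the follow-up that re-applies these.
```yaml
      - name: ironic-dnsmasq
        # … unchanged: image, imagePullPolicy …
        securityContext:
          capabilities:
            drop: ["ALL"]
            add: ["NET_ADMIN", "NET_BIND_SERVICE", "NET_RAW"]
          privileged: false
      # … unchanged: ironic, ironic-log-watch, ironic-inspector, ironic-httpd, each with …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          privileged: false
      # … unchanged: initContainers, volumes …
      securityContext:
        seccompProfile:
          type: RuntimeDefault
```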
19 changes: 4 additions & 15 deletions ironic-deployment/components/keepalived/keepalived_patch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,19 +10,8 @@ spec:
- image: quay.io/metal3-io/keepalived
name: ironic-endpoint-keepalived
securityContext:
# Must be false so dnsmasq may get the capabilities via file caps
# KEP: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md
# allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
add:
- NET_ADMIN
- NET_BROADCAST
- NET_RAW
privileged: false
runAsUser: 65532
runAsGroup: 65532
capabilities:
add: ["NET_ADMIN", "NET_RAW"]
envFrom:
- configMapRef:
name: ironic-bmo-configmap
- configMapRef:
name: ironic-bmo-configmap
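Review bot: The new `securityContext` for `ironic-endpoint-keepalived` has `add: ["NET_ADMIN", "NET_RAW"]` with no `drop`, so the container ends up with the runtime's default capability set plus those two, which is more than the removed side granted with `drop: ALL` and an explicit add list. Dropping everything first does not depend on the `runAsUser` change being reverted, so I would keep `capabilities: { drop: ["ALL"], add: ["NET_ADMIN", "NET_BROADCAST", "NET_RAW"] }` and `privileged: false`; the removed side listed `NET_BROADCAST` as well, presumably for VRRP, which should be confirmed before it is dropped from the add list. If the revert has to stay byte-for-byte, a `# TODO: restore drop: ALL when the non-root change is re-applied` comment above `capabilities:` would at least record the regression. The patched container spec continues outside this hunk.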
12 changes: 4 additions & 8 deletions resources/keepalived-docker/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,11 @@ ARG BASE_IMAGE=ubuntu:22.04
FROM $BASE_IMAGE
ARG DEBIAN_FRONTEND=noninteractive

RUN apt-get -y update && \
apt-get -y install keepalived && \
apt-get -y clean

COPY sample.keepalived.conf /etc/keepalived/keepalived.conf
COPY manage-keepalived.sh manage-keepalived.sh
COPY configure-nonroot.sh /

RUN /configure-nonroot.sh && \
rm /configure-nonroot.sh
RUN apt-get -y update && \
apt-get -y install keepalived && \
apt-get -y clean

CMD ["/bin/bash", "manage-keepalived.sh"]
ENTRYPOINT ["/bin/bash", "manage-keepalived.sh"]
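Review bot: With `configure-nonroot.sh` deleted and no `USER` instruction, this image runs keepalived as root by default and nothing in the Dockerfile says so; a comment above `ENTRYPOINT`, e.g. `# Runs as root; the keepalived deployment patch in this repo grants NET_ADMIN/NET_RAW via securityContext`, would make that visible to anyone reusing the image. As printed here the `RUN apt-get …` layer follows the `COPY` lines on the new side, so any edit to `manage-keepalived.sh` or `sample.keepalived.conf` re-runs the package install; placing the `RUN` before the `COPY`s (as on the removed side) preserves the build cache, and appending `rm -rf /var/lib/apt/lists/*` to that `RUN` removes the apt index that `apt-get clean` leaves behind. Both are style points; the `CMD` → `ENTRYPOINT` change is fine for a single-process image.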
20 changes: 0 additions & 20 deletions resources/keepalived-docker/configure-nonroot.sh

This file was deleted.
