From 36436618cec6f7a1e548f45216356fa3a68f4f03 Mon Sep 17 00:00:00 2001 From: Francesco Pantano Date: Tue, 20 Aug 2024 14:28:28 +0200 Subject: [PATCH] Run GlanceAPI with GlanceUID user When the backend is not Cinder (Cinder still has to be fully tested), GlanceAPI can reduce the permissions required for glance-api container, and run as GlanceUID/GlanceGID. This patch introduces scc for both glanceAPI and Httpd. Signed-off-by: Francesco Pantano --- pkg/glance/funcs.go | 31 ++++++++++++++-- pkg/glanceapi/statefulset.go | 36 +++++++++---------- .../glanceapi/config/glance-api-config.json | 11 ++++-- 3 files changed, 53 insertions(+), 25 deletions(-) diff --git a/pkg/glance/funcs.go b/pkg/glance/funcs.go index b20198ba..3c66b7f5 100644 --- a/pkg/glance/funcs.go +++ b/pkg/glance/funcs.go @@ -41,10 +41,14 @@ func dbSyncSecurityContext() *corev1.SecurityContext { // Pods as root user, and we drop privileges and Capabilities we don't need func BaseSecurityContext() *corev1.SecurityContext { falseVal := true + trueVal := true runAsUser := int64(GlanceUID) + runAsGroup := int64(GlanceGID) return &corev1.SecurityContext{ RunAsUser: &runAsUser, + RunAsGroup: &runAsGroup, + RunAsNonRoot: &trueVal, AllowPrivilegeEscalation: &falseVal, Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{ 
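Review bot: The added `trueVal := true` in BaseSecurityContext sits directly under the pre-existing `falseVal := true`, and that variable is what `AllowPrivilegeEscalation: &falseVal` points at, so the context still allows privilege escalation even though the comment above says privileges are dropped. Now that `RunAsNonRoot: &trueVal` is set alongside it, the two settings contradict each other; the fix is the one-liner `falseVal := false`. The function body continues past the end of the hunk.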
@@ -57,11 +61,34 @@ func BaseSecurityContext() *corev1.SecurityContext { } } +// APISecurityContext - +func APISecurityContext(userID int64, privileged bool) *corev1.SecurityContext { + runAsUser := int64(userID) + trueVal := true + return &corev1.SecurityContext{ + AllowPrivilegeEscalation: &trueVal, + RunAsUser: &runAsUser, + Privileged: &privileged, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + } +} + // HttpdSecurityContext - func HttpdSecurityContext() *corev1.SecurityContext { - - runAsUser := int64(GlanceUID) + runAsUser := int64(0) + falseVal := false return &corev1.SecurityContext{ + AllowPrivilegeEscalation: &falseVal, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, RunAsUser: &runAsUser, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, } } diff --git a/pkg/glanceapi/statefulset.go b/pkg/glanceapi/statefulset.go index 18908116..2147343b 100644 --- a/pkg/glanceapi/statefulset.go +++ b/pkg/glanceapi/statefulset.go @@ -39,7 +39,7 @@ import ( const ( // GlanceAPIServiceCommand - - GlanceAPIServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start" + GlanceAPIServiceCommand = "/usr/local/bin/kolla_start" // GlanceAPIHttpdCommand - GlanceAPIHttpdCommand = "/usr/sbin/httpd -DFOREGROUND" ) @@ -52,10 +52,11 @@ func StatefulSet( annotations map[string]string, privileged bool, ) (*appsv1.StatefulSet, error) { - runAsUser := int64(0) - + userID := glance.GlanceUID + if privileged { + userID = int64(0) + } var config0644AccessMode int32 = 0644 - startupProbe := &corev1.Probe{ FailureThreshold: 6, PeriodSeconds: 10, 
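Review bot: APISecurityContext sets `AllowPrivilegeEscalation: &trueVal` unconditionally, so the non-privileged GlanceUID path the commit introduces still permits escalation and never sets RunAsNonRoot, which is most of the hardening that running as GlanceUID was meant to buy. Tying both to the flag keeps the privileged (root) case valid, since the API requires escalation to be allowed when Privileged is true: `runAsNonRoot := !privileged`, `AllowPrivilegeEscalation: &privileged,`, `RunAsNonRoot: &runAsNonRoot,`. The `int64(userID)` conversion is a no-op because userID is already int64, and both doc comments are empty placeholders; `// APISecurityContext returns the glance-api container SecurityContext; privileged keeps root and the privileged flag for backends that still need them (Cinder, per the commit message).` would say what the parameters mean. HttpdSecurityContext now hard-codes uid 0 while dropping all capabilities, and the commit message does not say why httpd must stay root, so a one-line why-comment there would help the next reviewer.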
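Review bot: GlanceAPIServiceCommand no longer runs `kolla_set_configs`, and nothing in the patch says who applies the source/dest/owner/perm rules in glance-api-config.json instead. Presumably `kolla_start` performs that step itself, which is what allows the container to start as GlanceUID, but that should be confirmed and stated on the constant, e.g. `// GlanceAPIServiceCommand - kolla_start applies glance-api-config.json itself, so the container no longer has to start as root.`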
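Review bot: The new `userID`/`if privileged { userID = int64(0) }` block silently turns the `privileged` parameter into a run-as-root toggle as well, and nothing at the call site or in StatefulSet's doc comment records that coupling. A comment above the block, `// A privileged API (Cinder backend, per the commit message) still has to run as root; every other deployment runs as GlanceUID.`, would make the intent explicit, and a reader can then see that `userID` feeds `glance.APISecurityContext` in the later hunk. Note that `userID := glance.GlanceUID` followed by `userID = int64(0)` only compiles if GlanceUID is declared as int64 rather than an untyped constant; the `int64(GlanceUID)` conversions in funcs.go suggest that may not always have been the case. StatefulSet's body continues well past the end of the hunk.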
@@ -257,16 +258,14 @@ func StatefulSet( "-c", string(GlanceAPIHttpdCommand), }, - Image: instance.Spec.ContainerImage, - SecurityContext: &corev1.SecurityContext{ - RunAsUser: &runAsUser, - }, - Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: httpdVolumeMount, - Resources: instance.Spec.Resources, - StartupProbe: startupProbe, - ReadinessProbe: readinessProbe, - LivenessProbe: livenessProbe, + Image: instance.Spec.ContainerImage, + SecurityContext: glance.HttpdSecurityContext(), + Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), + VolumeMounts: httpdVolumeMount, + Resources: instance.Spec.Resources, + StartupProbe: startupProbe, + ReadinessProbe: readinessProbe, + LivenessProbe: livenessProbe, }, { Name: glance.ServiceName + "-api", @@ -280,12 +279,9 @@ func StatefulSet( "-c", string(GlanceAPIServiceCommand), }, - Image: instance.Spec.ContainerImage, - SecurityContext: &corev1.SecurityContext{ - RunAsUser: &runAsUser, - Privileged: &privileged, - }, - Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), + Image: instance.Spec.ContainerImage, + SecurityContext: glance.APISecurityContext(userID, privileged), + Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), VolumeMounts: append(glance.GetVolumeMounts( instance.Spec.CustomServiceConfigSecrets, privileged, diff --git a/templates/glanceapi/config/glance-api-config.json b/templates/glanceapi/config/glance-api-config.json index 9b6bd608..fc9f1a22 100644 --- a/templates/glanceapi/config/glance-api-config.json +++ b/templates/glanceapi/config/glance-api-config.json 
@@ -4,20 +4,20 @@ { "source": "/var/lib/config-data/default/00-config.conf", "dest": "/etc/glance/glance.conf.d/00-config.conf", - "owner": "glance", + "owner": "glance:glance", "perm": "0600" }, { "source": "/var/lib/config-data/default/02-config.conf", "dest": "/etc/glance/glance.conf.d/02-config.conf", - "owner": "glance", + "owner": "glance:glance", "perm": "0600", "optional": true }, { "source": "/var/lib/config-data/default/03-config.conf", "dest": "/etc/glance/glance.conf.d/03-config.conf", - "owner": "glance", + "owner": "glance:glance", "perm": "0640", "optional": true }, @@ -84,6 +84,11 @@ "path": "/var/log/glance", "owner": "glance:glance", "recurse": true + }, + { + "path": "/etc/glance/glance.conf.d", + "owner": "glance:glance", + "recurse": true } ] }