Merge pull request #293 from stuggi/dns_not_as_root

Run dnsmasq not as privileged user
openstack-k8s-operators · Oct 23, 2024 · 1aded24 · 1aded24
2 parents 58f5b2c + 5a57c6d
commit 1aded24
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 15 deletions.
diff --git a/controllers/network/dnsmasq_controller.go b/controllers/network/dnsmasq_controller.go
@@ -25,6 +25,7 @@ import (
 
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -375,10 +376,13 @@ func (r *DNSMasqReconciler) reconcileNormal(ctx context.Context, instance *netwo
 			Namespace: instance.Namespace,
 			Labels:    serviceLabels,
 			Selector:  serviceLabels,
-			Port: service.GenericServicePort{
-				Name:     dnsmasq.ServiceName,
-				Port:     dnsmasq.DNSPort,
-				Protocol: corev1.ProtocolUDP,
+			Ports: []corev1.ServicePort{
+				{
+					Name:       dnsmasq.ServiceName,
+					Protocol:   corev1.ProtocolUDP,
+					Port:       dnsmasq.DNSPort,
+					TargetPort: intstr.IntOrString{Type: intstr.Int, IntVal: dnsmasq.DNSTargetPort},
+				},
 			},
 		}),
 		5,

diff --git a/pkg/dnsmasq/const.go b/pkg/dnsmasq/const.go
@@ -21,4 +21,6 @@ const (
 
 	// DNSPort -
 	DNSPort int32 = 53
+	// DNSTargetPort - port used the service is listening on in the pod
+	DNSTargetPort int32 = 5353
 )
diff --git a/pkg/dnsmasq/deployment.go b/pkg/dnsmasq/deployment.go
@@ -30,6 +30,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -45,7 +46,6 @@ func Deployment(
 	annotations map[string]string,
 	cms *corev1.ConfigMapList,
 ) *appsv1.Deployment {
-	runAsUser := int64(0)
 	terminationGracePeriodSeconds := int64(10)
 
 	livenessProbe := &corev1.Probe{
@@ -73,7 +73,7 @@ func Deployment(
 	dnsmasqCmd = append(dnsmasqCmd, "--log-debug")
 	dnsmasqCmd = append(dnsmasqCmd, "--bind-interfaces")
 	dnsmasqCmd = append(dnsmasqCmd, "--listen-address=$(POD_IP)")
-	dnsmasqCmd = append(dnsmasqCmd, "--port "+strconv.Itoa(int(DNSPort)))
+	dnsmasqCmd = append(dnsmasqCmd, "--port "+strconv.Itoa(int(DNSTargetPort)))
 	// log to stdout
 	dnsmasqCmd = append(dnsmasqCmd, "--log-facility=-")
 	// dns
@@ -94,10 +94,10 @@ func Deployment(
 	// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
 	//
 	livenessProbe.TCPSocket = &corev1.TCPSocketAction{
-		Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(DNSPort)},
+		Port: intstr.IntOrString{Type: intstr.Int, IntVal: DNSTargetPort},
 	}
 	readinessProbe.TCPSocket = &corev1.TCPSocketAction{
-		Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(DNSPort)},
+		Port: intstr.IntOrString{Type: intstr.Int, IntVal: DNSTargetPort},
 	}
 
 	envVars := map[string]env.Setter{}
@@ -129,7 +129,11 @@ func Deployment(
 							Args:    initArgs,
 							Image:   instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsNonRoot:             ptr.To(true),
+								AllowPrivilegeEscalation: ptr.To(false),
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: corev1.SeccompProfileTypeRuntimeDefault,
+								},
 							},
 							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts: getVolumeMounts(instance.Name, cms),
@@ -142,7 +146,11 @@ func Deployment(
 							Args:    args,
 							Image:   instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsNonRoot:             ptr.To(true),
+								AllowPrivilegeEscalation: ptr.To(false),
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: corev1.SeccompProfileTypeRuntimeDefault,
+								},
 							},
 							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts:   getVolumeMounts(instance.Name, cms),

diff --git a/pkg/dnsmasq/volumes.go b/pkg/dnsmasq/volumes.go
@@ -24,14 +24,14 @@ func getVolumes(
 	name string,
 	cms *corev1.ConfigMapList,
 ) []corev1.Volume {
-	var config0640AccessMode int32 = 0640
+	var config0644AccessMode int32 = 0644
 
 	volumes := []corev1.Volume{
 		{
 			Name: "config",
 			VolumeSource: corev1.VolumeSource{
 				ConfigMap: &corev1.ConfigMapVolumeSource{
-					DefaultMode: &config0640AccessMode,
+					DefaultMode: &config0644AccessMode,
 					LocalObjectReference: corev1.LocalObjectReference{
 						Name: name,
 					},
@@ -45,7 +45,7 @@ func getVolumes(
 			Name: cm.Name,
 			VolumeSource: corev1.VolumeSource{
 				ConfigMap: &corev1.ConfigMapVolumeSource{
-					DefaultMode: &config0640AccessMode,
+					DefaultMode: &config0644AccessMode,
 					LocalObjectReference: corev1.LocalObjectReference{
 						Name: cm.Name,
 					},

diff --git a/tests/functional/dnsmasq_controller_test.go b/tests/functional/dnsmasq_controller_test.go
@@ -184,8 +184,8 @@ var _ = Describe("DNSMasq controller", func() {
 				g.Expect(container.VolumeMounts).To(HaveLen(3))
 				g.Expect(container.Image).To(Equal(containerImage))
 
-				g.Expect(container.LivenessProbe.TCPSocket.Port.IntVal).To(Equal(int32(53)))
-				g.Expect(container.ReadinessProbe.TCPSocket.Port.IntVal).To(Equal(int32(53)))
+				g.Expect(container.LivenessProbe.TCPSocket.Port.IntVal).To(Equal(int32(5353)))
+				g.Expect(container.ReadinessProbe.TCPSocket.Port.IntVal).To(Equal(int32(5353)))
 			}, timeout, interval).Should(Succeed())
 		})