From 5a57c6d39bf69e64915bc7a3a4fe67e519f9c1f6 Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Tue, 22 Oct 2024 09:30:26 +0200 Subject: [PATCH] Run dnsmasq not as privileged user Jira: OSPRH-10853 Signed-off-by: Martin Schuppert --- controllers/network/dnsmasq_controller.go | 12 ++++++++---- pkg/dnsmasq/const.go | 2 ++ pkg/dnsmasq/deployment.go | 20 ++++++++++++++------ pkg/dnsmasq/volumes.go | 6 +++--- tests/functional/dnsmasq_controller_test.go | 4 ++-- 5 files changed, 29 insertions(+), 15 deletions(-) diff --git a/controllers/network/dnsmasq_controller.go b/controllers/network/dnsmasq_controller.go index 0eb71c3d..9d1360ce 100644 --- a/controllers/network/dnsmasq_controller.go +++ b/controllers/network/dnsmasq_controller.go @@ -25,6 +25,7 @@ import ( k8s_errors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/client-go/kubernetes" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/builder" @@ -375,10 +376,13 @@ func (r *DNSMasqReconciler) reconcileNormal(ctx context.Context, instance *netwo Namespace: instance.Namespace, Labels: serviceLabels, Selector: serviceLabels, - Port: service.GenericServicePort{ - Name: dnsmasq.ServiceName, - Port: dnsmasq.DNSPort, - Protocol: corev1.ProtocolUDP, + Ports: []corev1.ServicePort{ + { + Name: dnsmasq.ServiceName, + Protocol: corev1.ProtocolUDP, + Port: dnsmasq.DNSPort, + TargetPort: intstr.IntOrString{Type: intstr.Int, IntVal: dnsmasq.DNSTargetPort}, + }, }, }), 5, diff --git a/pkg/dnsmasq/const.go b/pkg/dnsmasq/const.go index 0d78a574..ef2b1ce3 100644 --- a/pkg/dnsmasq/const.go +++ b/pkg/dnsmasq/const.go @@ -21,4 +21,6 @@ const ( // DNSPort - DNSPort int32 = 53 + // DNSTargetPort - port used the service is listening on in the pod + DNSTargetPort int32 = 5353 ) diff --git a/pkg/dnsmasq/deployment.go b/pkg/dnsmasq/deployment.go index 46cd7f26..78e44cda 100644 --- a/pkg/dnsmasq/deployment.go +++ b/pkg/dnsmasq/deployment.go @@ -30,6 +30,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" ) const ( @@ -45,7 +46,6 @@ func Deployment( annotations map[string]string, cms *corev1.ConfigMapList, ) *appsv1.Deployment { - runAsUser := int64(0) terminationGracePeriodSeconds := int64(10) livenessProbe := &corev1.Probe{ @@ -73,7 +73,7 @@ func Deployment( dnsmasqCmd = append(dnsmasqCmd, "--log-debug") dnsmasqCmd = append(dnsmasqCmd, "--bind-interfaces") dnsmasqCmd = append(dnsmasqCmd, "--listen-address=$(POD_IP)") - dnsmasqCmd = append(dnsmasqCmd, "--port "+strconv.Itoa(int(DNSPort))) + dnsmasqCmd = append(dnsmasqCmd, "--port "+strconv.Itoa(int(DNSTargetPort))) // log to stdout dnsmasqCmd = append(dnsmasqCmd, "--log-facility=-") // dns @@ -94,10 +94,10 @@ func Deployment( // https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ // livenessProbe.TCPSocket = &corev1.TCPSocketAction{ - Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(DNSPort)}, + Port: intstr.IntOrString{Type: intstr.Int, IntVal: DNSTargetPort}, } readinessProbe.TCPSocket = &corev1.TCPSocketAction{ - Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(DNSPort)}, + Port: intstr.IntOrString{Type: intstr.Int, IntVal: DNSTargetPort}, } envVars := map[string]env.Setter{} @@ -129,7 +129,11 @@ func Deployment( Args: initArgs, Image: instance.Spec.ContainerImage, SecurityContext: &corev1.SecurityContext{ - RunAsUser: &runAsUser, + RunAsNonRoot: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), VolumeMounts: getVolumeMounts(instance.Name, cms), @@ -142,7 +146,11 @@ func Deployment( Args: args, Image: instance.Spec.ContainerImage, SecurityContext: &corev1.SecurityContext{ - RunAsUser: &runAsUser, + RunAsNonRoot: ptr.To(true), + AllowPrivilegeEscalation: ptr.To(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), VolumeMounts: getVolumeMounts(instance.Name, cms), diff --git a/pkg/dnsmasq/volumes.go b/pkg/dnsmasq/volumes.go index dbd9ded1..b6652318 100644 --- a/pkg/dnsmasq/volumes.go +++ b/pkg/dnsmasq/volumes.go @@ -24,14 +24,14 @@ func getVolumes( name string, cms *corev1.ConfigMapList, ) []corev1.Volume { - var config0640AccessMode int32 = 0640 + var config0644AccessMode int32 = 0644 volumes := []corev1.Volume{ { Name: "config", VolumeSource: corev1.VolumeSource{ ConfigMap: &corev1.ConfigMapVolumeSource{ - DefaultMode: &config0640AccessMode, + DefaultMode: &config0644AccessMode, LocalObjectReference: corev1.LocalObjectReference{ Name: name, }, @@ -45,7 +45,7 @@ func getVolumes( Name: cm.Name, VolumeSource: corev1.VolumeSource{ ConfigMap: &corev1.ConfigMapVolumeSource{ - DefaultMode: &config0640AccessMode, + DefaultMode: &config0644AccessMode, LocalObjectReference: corev1.LocalObjectReference{ Name: cm.Name, }, diff --git a/tests/functional/dnsmasq_controller_test.go b/tests/functional/dnsmasq_controller_test.go index e248353d..3bd905db 100644 --- a/tests/functional/dnsmasq_controller_test.go +++ b/tests/functional/dnsmasq_controller_test.go @@ -184,8 +184,8 @@ var _ = Describe("DNSMasq controller", func() { g.Expect(container.VolumeMounts).To(HaveLen(3)) g.Expect(container.Image).To(Equal(containerImage)) - g.Expect(container.LivenessProbe.TCPSocket.Port.IntVal).To(Equal(int32(53))) - g.Expect(container.ReadinessProbe.TCPSocket.Port.IntVal).To(Equal(int32(53))) + g.Expect(container.LivenessProbe.TCPSocket.Port.IntVal).To(Equal(int32(5353))) + g.Expect(container.ReadinessProbe.TCPSocket.Port.IntVal).To(Equal(int32(5353))) }, timeout, interval).Should(Succeed()) })