Do not run nova services as root

Implements: https://issues.redhat.com/browse/OSPRH-1374
openstack-k8s-operators · Nov 20, 2023 · e8666bd · e8666bd
1 parent 6cb8656
commit e8666bd
Show file tree

Hide file tree

Showing 10 changed files with 23 additions and 29 deletions.
diff --git a/pkg/nova/cellmapping.go b/pkg/nova/cellmapping.go
@@ -4,6 +4,7 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 
 	common "github.com/openstack-k8s-operators/lib-common/modules/common"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
@@ -22,8 +23,6 @@ func CellMappingJob(
 	inputHash string,
 	labels map[string]string,
 ) *batchv1.Job {
-	runAsUser := int64(0)
-
 	args := []string{"-c"}
 	if cell.Spec.Debug.StopJob {
 		args = append(args, common.DebugCommand)
@@ -69,7 +68,7 @@ func CellMappingJob(
 							Args:  args,
 							Image: cell.Spec.ConductorServiceTemplate.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(NovaUserID),
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{

diff --git a/pkg/nova/common.go b/pkg/nova/common.go
@@ -30,6 +30,9 @@ const (
 	// NovaCell0DatabaseName - the name of the DB to store the cell schema for
 	// cell0
 	NovaCell0DatabaseName = "nova_cell0"
+	// NovaUserID is the linux user ID used by Kolla for the nova user
+	// in the service containers
+	NovaUserID int64 = 42436
 )
 
 // GetScriptSecretName returns the name of the Secret used for the

diff --git a/pkg/nova/host_discovery.go b/pkg/nova/host_discovery.go
@@ -22,6 +22,7 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -35,8 +36,6 @@ func HostDiscoveryJob(
 	inputHash string,
 	labels map[string]string,
 ) *batchv1.Job {
-	runAsUser := int64(0)
-
 	args := []string{"-c"}
 	if instance.Spec.Debug.StopJob {
 		args = append(args, common.DebugCommand)
@@ -81,7 +80,7 @@ func HostDiscoveryJob(
 							Args:  args,
 							Image: instance.Spec.ConductorServiceTemplate.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(NovaUserID),
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{

diff --git a/pkg/novaapi/deployment.go b/pkg/novaapi/deployment.go
@@ -27,6 +27,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-api service
@@ -36,8 +37,6 @@ func StatefulSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
-	runAsUser := int64(0)
-
 	// This allows the pod to start up slowly. The pod will only be killed
 	// if it does not succeed a probe in 60 seconds.
 	startupProbe := &corev1.Probe{
@@ -135,7 +134,7 @@ func StatefulSet(
 							Args:  []string{"-c", "tail -n+1 -F /var/log/nova/nova-api.log"},
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(nova.NovaUserID),
 							},
 							Env:            env,
 							VolumeMounts:   []corev1.VolumeMount{nova.GetLogVolumeMount()},
@@ -152,7 +151,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(nova.NovaUserID),
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{

diff --git a/pkg/novacompute/deployment.go b/pkg/novacompute/deployment.go
@@ -26,6 +26,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-compute service
@@ -35,8 +36,6 @@ func StatefulSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
-	runAsUser := int64(0)
-
 	// After the first successful startupProbe, livenessProbe takes over
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
@@ -122,7 +121,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(nova.NovaUserID),
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{

diff --git a/pkg/novaconductor/dbsync.go b/pkg/novaconductor/dbsync.go
@@ -26,6 +26,7 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -39,8 +40,6 @@ func CellDBSyncJob(
 	labels map[string]string,
 	annotations map[string]string,
 ) *batchv1.Job {
-	runAsUser := int64(0)
-
 	args := []string{"-c"}
 	if instance.Spec.Debug.StopJob {
 		args = append(args, common.DebugCommand)
@@ -81,7 +80,7 @@ func CellDBSyncJob(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(nova.NovaUserID),
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{

diff --git a/pkg/novaconductor/deployment.go b/pkg/novaconductor/deployment.go
@@ -26,6 +26,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-api service
@@ -35,8 +36,6 @@ func StatefulSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
-	runAsUser := int64(0)
-
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
 		TimeoutSeconds:      5,
@@ -128,7 +127,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(nova.NovaUserID),
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{

diff --git a/pkg/novametadata/deployment.go b/pkg/novametadata/deployment.go
@@ -27,6 +27,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-metadata service
@@ -36,8 +37,6 @@ func StatefulSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
-	runAsUser := int64(0)
-
 	// This allows the pod to start up slowly. The pod will only be killed
 	// if it does not succeed a probe in 60 seconds.
 	startupProbe := &corev1.Probe{
@@ -135,7 +134,7 @@ func StatefulSet(
 							Args:  []string{"-c", "tail -n+1 -F /var/log/nova/nova-metadata.log"},
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(nova.NovaUserID),
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{
@@ -154,7 +153,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(nova.NovaUserID),
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{

diff --git a/pkg/novascheduler/deployment.go b/pkg/novascheduler/deployment.go
@@ -26,6 +26,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-scheduler service
@@ -35,8 +36,6 @@ func StatefulSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
-	runAsUser := int64(0)
-
 	// This allows the pod to start up slowly. The pod will only be killed
 	// if it does not succeed a probe in 60 seconds.
 	startupProbe := &corev1.Probe{
@@ -137,7 +136,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(nova.NovaUserID),
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{

diff --git a/pkg/novncproxy/deployment.go b/pkg/novncproxy/deployment.go
@@ -27,6 +27,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-novanovncproxy service
@@ -36,8 +37,6 @@ func StatefulSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
-	runAsUser := int64(0)
-
 	// This allows the pod to start up slowly. The pod will only be killed
 	// if it does not succeed a probe in 60 seconds.
 	startupProbe := &corev1.Probe{
@@ -135,7 +134,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: ptr.To(nova.NovaUserID),
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{