Fix acl permissions (#687)

- while creating ACLs in the initContainer in the daemonset, change the default user and group of the otel image to 999 (this is because splunk-otel-collector has uid of 999) - add post delete hook which deletes ACLs set for directories used by agent, gateway and clusterReceiver while those pods run as non-root users --------- Co-authored-by: omrozowicz-splunk <[email protected]>
signalfx · Mar 8, 2023 · 45222e0 · 45222e0
1 parent d1d49e6
commit 45222e0
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 7 deletions.
diff --git a/helm-charts/splunk-otel-collector/templates/daemonset.yaml b/helm-charts/splunk-otel-collector/templates/daemonset.yaml
@@ -135,26 +135,26 @@ spec:
           imagePullPolicy: {{ .Values.image.initPatchLogDirs.pullPolicy }}
           command: ['sh', '-c', '
           mkdir -p {{ .Values.logsCollection.checkpointPath }};
-          chown -Rv {{ $agent.securityContext.runAsUser | default 20000 }}:{{ $agent.securityContext.runAsGroup | default 20000 }} {{ .Values.logsCollection.checkpointPath }};
+          chown -Rv {{ $agent.securityContext.runAsUser | default 999 }}:{{ $agent.securityContext.runAsGroup | default 999 }} {{ .Values.logsCollection.checkpointPath }};
           chmod -v g+rwxs {{ .Values.logsCollection.checkpointPath }};
           {{ if .Values.logsCollection.containers.enabled -}}
           if [ -d "/var/lib/docker/containers" ];
           then
-              setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx /var/lib/docker/containers;
+              setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx /var/lib/docker/containers;
           fi;
           if [ -d "/var/log/crio/pods" ];
           then
-              setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx /var/log/crio/pods;
+              setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx /var/log/crio/pods;
           fi;
           if [ -d "/var/log/pods" ];
           then
-              setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx /var/log/pods;
+              setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx /var/log/pods;
           fi;
           {{- end }}
           {{- if .Values.logsCollection.journald.enabled }}
           if [ -d "{{ .Values.logsCollection.journald.directory }}" ];
           then
-              setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx {{ .Values.logsCollection.journald.directory }};
+              setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx {{ .Values.logsCollection.journald.directory }};
           fi;
           {{- end }}']
           securityContext:
@@ -168,6 +168,10 @@ spec:
             - name: varlibdockercontainers
               mountPath: /var/lib/docker/containers
             {{- end }}
+            {{- if .Values.logsCollection.journald.enabled }}
+            - name: journaldlogs
+              mountPath: {{ .Values.logsCollection.journald.directory }}
+            {{- end }}
         {{- end }}
         {{- end }}
       {{- end }}
@@ -390,7 +394,7 @@ spec:
         {{- end }}
         - name: checkpoint
           mountPath: {{ .Values.logsCollection.checkpointPath }}
-        {{- if .Values.logsCollection.journald.enabled}}
+        {{- if .Values.logsCollection.journald.enabled }}
         - mountPath: {{.Values.logsCollection.journald.directory}}
           name: journaldlogs
           readOnly: true
@@ -448,7 +452,7 @@ spec:
         hostPath:
           path: {{ .Values.logsCollection.checkpointPath }}
           type: DirectoryOrCreate
-      {{- if .Values.logsCollection.journald.enabled}}
+      {{- if .Values.logsCollection.journald.enabled }}
       - name: journaldlogs
         hostPath:
           path: {{.Values.logsCollection.journald.directory}}

diff --git a/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml b/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml
@@ -0,0 +1,82 @@
+{{- if or (and (.Values.fluentd.securityContext.runAsUser) (.Values.fluentd.securityContext.runAsGroup)) (and (.Values.agent.securityContext.runAsUser) (.Values.agent.securityContext.runAsGroup)) }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "splunk-otel-collector.fullname" . }}-revert-patch-log-dir
+  labels:
+    {{- include "splunk-otel-collector.commonLabels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  restartPolicy: Never
+  containers:
+  - name: revert-patch-log-dirs
+    image: {{ template "splunk-otel-collector.image.initPatchLogDirs" . }}
+    imagePullPolicy: {{ .Values.image.initPatchLogDirs.pullPolicy }}
+    securityContext:
+      runAsUser: 0
+    command: ['sh', '-c', '
+    setfacl --recursive --remove-all  {{ .Values.logsCollection.checkpointPath }};
+    {{- if ne .Values.fluentd.config.posFilePrefix "/var/log/splunk-fluentd" }}
+    setfacl --recursive --remove-all  {{ dir .Values.fluentd.config.posFilePrefix }};
+    {{- end }}
+    {{ if .Values.logsCollection.containers.enabled -}}
+    if [ -d "/var/lib/docker/containers" ];
+    then
+        setfacl --recursive --remove-all  /var/lib/docker/containers;
+    fi;
+    if [ -d "/var/log/crio/pods" ];
+    then
+        setfacl --recursive --remove-all  /var/log/crio/pods;
+    fi;
+    if [ -d "/var/log/pods" ];
+    then
+        setfacl --recursive --remove-all  /var/log/pods;
+    fi;
+    {{- end }}
+    {{- if .Values.logsCollection.journald.enabled }}
+    if [ -d "{{ .Values.logsCollection.journald.directory }}" ];
+    then
+        setfacl --recursive --remove-all {{ .Values.logsCollection.journald.directory }};
+    fi;
+    {{- end }}']
+    volumeMounts:
+      - name: checkpoint
+        mountPath: {{ .Values.logsCollection.checkpointPath }}
+      {{- if ne .Values.fluentd.config.posFilePrefix "/var/log/splunk-fluentd" }}
+      - name: fluentd-checkpoint-dir
+        mountPath: {{ dir .Values.fluentd.config.posFilePrefix }}
+      {{- end }}
+      {{- if .Values.logsCollection.containers.enabled }}
+      - name: varlog
+        mountPath: /var/log
+      - name: varlibdockercontainers
+        mountPath: /var/lib/docker/containers
+      {{- end }}
+      {{- if .Values.logsCollection.journald.enabled }}
+      - name: journaldlogs
+        mountPath: {{.Values.logsCollection.journald.directory}}
+      {{- end }}
+  volumes:
+    - name: checkpoint
+      hostPath:
+        path: {{ .Values.logsCollection.checkpointPath }}
+    - name: varlog
+      hostPath:
+        path: /var/log
+    - name: varlibdockercontainers
+      hostPath:
+        path: /var/lib/docker/containers
+    {{- if ne .Values.fluentd.config.posFilePrefix "/var/log/splunk-fluentd" }}
+    - name: fluentd-checkpoint-dir
+      hostPath:
+        path: {{ dir .Values.fluentd.config.posFilePrefix }}
+        type: DirectoryOrCreate
+    {{- end }}
+    {{- if .Values.logsCollection.journald.enabled }}
+    - name: journaldlogs
+      hostPath:
+        path: {{.Values.logsCollection.journald.directory}}
+    {{- end}}
+{{- end }}