From 45222e0eaf530540b350eeda70655094890da53d Mon Sep 17 00:00:00 2001 From: wojtekzyla <108660584+wojtekzyla@users.noreply.github.com> Date: Wed, 8 Mar 2023 02:09:18 +0100 Subject: [PATCH] Fix acl permissions (#687) - while creating ACLs in the initContainer in the daemonset, change the default user and group of the otel image to 999 (this is because splunk-otel-collector has uid of 999) - add post delete hook which deletes ACLs set for directories used by agent, gateway and clusterReceiver while those pods run as non-root users --------- Co-authored-by: omrozowicz-splunk
---
.../templates/daemonset.yaml | 18 ++-- .../templates/revert-patch-log-dirs-hook.yaml | 82 +++++++++++++++++++ 2 files changed, 93 insertions(+), 7 deletions(-) create mode 100644 helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml
diff --git a/helm-charts/splunk-otel-collector/templates/daemonset.yaml b/helm-charts/splunk-otel-collector/templates/daemonset.yaml
index 2b32660993..c79f130e8c 100644
--- a/helm-charts/splunk-otel-collector/templates/daemonset.yaml
+++ b/helm-charts/splunk-otel-collector/templates/daemonset.yaml
@@ -135,26 +135,26 @@ spec: imagePullPolicy: {{ .Values.image.initPatchLogDirs.pullPolicy }} command: ['sh', '-c', ' mkdir -p {{ .Values.logsCollection.checkpointPath }}; - chown -Rv {{ $agent.securityContext.runAsUser | default 20000 }}:{{ $agent.securityContext.runAsGroup | default 20000 }} {{ .Values.logsCollection.checkpointPath }}; + chown -Rv {{ $agent.securityContext.runAsUser | default 999 }}:{{ $agent.securityContext.runAsGroup | default 999 }} {{ .Values.logsCollection.checkpointPath }}; chmod -v g+rwxs {{ .Values.logsCollection.checkpointPath }}; {{ if .Values.logsCollection.containers.enabled -}} if [ -d "/var/lib/docker/containers" ]; then - setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx /var/lib/docker/containers; + setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx /var/lib/docker/containers; fi; if [ -d "/var/log/crio/pods" ]; then - setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx /var/log/crio/pods; + setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx /var/log/crio/pods; fi; if [ -d "/var/log/pods" ]; then - setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx /var/log/pods; + setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx /var/log/pods; fi; {{- end }} {{- if .Values.logsCollection.journald.enabled }} if [ -d "{{ .Values.logsCollection.journald.directory }}" ]; then - setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 
20000 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx {{ .Values.logsCollection.journald.directory }}; + setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx {{ .Values.logsCollection.journald.directory }}; fi; {{- end }}'] securityContext: @@ -168,6 +168,10 @@ spec: - name: varlibdockercontainers mountPath: /var/lib/docker/containers {{- end }} + {{- if .Values.logsCollection.journald.enabled }} + - name: journaldlogs + mountPath: {{ .Values.logsCollection.journald.directory }} + {{- end }} {{- end }} {{- end }} {{- end }} @@ -390,7 +394,7 @@ spec: {{- end }} - name: checkpoint mountPath: {{ .Values.logsCollection.checkpointPath }} - {{- if .Values.logsCollection.journald.enabled}} + {{- if .Values.logsCollection.journald.enabled }} - mountPath: {{.Values.logsCollection.journald.directory}} name: journaldlogs readOnly: true @@ -448,7 +452,7 @@ spec: hostPath: path: {{ .Values.logsCollection.checkpointPath }} type: DirectoryOrCreate - {{- if .Values.logsCollection.journald.enabled}} + {{- if .Values.logsCollection.journald.enabled }} - name: journaldlogs hostPath: path: {{.Values.logsCollection.journald.directory}} diff --git a/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml b/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml new file mode 100644 index 0000000000..7ac37d50f3 --- /dev/null +++ b/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml 
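Review bot: The new `| default 999` fallback in the chown and the four setfacl lines makes gid 999 the group that receives rx on /var/lib/docker/containers, /var/log/crio/pods, /var/log/pods and the journald directory, and that gid is interpreted by the node's kernel, not by the collector image; on many distributions uid/gid 999 is already allocated to an unrelated host system account, so the ACL would hand that account read access to every pod's logs, a collision the previous 20000 default was unlikely to hit. If 999 must stay the default because the image runs as it, document the trade-off next to the agent securityContext values and recommend an explicit `runAsGroup`, e.g. `# NOTE: the ACL gid is resolved on the node; set agent.securityContext.runAsGroup to a gid unused on the hosts`. The same expression is now repeated eight times in this hunk; hoisting it once, `{{- $gid := $agent.securityContext.runAsGroup | default 999 }}`, keeps the default in a single place. The initContainer definition starts before this hunk and its securityContext continues after it.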
@@ -0,0 +1,82 @@
+{{- if or (and (.Values.fluentd.securityContext.runAsUser) (.Values.fluentd.securityContext.runAsGroup)) (and (.Values.agent.securityContext.runAsUser) (.Values.agent.securityContext.runAsGroup)) }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "splunk-otel-collector.fullname" . }}-revert-patch-log-dir
+ labels:
+ {{- include "splunk-otel-collector.commonLabels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ restartPolicy: Never
+ containers:
+ - name: revert-patch-log-dirs
+ image: {{ template "splunk-otel-collector.image.initPatchLogDirs" . }}
+ imagePullPolicy: {{ .Values.image.initPatchLogDirs.pullPolicy }}
+ securityContext:
+ runAsUser: 0
+ command: ['sh', '-c', '
+ setfacl --recursive --remove-all {{ .Values.logsCollection.checkpointPath }};
+ {{- if ne .Values.fluentd.config.posFilePrefix "/var/log/splunk-fluentd" }}
+ setfacl --recursive --remove-all {{ dir .Values.fluentd.config.posFilePrefix }};
+ {{- end }}
+ {{ if .Values.logsCollection.containers.enabled -}}
+ if [ -d "/var/lib/docker/containers" ];
+ then
+ setfacl --recursive --remove-all /var/lib/docker/containers;
+ fi;
+ if [ -d "/var/log/crio/pods" ];
+ then
+ setfacl --recursive --remove-all /var/log/crio/pods;
+ fi;
+ if [ -d "/var/log/pods" ];
+ then
+ setfacl --recursive --remove-all /var/log/pods;
+ fi;
+ {{- end }}
+ {{- if .Values.logsCollection.journald.enabled }}
+ if [ -d "{{ .Values.logsCollection.journald.directory }}" ];
+ then
+ setfacl --recursive --remove-all {{ .Values.logsCollection.journald.directory }};
+ fi;
+ {{- end }}']
+ volumeMounts:
+ - name: checkpoint
+ mountPath: {{ .Values.logsCollection.checkpointPath }}
+ {{- if ne .Values.fluentd.config.posFilePrefix "/var/log/splunk-fluentd" }}
+ - name: fluentd-checkpoint-dir
+ mountPath: {{ dir .Values.fluentd.config.posFilePrefix }}
+ {{- end }}
+ {{- if .Values.logsCollection.containers.enabled }}
+ - name: varlog
+ mountPath: /var/log
+ - name: varlibdockercontainers
+ mountPath: /var/lib/docker/containers
+ {{- end }}
+ {{- if .Values.logsCollection.journald.enabled }}
+ - name: journaldlogs
+ mountPath: {{.Values.logsCollection.journald.directory}}
+ {{- end }}
+ volumes:
+ - name: checkpoint
+ hostPath:
+ path: {{ .Values.logsCollection.checkpointPath }}
+ - name: varlog
+ hostPath:
+ path: /var/log
+ - name: varlibdockercontainers
+ hostPath:
+ path: /var/lib/docker/containers
+ {{- if ne .Values.fluentd.config.posFilePrefix "/var/log/splunk-fluentd" }}
+ - name: fluentd-checkpoint-dir
+ hostPath:
+ path: {{ dir .Values.fluentd.config.posFilePrefix }}
+ type: DirectoryOrCreate
+ {{- end }}
+ {{- if .Values.logsCollection.journald.enabled }}
+ - name: journaldlogs
+ hostPath:
+ path: {{.Values.logsCollection.journald.directory}}
+ {{- end}}
+{{- end }}
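Review bot: The revert hook is a single `kind: Pod`, so on a multi-node cluster it runs on whichever node the scheduler picks and removes ACLs only there, while the initContainer in daemonset.yaml has set them on every node the agent ran on; undoing the change cluster-wide needs one run per node (a DaemonSet carrying the agent's nodeSelector and tolerations with a completion signal, or one Job per node) rather than one Pod. Separately, `setfacl --recursive --remove-all` strips every extended ACL entry under the checkpoint path, /var/lib/docker/containers, /var/log/crio/pods, /var/log/pods and the journald directory, not only the `g:<gid>`/`d:g:<gid>` entries the chart added; on systemd hosts /var/log/journal commonly carries ACL entries granting the adm or wheel group read access, so if journald.directory points there this removes administrator access the chart never granted. A targeted revert such as `setfacl -R -x g:{{ $gid }},d:g:{{ $gid }} /var/log/pods;` (with `$gid` a local resolved the same way daemonset.yaml resolves runAsGroup) undoes only what was granted. The render condition also does not match the daemonset: this file renders only when `runAsUser` and `runAsGroup` are set explicitly, whereas the daemonset applies ACLs with a `default 999` fallback, so an install relying on the defaults gets the ACLs but never the revert (the daemonset's own enclosing condition is outside the hunks shown). Lastly, `{{- end}}` on the penultimate line lacks the space this commit adds elsewhere (`{{- end }}`).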