From c54dbdb47d4ad8bf3fabed953ef41061e64dd0eb Mon Sep 17 00:00:00 2001
From: jk464
Date: Mon, 5 Feb 2024 11:21:58 +0000
Subject: [PATCH] Run containers as non-root w/o escalation privs
Co-authored-by: Jacob Floyd
---
 CHANGELOG.md | 1 +
 templates/_helpers.tpl | 18 ++++++++++++++++++
 templates/deployments.yaml | 14 ++++++++++----
 templates/jobs.yaml | 18 +++++++++---------
 templates/services.yaml | 4 +++-
 tests/unit/ingress_test.yaml | 4 ++--
 values.yaml | 36 ++++++++++++++++++++++++++++++++----
 7 files changed, 75 insertions(+), 20 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 919af036..5309bb43 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Changelog
 ## Development
+* Enable running all pods/containers as non-root without any escalation privileges (#400) (by @jk464 @Stealthii)
 ## v1.1.0
 * Fix syntax with ensure-packs-volumes-are-writable job (#403, #411) (by @skiedude)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 9cadeeab..97d1851e 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -422,3 +422,21 @@ Create the custom env list for each deployment
 value: {{ $value | quote }}
 {{- end }}
 {{- end -}}
+ {{/*
+Define st2web ports
+*/}}
+{{- define "stackstorm-ha.st2web.http_port" -}}
+{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
+8080
+{{- else -}}
+80
+{{- end -}}
+{{- end -}}
+{{- define "stackstorm-ha.st2web.https_port" -}}
+{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
+8443
+{{- else -}}
+443
+{{- end -}}
+{{- end -}}
diff --git a/templates/deployments.yaml b/templates/deployments.yaml
index 7cbceded..fa4e23c1 100644
--- a/templates/deployments.yaml
+++ b/templates/deployments.yaml
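Review bot: Both port helpers decide on `$.Values.st2web.securityContext.runAsUser` alone, so a deployment that leaves `st2web.securityContext` empty in order to inherit the new global `securityContext` (`runAsUser: 1000`, as the values.yaml "override the default" comment suggests it does) gets 80/443 from the helper while the container still runs unprivileged, and the same happens when only `runAsNonRoot: true` is set at pod level. Resolve the effective context the way the deployment presumably does before testing it, e.g. `{{- $sc := $.Values.st2web.securityContext | default $.Values.securityContext -}}` followed by `{{- if ne (default 0 (($sc).runAsUser | int)) 0 -}}`, in both defines. The condition is duplicated verbatim between `http_port` and `https_port`; one helper that evaluates the predicate once and is shared by both would keep them from drifting. Whether binding port 80 actually fails for that UID depends on the st2web image, which is not visible here.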
@@ -439,13 +439,15 @@ spec:
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 ports:
- - containerPort: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
+ {{- $https_port := include "stackstorm-ha.st2web.https_port" . }}
+ {{- $http_port := include "stackstorm-ha.st2web.http_port" . }}
+ - containerPort: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary $https_port $http_port }}
 # Probe to check if app is running. Failure will lead to a pod restart.
 livenessProbe:
 httpGet:
 scheme: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary "HTTPS" "HTTP" }}
 path: /
- port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
+ port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary $https_port $http_port }}
 initialDelaySeconds: 1
 # Probe to check if app is ready to serve traffic. Failure will lead to temp stop serving traffic.
 # TODO: Failing to add readinessProbe, since st2 requires authorization (401) and we don't have `/healthz` endpoints yet (https://github.com/StackStorm/st2/issues/4020)
@@ -1644,13 +1646,17 @@ spec:
 {{- end }}
 volumeMounts:
 - name: st2client-config-vol
+ {{- if eq .Values.st2.system_user.user "root" }}
 mountPath: /root/.st2/
+ {{- else }}
+ mountPath: /home/{{ .Values.st2.system_user.user }}/.st2/
+ {{- end }}
 # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
 command:
 - 'sh'
 - '-ec'
 - |
- cat < /root/.st2/config
+ cat < /home/stanley/.st2/config
 {{- tpl .Values.st2client.st2clientConfig . | nindent 12 }}
 EOT
 containers:
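Review bot: The predicate `eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1"` is now evaluated three times in this hunk (containerPort, scheme, probe port); since the new lines already introduce variables for the ports, compute it once next to them, `{{- $https := eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" }}`, and write `{{ $https | ternary $https_port $http_port }}` and `{{ $https | ternary "HTTPS" "HTTP" }}`. Note that `include` returns a string, so `$https_port`/`$http_port` render as unquoted scalars and parse as integers only because the template leaves them unquoted; a comment on the variable lines saying so would stop someone "fixing" them with `| quote` later. The enclosing container spec starts before this hunk.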
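Review bot: The init container now mounts st2client-config-vol at `/home/{{ .Values.st2.system_user.user }}/.st2/` (or `/root/.st2/` when the user is root), but the `cat` in the same container still writes to the hard-coded `/home/stanley/.st2/config`, so for `user: root` or any user other than stanley the config is written outside the mounted volume (or the command fails if that directory does not exist in the image) and the main container sees an empty directory. The main container mount in the @@ -1683 hunk and every jobs.yaml hunk (@@ -164, -197, -290, -325, -660, -692) hard-code `/home/stanley/.st2/` as well, so they disagree with this conditional mount for the same values. Derive the path once, e.g. `{{- $st2_home := eq .Values.st2.system_user.user "root" | ternary "/root" (printf "/home/%s" .Values.st2.system_user.user) }}`, use `mountPath: {{ $st2_home }}/.st2/` for every st2client-config-vol mount and `{{ $st2_home }}/.st2/config` as the heredoc target, or put it in a named helper so jobs.yaml shares it. Whether a non-stanley user's home actually lives at `/home/<user>` inside the images is not visible here and should be confirmed.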
@@ -1683,7 +1689,7 @@ spec:
 {{- end }}
 {{- include "stackstorm-ha.overrides-config-mounts" . | nindent 8 }}
 - name: st2client-config-vol
- mountPath: /root/.st2/
+ mountPath: /home/stanley/.st2/
 - name: st2-ssh-key-vol
 mountPath: {{ tpl .Values.st2.system_user.ssh_key_file . | dir | dir }}/.ssh-key-vol/
 {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
diff --git a/templates/jobs.yaml b/templates/jobs.yaml
index 592936fb..1a937656 100644
--- a/templates/jobs.yaml
+++ b/templates/jobs.yaml
@@ -164,13 +164,13 @@ spec:
 {{- end }}
 volumeMounts:
 - name: st2client-config-vol
- mountPath: /root/.st2/
+ mountPath: /home/stanley/.st2/
 # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
 command:
 - 'sh'
 - '-ec'
 - |
- cat < /root/.st2/config
+ cat < /home/stanley/.st2/config
 {{- tpl .Values.jobs.st2clientConfig . | nindent 12 }}
 EOT
 containers:
@@ -197,7 +197,7 @@ spec:
 {{- end }}
 volumeMounts:
 - name: st2client-config-vol
- mountPath: /root/.st2/
+ mountPath: /home/stanley/.st2/
 - name: st2-apikeys-vol
 mountPath: /etc/st2/apikeys.yaml
 subPath: apikeys.yaml
@@ -290,13 +290,13 @@ spec:
 {{- end }}
 volumeMounts:
 - name: st2client-config-vol
- mountPath: /root/.st2/
+ mountPath: /home/stanley/.st2/
 # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
 command:
 - 'sh'
 - '-ec'
 - |
- cat < /root/.st2/config
+ cat < /home/stanley/.st2/config
 {{- tpl .Values.jobs.st2clientConfig . | nindent 12 }}
 EOT
 containers:
@@ -325,7 +325,7 @@ spec:
 volumeMounts:
 {{- include "stackstorm-ha.st2-config-volume-mounts" . | nindent 8 }}
 - name: st2client-config-vol
- mountPath: /root/.st2/
+ mountPath: /home/stanley/.st2/
 - name: st2-kv-vol
 mountPath: /etc/st2/st2kv.yaml
 subPath: st2kv.yaml
@@ -660,13 +660,13 @@ spec:
 {{- end }}
 volumeMounts:
 - name: st2client-config-vol
- mountPath: /root/.st2/
+ mountPath: /home/stanley/.st2/
 # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
 command:
 - 'sh'
 - '-ec'
 - |
- cat < /root/.st2/config
+ cat < /home/stanley/.st2/config
 {{- tpl $.Values.jobs.st2clientConfig $ | nindent 12 }}
 EOT
 containers:
@@ -692,7 +692,7 @@ spec:
 {{- end }}
 volumeMounts:
 - name: st2client-config-vol
- mountPath: /root/.st2/
+ mountPath: /home/stanley/.st2/
 {{- include "stackstorm-ha.overrides-config-mounts" $ | nindent 8 }}
 {{- include "stackstorm-ha.st2-config-volume-mounts" $ | nindent 8 }}
 {{- include "stackstorm-ha.packs-volume-mounts-for-register-job" $ | nindent 8 }}
diff --git a/templates/services.yaml b/templates/services.yaml
index 6b0e385d..21aacd5e 100644
--- a/templates/services.yaml
+++ b/templates/services.yaml
@@ -99,8 +99,10 @@ spec:
 {{- end }}
 {{- end }}
 ports:
+ {{- $https_port := include "stackstorm-ha.st2web.https_port" . }}
+ {{- $http_port := include "stackstorm-ha.st2web.http_port" . }}
 - protocol: TCP
- port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
+ port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary $https_port $http_port }}
 {{ if .Values.st2chatops.enabled -}}
 ---
diff --git a/tests/unit/ingress_test.yaml b/tests/unit/ingress_test.yaml
index b9b35deb..2b454ff0 100644
--- a/tests/unit/ingress_test.yaml
+++ b/tests/unit/ingress_test.yaml
@@ -64,7 +64,7 @@ tests:
 servicePort: 80
 - path: /fancy-sensor
 serviceName: fancy-sensor
- servicePort: 8080
+ servicePort: {{ template ".stackstorm-ha.st2web.http_port" . }}
 tls: []
 st2web:
 service:
@@ -105,4 +105,4 @@ tests:
 service:
 name: fancy-sensor
 port:
- number: 8080
+ number: {{ template ".stackstorm-ha.st2web.http_port" . }}
diff --git a/values.yaml b/values.yaml
index 8f4d90fc..154067da 100644
--- a/values.yaml
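Review bot: Switching the Service `port` itself to 8080/8443 whenever st2web runs with a non-zero UID changes the cluster-facing address of st2web, so every Ingress backend, NetworkPolicy or client that reaches the service on 80/443 breaks because of a securityContext choice; the ingress_test.yaml edits in this same commit look like a symptom of that coupling. Only the container side needs to move: keep `port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}` as it was and add `targetPort: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary $https_port $http_port }}` beneath it, so the Service keeps exposing 80/443 while forwarding to the unprivileged container port. If tracking the container port on the Service is intentional, say so in values.yaml next to `st2web.securityContext`, because it is a user-visible change for existing installs.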
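Review bot: The test references the helper as `.stackstorm-ha.st2web.http_port` with a leading dot, whereas _helpers.tpl defines `stackstorm-ha.st2web.http_port`; if these values are run through `tpl` by the chart the name will not resolve, and if they are not, the literal `{{ template ... }}` text ends up as the `servicePort`. The @@ -105 hunk uses the same reference. From the visible lines these fields describe the `fancy-sensor` backend rather than st2web, so tying them to the st2web helper may not be intended at all; either restore the literal `8080` the test had, or drop the dot, `servicePort: {{ template "stackstorm-ha.st2web.http_port" . }}`, and confirm the test harness actually renders it.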
+++ b/values.yaml
@@ -300,8 +300,11 @@ st2:
 ## Default SecurityContext for pods and containers.
 ## Overrides available for st2web, st2actionrunner, st2sensorcontainer, st2client pods, and custom packs images.
 ##
-podSecurityContext: {}
-securityContext: {}
+podSecurityContext:
+ runAsNonRoot: true
+securityContext:
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
 ##
 ## StackStorm HA Ingress
@@ -377,7 +380,10 @@ st2web:
 attach: false
 # override the default .podSecurityContext or .securityContext here
 podSecurityContext: {}
- securityContext: {} # NB: nginx requires some capabilities, drop ALL will cause issues.
+ securityContext: # NB: nginx requires some capabilities, drop ALL will cause issues.
+ runAsUser: 999 # run as nginx user
+ runAsGroup: 999 # run as nginx group
+ allowPrivilegeEscalation: false
 # mount extra volumes on the st2web pod(s) (primarily useful for k8s-provisioned secrets)
 ## Note that Helm templating is supported in 'mount' and 'volume'
 extra_volumes: []
@@ -1050,6 +1056,15 @@ mongodb:
 arbiter:
 enabled: false
 resources: {}
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ sysctls: []
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
 ##
 ## RabbitMQ configuration (3rd party chart dependency)
@@ -1097,7 +1112,12 @@ rabbitmq:
 # As RabbitMQ enabled prometheus operator monitoring by default, disable it for non-prometheus users
 metrics:
 enabled: false
-
+ podSecurityContext:
+ fsGroup: 1001
+ runAsUser: 1001
+ runAsNonRoot: true
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
 ##
 ## Redis HA configuration (3rd party chart dependency)
 ##
@@ -1133,6 +1153,14 @@ redis:
 usePassword: false
 metrics:
 enabled: false
+ securityContext:
+ enabled: true
+ fsGroup: 1001
+ runAsNonRoot: true
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ allowPrivilegeEscalation: false
 ##
 ## Settings to be applied to all stackstorm-ha pods
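Review bot: The new global `securityContext` pins `runAsUser: 1000` with no `runAsGroup` and no pod-level `fsGroup`, so volumes mounted into the st2 pods (packs, the ssh key, st2client-config-vol) keep their default ownership and a UID-1000 process may be unable to write them; the subchart stanzas further down do set `fsGroup`, which makes the omission here look accidental. Whether 1000 is the UID of `st2.system_user.user` inside the images is not visible on this page and should be stated next to the key, e.g. `## runAsUser must match the UID of st2.system_user.user in the st2 images`. Because the comment above says per-component contexts "override" this default, a user who sets e.g. `st2actionrunner.securityContext` without `runAsUser` presumably drops the UID while `podSecurityContext.runAsNonRoot: true` still applies, and the kubelet will then refuse to start an image whose USER is root — a sentence warning about that next to `runAsNonRoot` would save debugging time. For the restricted Pod Security Standard the global default would also need `capabilities: { drop: [ALL] }` and `seccompProfile: { type: RuntimeDefault }`; the st2web `NB` explains why nginx is excluded, but nothing visible here rules them out for the Python services, so consider a follow-up.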