non-root user enabled images and k8s securityContext additions #671

Open
QynKpGJdh opened this issue Feb 2, 2023 · 0 comments

QynKpGJdh commented Feb 2, 2023

Is your feature request related to a problem? Please describe.
The default artemis helm-chart is not deployable on a k8s cluster with securityContext and non-root user requirements.

Describe the solution you'd like

1. Images should be built to run as a non-root user.

   ```dockerfile
   ...
   RUN addgroup -g 15221 appuser
   RUN adduser -S -u 15221 -G appuser appuser
   RUN chown -R 15221:15221 /needed/path/for/proc
   ...
   USER appuser:appuser
   ...
   ```

2. helm-chart templates should include securityContext settings

   ```yaml
   ...
   spec:
     template:
       spec:
         securityContext:
           runAsUser: 15221
           runAsGroup: 15221
           fsGroup: 15221
         containers:
         ...
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - ALL
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
   ...
   ```

Describe alternatives you've considered
I have modified the helm-chart templates and the Dockerfiles to fulfill this requirement. However, once Artemis releases a new update and we would like to upgrade the deployment, we would then have to again modify each Dockerfile to ensure compatibility with the cluster requirements.

The only container that needed heavier modification was the postgres-deployment.yaml and its Dockerfile.

Dockerfile

```dockerfile
FROM timescale/timescaledb:2.8.1-pg14

RUN mkdir /postgres
WORKDIR /postgres
COPY postgres-entrypoint.sh .

# Fixed UID/GID so the k8s runAsUser/runAsGroup/fsGroup values can match them.
RUN addgroup -g 15221 appuser
RUN adduser -S -u 15221 -G appuser appuser
# Hand the paths postgres writes to over to the non-root user.
RUN chown 15221:15221 /var/run/postgresql
RUN chown 15221:15221 postgres-entrypoint.sh
RUN chmod +x postgres-entrypoint.sh
RUN chown -R 15221:15221 /var/lib/postgresql/data/pgdata

USER appuser
# Exec form with an explicit relative path: the script lives in /postgres, which is
# not on PATH. The k8s deployment (postgres-deployment.yaml) overrides this CMD with
# its own command/args.
CMD ["./postgres-entrypoint.sh"]
```

postgres-entrypoint.sh

```bash
#!/bin/bash
# Installs or removes the periodic cron jobs of the Alpine-based image according
# to the DB_* environment variables. The heredocs are deliberately unquoted, so the
# database name/user and the intervals are expanded when the job file is written.
# Writing to /etc/periodic requires root privileges.

if [[ "${DB_BACKUP}" == "true" ]]; then
    cat > /etc/periodic/daily/backup <<EOF
#!/bin/sh
pg_dump -d $POSTGRES_DB -U $POSTGRES_USER -F t -f /tmp/db.tar > /tmp/db.log 2>&1
EOF
    chmod +x /etc/periodic/daily/backup
else
    [ -e /etc/periodic/daily/backup ] && rm /etc/periodic/daily/backup
fi

# The cleanup and dormant jobs are only installed when the interval is a whole
# number of hours; anything else (unset, empty, non-numeric) removes the job.
re='^[0-9]+$'
if [[ $DB_AUTOCLEAN =~ $re ]]; then
    cat > /etc/periodic/hourly/cleanup <<EOF
#!/bin/sh
psql -d $POSTGRES_DB -U $POSTGRES_USER -c "DELETE FROM bgp_updates WHERE timestamp < NOW() - interval '${DB_AUTOCLEAN} hours' AND hijack_key=ARRAY[]::text[];"
EOF
    chmod +x /etc/periodic/hourly/cleanup
else
    [ -e /etc/periodic/hourly/cleanup ] && rm /etc/periodic/hourly/cleanup
fi

if [[ $DB_HIJACK_DORMANT =~ $re ]]; then
    cat > /etc/periodic/hourly/dormant <<EOF
#!/bin/sh
psql -d $POSTGRES_DB -U $POSTGRES_USER -c "UPDATE hijacks SET dormant=true WHERE time_last < NOW() - interval '${DB_HIJACK_DORMANT} hours' AND active=true AND dormant=false;"
EOF
    chmod +x /etc/periodic/hourly/dormant
else
    [ -e /etc/periodic/hourly/dormant ] && rm /etc/periodic/hourly/dormant
fi

# Starting crond and postgres was moved to the container args in postgres-deployment.yaml.
#crond && docker-entrypoint.sh postgres
```

postgres-deployment.yaml

```yaml
...
        # Moved the script content to be run inside the Dockerfile before switching
        # to user appuser. This allows for setting up the cron jobs. The app is then
        # started as the non-root user. Had to also provide `-c max_connections=50`,
        # since the default 25 in our deployment was not enough.
        command: ['/bin/sh', '-c']
        args: ['crond && docker-entrypoint.sh postgres -c max_connections=50']
        #- ./postgres-entrypoint.sh
        volumeMounts:
#        - mountPath: /postgres-entrypoint.sh
#          name: postgres-configmap0
#          subPath: postgres-entrypoint.sh
        - mountPath: /docker-entrypoint-initdb.d/zinit.sql
          name: postgres-configmap1
          subPath: init.sql
        - mountPath: /docker-entrypoint-initdb.d/data/
          name: postgres-configmap2
        - mountPath: /docker-entrypoint-initdb.d/libs/rabbitmq/
          name: postgres-configmap3
        - mountPath: /var/lib/postgresql/data/
          name: postgres-pvc
          readOnly: false
          subPath: postgres-data
        - mountPath: /var/lib/postgresql/data/pgdata/postgresql.conf
          name: postgres-configmap0
          subPath: postgresql.conf
        - mountPath: /tmp/
          name: postgres-pvc
          subPath: postgres-backup
...
```

Additional thoughts
I think that the templates could conditionally include the securityContext specifications if incompatibilities with older k8s versions are expected?
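As an added example that is not part of this issue or of the ARTEMIS chart, the following Python script audits a rendered Deployment for the pod and container securityContext settings proposed above. It takes the JSON form of the object (for instance what `kubectl get deploy NAME -o json` prints), so no YAML library is needed; the two manifests at the bottom, the container name and the image reference are constructed placeholders. It goes one step beyond the issue's list: it also flags `runAsNonRoot: true` without a numeric `runAsUser`, because the kubelet then depends on the image's `USER` directive being numeric and refuses to start a container whose image uses a user name.

```python
"""Audit a Kubernetes Deployment (JSON) for non-root / securityContext settings.

Added example, not ARTEMIS code. Usage:
    python audit_sc.py deployment.json     # audit a real object
    python audit_sc.py                     # run against the constructed samples
"""
import json
import sys

# seccomp types that count as "a profile is enforced"
ACCEPTED_SECCOMP = {"RuntimeDefault", "Localhost"}


def effective(pod_sc, ctr_sc, key):
    """Container-level securityContext fields override pod-level ones per field."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def check_container(name, pod_sc, ctr):
    """Return (container name, finding) pairs for one container spec."""
    sc = ctr.get("securityContext") or {}
    findings = []

    run_as_user = effective(pod_sc, sc, "runAsUser")
    run_as_nonroot = effective(pod_sc, sc, "runAsNonRoot")
    if run_as_user == 0:
        findings.append("runAsUser is 0 (root)")
    if run_as_nonroot is not True:
        findings.append("runAsNonRoot is not true")
    elif run_as_user is None:
        # Without a numeric UID in the pod spec the kubelet can only honour
        # runAsNonRoot if the image's USER is numeric; `USER appuser` fails to start.
        findings.append("runAsNonRoot without runAsUser: image USER must be numeric")

    if sc.get("privileged") is True:
        findings.append("privileged is true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false")
    drop = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in drop:
        findings.append("capabilities.drop does not include ALL")
    seccomp = effective(pod_sc, sc, "seccompProfile") or {}
    if seccomp.get("type") not in ACCEPTED_SECCOMP:
        findings.append("seccompProfile.type is not RuntimeDefault or Localhost")
    return [(name, f) for f in findings]


def audit_deployment(deployment):
    """Audit every container and initContainer of a Deployment dict."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    results = []
    for ctr in containers:
        results.extend(check_container(ctr["name"], pod_sc, ctr))
    return results


# Constructed sample: the pod/container settings proposed in this issue.
HARDENED = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"runAsUser": 15221, "runAsGroup": 15221, "fsGroup": 15221},
    "containers": [{"name": "postgres", "image": "example/postgres:placeholder",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]},
                                        "runAsNonRoot": True,
                                        "seccompProfile": {"type": "RuntimeDefault"}}}]}}}}

# Constructed sample: a container with no securityContext at all.
DEFAULT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "postgres", "image": "example/postgres:placeholder"}]}}}}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = {sys.argv[1]: json.load(fh)}
    else:
        targets = {"HARDENED": HARDENED, "DEFAULT": DEFAULT}
    for label, dep in targets.items():
        found = audit_deployment(dep)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' finding(s)'}")
        for ctr, msg in found:
            print(f"  {ctr}: {msg}")
```

The merge in `effective` matters for the pod-level `runAsUser` in the proposed template: a container that does not repeat the field inherits it, while a container that sets its own value (including `0`) wins, so an audit that only looks at one level would miss that case.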
