
MSSQL Container Conflict with PSS Enforcement on RedHat OpenShift #918

Open
RufusJWB opened this issue Jan 27, 2025 · 0 comments

@RufusJWB

Our penetration test team has requested that we enforce the “Restricted” PSS policy by adding the following labels to the namespace:

pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: 1.24

One requirement of the “Restricted” policy is setting allowPrivilegeEscalation to false. However, our MSSQL container image fails to run under this configuration and raises the following error:

SQL Server 2022 will run as non-root by default.
This container is running as user 1003350000.
Your master database file is owned by 1003350000.
To learn more visit https://go.microsoft.com/fwlink/?linkid=2099216.
/opt/mssql/bin/permissions_check.sh: line 60: /opt/mssql/bin/sqlservr: Operation not permitted
/opt/mssql/bin/permissions_check.sh: line 60: /opt/mssql/bin/sqlservr: Success

Below is the relevant patch we applied to our StatefulSet:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mssql
spec:
  template:
    spec:
      serviceAccountName: mssql-ref
      securityContext:
        runAsUser: 1003350000
        fsGroup: 1003350000
      containers:
        - name: sql-exporter
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
        - name: mssql
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault

We also assigned the microsoft-sql-server SCC to the mssql-ref service account, but this did not resolve the issue. According to Microsoft’s documentation (bdc-scc.yaml example), MSSQL requires allowPrivilegeEscalation to be set to true, and overriding these settings would break core functionality.

Is there any way to enforce the “Restricted” PSS policy?
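As an added example (not part of the issue, and not code from Microsoft or the mssql-docker project), the following Python check evaluates a pod template against the controls of the Kubernetes "restricted" Pod Security Standard that the namespace labels above would enforce: allowPrivilegeEscalation explicitly false, capabilities dropped to ALL (with only NET_BIND_SERVICE allowed back), a RuntimeDefault or Localhost seccomp profile, runAsNonRoot true at pod or container level, plus the privileged and host-namespace baseline controls. The sample pod spec is constructed to mirror the posted StatefulSet patch; the function names and the `with_mssql_exception` variant (which flips the mssql container back to `allowPrivilegeEscalation: true`, the setting the post says Microsoft's documentation requires) are assumptions for illustration. Run against the posted spec it also reports that `runAsNonRoot: true` is missing, which the restricted profile requires in addition to `allowPrivilegeEscalation: false`; it evaluates only the spec as written (OpenShift's SCC admission may mutate fields such as the UID) and says nothing about why sqlservr fails at runtime.

```python
"""Offline check of a pod template against the Kubernetes 'restricted' Pod Security Standard.

Added example for this issue; not Microsoft's or the mssql-docker project's code.
Covers the restricted profile's per-container controls (allowPrivilegeEscalation,
capabilities, seccomp, runAsNonRoot) and the baseline privileged / host-namespace checks.
"""
import copy
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample: the pod template from the issue's StatefulSet patch, as a dict.
MSSQL_POD_SPEC: Dict[str, Any] = {
    "serviceAccountName": "mssql-ref",
    "securityContext": {"runAsUser": 1003350000, "fsGroup": 1003350000},
    "containers": [
        {
            "name": "sql-exporter",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
                "seccompProfile": {"type": "RuntimeDefault"},
            },
        },
        {
            "name": "mssql",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
                "seccompProfile": {"type": "RuntimeDefault"},
            },
        },
    ],
}

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def _all_containers(pod_spec: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (list name, container) for init, regular and ephemeral containers."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(key) or []:
            yield key, c


def restricted_violations(pod_spec: Dict[str, Any]) -> List[str]:
    """Return human-readable violations of the restricted profile; empty means it passes."""
    problems: List[str] = []
    pod_sc = pod_spec.get("securityContext") or {}

    # Baseline controls that the restricted profile inherits.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            problems.append(f"pod: {field} must be false")
    if pod_sc.get("runAsUser") == 0:
        problems.append("pod: runAsUser 0 is not allowed")

    pod_nonroot = pod_sc.get("runAsNonRoot")
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")

    for kind, c in _all_containers(pod_spec):
        name = f"{kind}[{c.get('name', '?')}]"
        sc = c.get("securityContext") or {}

        if sc.get("privileged"):
            problems.append(f"{name}: privileged must be false")

        # Must be explicitly false; an unset value is a violation, not a default.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be set to false")

        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADD_CAPS
        if extra:
            problems.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")

        # A container value overrides the pod value; one of them must be set and valid.
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ALLOWED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

        if sc.get("runAsNonRoot", pod_nonroot) is not True:
            problems.append(f"{name}: runAsNonRoot must be true (pod-level or container-level)")
        if sc.get("runAsUser") == 0:
            problems.append(f"{name}: runAsUser 0 is not allowed")

    return problems


def with_runas_nonroot(pod_spec: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the spec with pod-level runAsNonRoot: true added (assumed fix for illustration)."""
    spec = copy.deepcopy(pod_spec)
    spec.setdefault("securityContext", {})["runAsNonRoot"] = True
    return spec


def with_mssql_exception(pod_spec: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the spec with the mssql container allowed to escalate, as the post says Microsoft requires."""
    spec = copy.deepcopy(pod_spec)
    for c in spec["containers"]:
        if c["name"] == "mssql":
            c["securityContext"]["allowPrivilegeEscalation"] = True
    return spec


if __name__ == "__main__":
    hardened = with_runas_nonroot(MSSQL_POD_SPEC)
    for label, spec in (("as posted", MSSQL_POD_SPEC),
                        ("with runAsNonRoot", hardened),
                        ("with mssql exception", with_mssql_exception(hardened))):
        print(f"{label}: {restricted_violations(spec) or ['OK']}")
```

A check like this is cheap to run in CI on rendered manifests before a namespace moves from `pod-security.kubernetes.io/warn` or `audit` to `enforce`, so that a workload which genuinely needs an exception is known in advance and can be isolated in its own namespace at a weaker level rather than forcing the whole cluster down.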
