Run Containers as Non-Root, and without Privilege Escalation by default. #400
Conversation
pull-request-size
bot
added
the
size/M
| /bin/cp -dR /opt/stackstorm/packs/. /opt/stackstorm/packs-shared && | ||
| /bin/cp -dR /opt/stackstorm/virtualenvs/. /opt/stackstorm/virtualenvs-shared |
There was a problem hiding this comment.
-d only preserves symlinks as-is. -a also copied the mode, including execute bits.
We need to make sure to preserve the execute bit on files. Would we have to add --preserve=mode to copy that?
Also, how will this interact with #245 (Switch from cp to rsync with fallback to cp)?
There was a problem hiding this comment.
Would you please check out #415? I'd like to come up with the minimal set of flags for cp and rsync.
There was a problem hiding this comment.
@Stealthii made these changes (which remains me I should credit him as an author in the commits..), I believe this was to fix issues with running as a non-privileged user. @Stealthii can you comment here / have a look at the above PRs :D
There was a problem hiding this comment.
@cognifloyd I've commented on #415 with a proposed change that should preserve all relevant attributes besides ownership. #415 (comment)
Once verified and if it becomes part of that PR, we can drop the change here and have this PR focus solely on the enablement of non-root runtimes.
templates/services.yaml
Outdated
| @@ -100,7 +100,7 @@ spec: | |||
| {{- end }} | |||
| ports: | |||
| - protocol: TCP | |||
| port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }} | |||
| port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 8443 8080 }} | |||
There was a problem hiding this comment.
We might need this to be in values to support older docker images.
There was a problem hiding this comment.
Annoyingly in #401 I also make changes here:
@@ -99,8 +107,10 @@ spec:
{{- end }}
{{- end }}
ports:
- - protocol: TCP
- port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
+ - name: st2web
+ protocol: TCP
+ port: {{ if and .Values.st2.tls.enabled .Values.st2web.tls.enabled -}}8443{{- else -}}8080{{- end }}
+ targetPort: {{ if and .Values.st2.tls.enabled .Values.st2web.tls.enabled -}}8443{{- else -}}8080{{- end }}
{{ if .Values.st2chatops.enabled -}}
---It would probably be easier in that PR to make changes to ensure backwards compatability
There was a problem hiding this comment.
Ok I've updated this in both PR to check to see if ((($.Values.st2web.securityContext).runAsUser) is defined and set to a non 0 value (i.e. running as non-root) and if so return the non-privileged ports, otherwise it returns the old privileged ports
| podSecurityContext: | ||
| runAsNonRoot: true | ||
| securityContext: | ||
| runAsUser: 1000 | ||
| allowPrivilegeEscalation: false |
There was a problem hiding this comment.
In my cluster, I use drop capabilities, re-adding them only for the deployments that need it. So I have:
#podSecurityContext:
securityContext:
capabilities:
drop: ["ALL"]
st2actionrunner:
#podSecurityContext:
securityContext:
capabilities:
drop: ["ALL"]
add:
- chown
- fowner # chmod
- fsetid
- setfcap
- setgid
- setuid
- dac_override # allows root to bypass "discretionary access control" (file rwx permission checks)
- kill
- net_raw # ping
- audit_write # sudo
- setpcap
st2web:
#podSecurityContext:
securityContext:
capabilities:
drop: ["ALL"]
add:
- chown
- setgid
- setuid
- dac_override # allows root to bypass "discretionary access control" (file rwx permission checks)
- net_bind_service # bind privileged ports 80 or 443So, that's a slightly different approach than just running as a non-root user. In particular, if st2web is not running as root, and is using unprivileged ports, then the config could be somewhat simpler.
There was a problem hiding this comment.
I think for st2web, the fact I don't bind privileged ports, and also I ensured any required files are chown by nginx in the Docker image removes any need for this capabilities?
For st2actionrunner do we have any documentation that points towards what st2actionrunner needs each of those capabilities for? I'm wondering if we can remove any of them by making changes elsewhere, w/o breaking compatibility ofc.
jk464
force-pushed
the
feature/non-root
branch
2 times, most recently
from
f7ba491
to
73ed0a2
Compare
pull-request-size
bot
added
size/L
Co-authored-by: Jacob Floyd <cognifloyd@gmail.com>
Allows copying of files in non-root containers
In attempt to harden the security of running StackStorm within k8s, this PR makes it such that by default all containers run as a non-root user, generally
1000:1000(thestanleyuser) - or forst2webit runs as100:100(which is thenginxuser).It also disables the ability of the container to escalate privileges.
Generally in my testing, this all "just" works - Aside from requiring a change to the
st2webcontainer to allownginxto run as thenginxuser. (Changes to support that are here StackStorm/st2-dockerfiles#66).NOTE: This PR depends on StackStorm/st2-dockerfiles#66 to work.