Allow running as non-root to improve out-of-the-box experience for openshift users #300

gberche-orange opened this issue Dec 22, 2022 · 0 comments
gberche-orange commented Dec 22, 2022

By default, K8S openshift restricts containers to run with userids below 1000; see:

https://docs.openshift.com/container-platform/4.10/cicd/pipelines/using-pods-in-a-privileged-security-context.html

> The default configuration of OpenShift [Pipelines 1.3.x and later versions] does not allow you to run pods with privileged security context

https://docs.openshift.com/container-platform/4.10/operators/operator_sdk/helm/osdk-helm-tutorial.html

> The Nginx service account requires privileged access to run in OpenShift Container Platform. Add the following security context constraint (SCC)
>
> `oc adm policy add-scc-to-user anyuid system:serviceaccount:nginx-operator-system:nginx-sample`

Without these additional permissions, the cloudsql image (such as `image: gcr.io/google.com/cloudsdktool/google-cloud-cli:412.0.0`) fails with the following trace:

```console
$ gcloud auth activate-service-account --key-file=/secret/key.json

WARNING: Could not setup log file in /.config/gcloud/logs, (Error: Could not create directory [/.config/gcloud/logs/2022.12.22]: Permission denied.

Please verify that you have permissions to write to the parent directory..
The configuration directory may not be writable. To learn more, see https://cloud.google.com/sdk/docs/configurations#creating_a_configuration
ERROR: (gcloud.auth.activate-service-account) Could not create directory [/.config/gcloud]: Permission denied.

Please verify that you have permissions to write to the parent directory.
Stream closed EOF for 70-crossplane/gcp-gcloud-8bcc8d579-vtrh5 (gcp-gcloud)
```

The filesystem is also missing the permissions needed to run without being root (0) within the container:

```console
1001020000@gcp-gcloud-86d49686bb-h72pr:/$ ls -al /
total 4
dr-xr-xr-x.   1 root root         54 Dec 22 15:34 .
dr-xr-xr-x.   1 root root         54 Dec 22 15:34 ..
drwxr-xr-x.   1 root root        179 Dec 13 18:41 bin
drwxr-xr-x.   2 root root          6 Sep  3 12:10 boot
drwxr-xr-x.   5 root root        360 Dec 22 15:34 dev
drwxr-xr-x.   1 root root         31 Dec 22 15:34 etc
drwxr-xr-x.   1 root root         22 Dec 13 18:41 home
drwxr-xr-x.   1 root root         17 Dec 13 18:46 lib
drwxr-xr-x.   2 root root         34 Dec  5 00:00 lib64
drwxr-xr-x.   2 root root          6 Dec  5 00:00 media
drwxr-xr-x.   2 root root          6 Dec  5 00:00 mnt
drwxr-xr-x.   2 root root          6 Dec  5 00:00 opt
dr-xr-xr-x. 343 root root          0 Dec 22 15:34 proc
drwx------.   1 root root         19 Dec 22 15:34 root
drwxr-xr-x.   1 root root         42 Dec 22 15:34 run
drwxr-xr-x.   2 root root       4096 Dec  5 00:00 sbin
drwxrwsrwt.   3 root 1001020000  100 Dec 22 15:34 secret
drwxr-xr-x.   2 root root          6 Dec  5 00:00 srv
dr-xr-xr-x.  13 root root          0 Oct 24 13:01 sys
drwxrwxrwt.   1 root root          6 Dec 13 18:47 tmp
drwxr-xr-x.   1 root root         19 Dec  5 00:00 usr
drwxr-xr-x.   1 root root         41 Dec  5 00:00 var
1001020000@gcp-gcloud-86d49686bb-h72pr:/$ sudo -i
bash: sudo: command not found
1001020000@gcp-gcloud-86d49686bb-h72pr:/$ mkdir /.config
mkdir: cannot create directory '/.config': Permission denied

1001020000@gcp-gcloud-86d49686bb-h72pr:/$ id
uid=1001020000(1001020000) gid=0(root) groups=0(root),1001020000
```

Same when trying to run as cloudsdk:cloudsdk:

```yaml
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
```

```dockerfile
RUN groupadd -r -g 1000 cloudsdk && \
    useradd -r -u 1000 -m -s /bin/bash -g cloudsdk cloudsdk
```

```yaml
  - lastTransitionTime: "2022-12-22T15:54:32Z"
    lastUpdateTime: "2022-12-22T15:54:32Z"
    message: 'pods "gcp-gcloud-cli-55cf44859-" is forbidden: unable to validate against
      any security context constraint: [provider "anyuid": Forbidden: not usable by
      user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid
      value: 1000: must be in the ranges: [1001020000, 1001029999], provider "nonroot":
      Forbidden: not usable by user or serviceaccount,
```

Related issues:

Workaround on openshift:

In openshift cli mode: `oc adm policy add-scc-to-user anyuid -z default`

In plain KRM:

```yaml
# Grant crossplane user permission to run gcloud container as root
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
  - kind: ServiceAccount
    name: default
    namespace: my-namespace
```

and run pods as cloudsdk:cloudsdk:

```yaml
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
```
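A least-privilege alternative to binding the `anyuid` SCC, as an added example that is not code from this issue or from the google-cloud-cli image: an entrypoint wrapper that finds a directory writable by whatever UID OpenShift assigned and points gcloud at it through `CLOUDSDK_CONFIG` (gcloud's documented override for its configuration directory), so the pod can keep the restricted SCC. It assumes `/tmp` is world-writable in the container, as in the `ls -al /` listing above, and that the image's entrypoint is routed through this script.

```shell
#!/bin/sh
# Entrypoint wrapper (added example): with an OpenShift-assigned arbitrary UID
# the user has no passwd entry, HOME is typically "/" and gcloud tries to
# create /.config/gcloud, which fails exactly as in the trace above. Instead of
# granting anyuid, pick a config directory the current UID can write and hand
# it to gcloud via CLOUDSDK_CONFIG.

# Print the first candidate that exists or can be created and is writable.
# Candidates, in order:
#   1. an explicit $CLOUDSDK_CONFIG, if the pod spec already set one
#   2. $HOME/.config/gcloud, gcloud's default location
#   3. /tmp/gcloud-<uid>, which works for any UID because /tmp is drwxrwxrwt
# Returns 1 (and prints nothing) if none of them is usable.
pick_config_dir() {
    uid=$(id -u)
    for d in "${CLOUDSDK_CONFIG:-}" "${HOME%/}/.config/gcloud" "/tmp/gcloud-$uid"; do
        [ -n "$d" ] || continue
        # -m 700 keeps credentials private to this UID; mkdir -p fails on a
        # non-writable parent such as "/" for uid 1001020000, so we move on.
        if mkdir -p -m 700 "$d" 2>/dev/null && [ -w "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Export the chosen directory and exec the real command (e.g. gcloud ...).
run_entrypoint() {
    CLOUDSDK_CONFIG=$(pick_config_dir) || {
        echo "entrypoint: no writable gcloud config directory for uid $(id -u)" >&2
        exit 1
    }
    export CLOUDSDK_CONFIG
    exec "$@"
}

# Only exec when a command was given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    run_entrypoint "$@"
fi
```

The image-side equivalent, recommended by the OpenShift docs for arbitrary-UID images, is to create the config directory at build time owned by group 0 with `chmod g=u`, since the assigned UID always has gid 0 (see the `id` output above).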