Fix stanley_rsa permissions via postStart pod lifecycle hook #219

Merged: 7 commits merged on Jul 10, 2021

cognifloyd (Member) commented Jul 8, 2021

I extracted this change from #206.

Use the postStart lifecycle event in st2actionrunner and st2client pods to correct file permissions on the stanley ssh private key.
Includes a test to ensure the key permissions are correct.

see:
https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/

  • Fix stanley_rsa file permissions with postStart lifecycle hook script for st2actionrunner and st2client
  • bash needs to run the script directly not with -c
  • make the ssh key writable so we can change permissions at runtime
  • mount ssh-key to separate directory, cp, and fix permissions
  • add test for stanley_rsa file ownership
  • use st2 as test intermediary
  • add changelog entry

Fixes #84

pull-request-size bot added the size/M label Jul 8, 2021
cognifloyd added the enhancement, RFR and security labels Jul 8, 2021
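
The "mount ssh-key to separate directory, cp, and fix permissions" step from the description above, sketched as a script a postStart hook could run. This is an added example, not the chart's own script: the function names, the paths in the wiring comment and the 0400 mode are assumptions.

```shell
#!/bin/sh
# Added example; paths, user and function names are assumptions,
# not taken from the chart.

# check_key FILE OWNER: succeed only if FILE is mode 400 and owned by
# OWNER (user name or numeric uid). Tries GNU stat, then BSD stat.
check_key() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    user=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1")
    uid=$(stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1")
    [ "$mode" = "400" ] || return 1
    [ "$user" = "$2" ] || [ "$uid" = "$2" ]
}

# install_key SRC DST OWNER: copy a private key out of a read-only
# mount into a writable directory, then restrict its mode and owner.
install_key() {
    src=$1; dst=$2; owner=$3
    [ -r "$src" ] || { echo "missing key: $src" >&2; return 1; }
    dst_dir=$(dirname "$dst")
    mkdir -p "$dst_dir" || return 1
    chmod 700 "$dst_dir" || return 1
    # A copy left by an earlier container start is mode 400 and would
    # block cp, so remove it first.
    rm -f "$dst"
    # Tight umask: the copy is never group/world readable, even
    # briefly between cp and chmod.
    ( umask 077 && cp "$src" "$dst" ) || return 1
    chmod 400 "$dst" || return 1
    # chown needs root; as any other user the copy is already owned
    # by whoever runs the hook.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dst_dir" "$dst" || return 1
    fi
    # Fail loudly if the result is not what ssh will accept.
    check_key "$dst" "$owner"
}

# Hypothetical wiring inside the hook script:
#   install_key /etc/ssh-key-vol/stanley_rsa \
#       /home/stanley/.ssh/stanley_rsa stanley
```

If the hook runs as a user other than root or the intended owner, `check_key` fails and the script exits non-zero instead of leaving a key that ssh will refuse.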
@@ -52,6 +52,18 @@ load "${BATS_HELPERS_DIR}/bats-file/load.bash"
assert_line --partial 'succeeded: true'
}

@test 'stanley_rsa file has correct permissions and ownership' {
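
Review bot: The title on the added "@test 'stanley_rsa file has correct permissions and ownership'" line names two properties, so the test body should assert each one separately, the exact file mode and the owning user, rather than one combined check; a failure then shows which property regressed. Only the opening line of the test is visible in this excerpt, so please confirm the body does both.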
👍 Thanks for the tests!

arm4b (Member) left a comment

That's an elegant solution, thanks for contributing this fix 👍

arm4b merged commit b2d31f3 into StackStorm:master Jul 10, 2021
cognifloyd removed the RFR label Jul 10, 2021
cognifloyd deleted the stanley_rsa-permissions branch November 11, 2021 18:55
Successfully merging this pull request may close these issues.

stanley_rsa is owned by root:root instead of stanley user in k8s