Workaround for AWS pod identity and non-root programs

AWS pod identity creates a token with `0600` permissions and `root:root`: ``` -rw------- 1 root root 1498 Aug 13 12:47 /run/secrets/eks.amazonaws.com/serviceaccount/..2020_08_13_12_47_11.793276204/token ``` This prevents programs running inside containers using a non-root account to read the token. See [1] for details. This CR working around that by adding ``` securityContext: fsGroup: 65534 ``` into the pod spec. After that the token is owned by the given group and has `0640` permissions: ``` -rw-r----- 1 root nobody 1498 Aug 13 14:20 /run/secrets/eks.amazonaws.com/serviceaccount/..2020_08_13_14_20_31.793276204/token ``` The id of the group can be changed via the `fs_group` service parameter. [1] aws/amazon-eks-pod-identity-webhook#8
Yelp · Aug 13, 2020 · d0a1eb6 · d0a1eb6
1 parent 0001f4f
commit d0a1eb6
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/paasta_tools/cli/schemas/kubernetes_schema.json b/paasta_tools/cli/schemas/kubernetes_schema.json
@@ -539,6 +539,9 @@
                         "aws"
                     ]
                 },
+                "fs_group": {
+                    "type": "int"
+                },
                 "healthcheck_mode": {
                     "enum": [
                         "cmd",

diff --git a/paasta_tools/kubernetes_tools.py b/paasta_tools/kubernetes_tools.py
@@ -77,6 +77,7 @@
 from kubernetes.client import V1Pod
 from kubernetes.client import V1PodAffinityTerm
 from kubernetes.client import V1PodAntiAffinity
+from kubernetes.client import V1PodSecurityContext
 from kubernetes.client import V1PodSpec
 from kubernetes.client import V1PodTemplateSpec
 from kubernetes.client import V1Probe
@@ -1330,6 +1331,18 @@ def get_pod_template_spec(
                 pod_spec_kwargs[
                     "service_account_name"
                 ] = create_or_find_service_account_name(iam_role)
+                # PAASTA-16919: remove everything related to fs_group when
+                # https://github.com/aws/amazon-eks-pod-identity-webhook/issues/8
+                # will be fixed.
+                fs_group = self.get_fs_group()
+                if fs_group is None:
+                    # We need some reasoable default for group id of a process
+                    # running inside the container.  Seems like most of such
+                    # programs run as `nobody`, let's use that as a default.
+                    fs_group = 65534
+                pod_spec_kwargs["security_context"] = V1PodSecurityContext(
+                    fs_group=fs_group
+                )
         else:
             annotations["iam.amazonaws.com/role"] = self.get_iam_role()
 

diff --git a/paasta_tools/long_running_service_tools.py b/paasta_tools/long_running_service_tools.py
@@ -32,6 +32,7 @@ class LongRunningServiceConfigDict(InstanceConfigDict, total=False):
     drain_method: str
     iam_role: str
     iam_role_provider: str
+    fs_group: int
     container_port: int
     drain_method_params: Dict
     healthcheck_cmd: str
@@ -207,6 +208,9 @@ def get_iam_role(self) -> str:
     def get_iam_role_provider(self) -> str:
         return self.config_dict.get("iam_role_provider", "kiam")
 
+    def get_fs_group(self) -> Optional[int]:
+        return self.config_dict.get("fs_group")
+
     def get_healthcheck_uri(
         self, service_namespace_config: ServiceNamespaceConfig
     ) -> str: