From d0a1eb6f8e6e3858b94ba5008c02b6291b0a4529 Mon Sep 17 00:00:00 2001
From: Valeriy Khromov
Date: Thu, 13 Aug 2020 07:43:48 -0700
Subject: [PATCH] Workaround for AWS pod identity and non-root programs
AWS pod identity creates a token with `0600` permissions and `root:root`:
```
-rw------- 1 root root 1498 Aug 13 12:47 /run/secrets/eks.amazonaws.com/serviceaccount/..2020_08_13_12_47_11.793276204/token
```
This prevents programs running inside containers using a non-root account to read the token. See [1] for details. This CR working around that by adding
```
securityContext:
fsGroup: 65534
```
into the pod spec. After that the token is owned by the given group and has `0640` permissions:
```
-rw-r----- 1 root nobody 1498 Aug 13 14:20 /run/secrets/eks.amazonaws.com/serviceaccount/..2020_08_13_14_20_31.793276204/token
```
The id of the group can be changed via the `fs_group` service parameter.
[1] https://github.com/aws/amazon-eks-pod-identity-webhook/issues/8
---
paasta_tools/cli/schemas/kubernetes_schema.json | 3 +++
paasta_tools/kubernetes_tools.py | 13 +++++++++++++
paasta_tools/long_running_service_tools.py | 4 ++++
3 files changed, 20 insertions(+)
diff --git a/paasta_tools/cli/schemas/kubernetes_schema.json b/paasta_tools/cli/schemas/kubernetes_schema.json
index e0afedceb5..f1e1841461 100644
--- a/paasta_tools/cli/schemas/kubernetes_schema.json
+++ b/paasta_tools/cli/schemas/kubernetes_schema.json
@@ -539,6 +539,9 @@
 "aws"
 ]
 },
+ "fs_group": {
+ "type": "int"
+ },
 "healthcheck_mode": {
 "enum": [
 "cmd",
diff --git a/paasta_tools/kubernetes_tools.py b/paasta_tools/kubernetes_tools.py
index 6c7478199a..e1ae914ddc 100644
--- a/paasta_tools/kubernetes_tools.py
+++ b/paasta_tools/kubernetes_tools.py
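Review bot: `"type": "int"` in the added `fs_group` property is not a JSON Schema type; the keyword is `"integer"`. A validator that checks the schema against its metaschema will reject the whole kubernetes schema, and one that does not will never constrain `fs_group` at all, so a string or float in a service config would pass straight through to the pod spec. Change the property to `"fs_group": {"type": "integer", "minimum": 0}`; the `minimum` also rejects negative gids at config-validation time instead of leaving them to be refused by the API server at deploy time.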
@@ -77,6 +77,7 @@
 from kubernetes.client import V1Pod
 from kubernetes.client import V1PodAffinityTerm
 from kubernetes.client import V1PodAntiAffinity
+from kubernetes.client import V1PodSecurityContext
 from kubernetes.client import V1PodSpec
 from kubernetes.client import V1PodTemplateSpec
 from kubernetes.client import V1Probe
@@ -1330,6 +1331,18 @@ def get_pod_template_spec(
 pod_spec_kwargs[
 "service_account_name"
 ] = create_or_find_service_account_name(iam_role)
+ # PAASTA-16919: remove everything related to fs_group when
+ # https://github.com/aws/amazon-eks-pod-identity-webhook/issues/8
+ # will be fixed.
+ fs_group = self.get_fs_group()
+ if fs_group is None:
+ # We need some reasoable default for group id of a process
+ # running inside the container. Seems like most of such
+ # programs run as `nobody`, let's use that as a default.
+ fs_group = 65534
+ pod_spec_kwargs["security_context"] = V1PodSecurityContext(
+ fs_group=fs_group
+ )
 else:
 annotations["iam.amazonaws.com/role"] = self.get_iam_role()
diff --git a/paasta_tools/long_running_service_tools.py b/paasta_tools/long_running_service_tools.py
index d37e4dee05..ab823fbc1c 100644
--- a/paasta_tools/long_running_service_tools.py
+++ b/paasta_tools/long_running_service_tools.py
@@ -32,6 +32,7 @@ class LongRunningServiceConfigDict(InstanceConfigDict, total=False):
 drain_method: str
 iam_role: str
 iam_role_provider: str
+ fs_group: int
 container_port: int
 drain_method_params: Dict
 healthcheck_cmd: str
@@ -207,6 +208,9 @@ def get_iam_role(self) -> str:
 def get_iam_role_provider(self) -> str:
 return self.config_dict.get("iam_role_provider", "kiam")
+ def get_fs_group(self) -> Optional[int]:
+ return self.config_dict.get("fs_group")
+
 def get_healthcheck_uri(
 self, service_namespace_config: ServiceNamespaceConfig
 ) -> str:
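Review bot: The new `V1PodSecurityContext(fs_group=...)` is pod-wide, but the comment above it only talks about the pod-identity token: Kubernetes applies `fsGroup` to every volume type that honours it (secret, configMap, projected, emptyDir and most persistent volumes), so every such mount in the pod becomes group-owned by the chosen gid with group read access, and that gid is added as a supplemental group of every container process. That widened access should be stated where the value is set, e.g. `# fsGroup applies to all fsGroup-aware volumes in the pod, not only the identity token: their group becomes fs_group and they are made group-readable.` The default-branch comment also misspells `reasoable` (`reasonable`), and `65534` would read better as a named module constant than as a literal inside the builder. The enclosing `if` that selects this branch, and `get_pod_template_spec` itself, begin and end outside the hunk.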
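Review bot: `get_fs_group` returns `None` when the key is unset and leaves the default to its caller in kubernetes_tools, so the accessor should carry a docstring stating that split contract: `"""Return the ``fs_group`` service parameter, or None when unset; the caller chooses the default gid."""`. The annotation uses `Optional` while the hunk adds no import; if `Optional` is not already imported from `typing` in this module the file will fail at import time, so please confirm. The accessor does no type check of its own, which is fine only if the JSON schema for `fs_group` actually enforces an integer.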