
The pods started by mysql operator run as root #291

Closed

surajssd opened this issue Apr 4, 2019 · 1 comment

surajssd (Contributor) commented Apr 4, 2019

The pods started by mysql operator, which form the local mysql cluster, run as root. To allow the pods to run in my environment, which has PSP enabled, I had to give the following PSP config for it to work.

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mysql-cluster
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - KILL
  - MKNOD
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  - 'hostPath'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
  readOnlyRootFilesystem: false

If you look specifically, I had to allow any user on the pod:

  runAsUser:
    rule: 'RunAsAny'

When it was the following, the pod would go into CrashLoopBackOff:

  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 99999

Is there a way to run the services in all the containers as non-root?
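As an added example (not from the issue or the mysql-operator project), a small Python model of how a PSP `runAsUser` rule is applied to a container that does not set `runAsUser` itself, which is the situation the two snippets above describe: `RunAsAny` leaves the image's own user in place, while `MustRunAs` with a 1-99999 range admits the pod but injects the range minimum (uid 1) as the default, so the container no longer starts as the user the image expects. The rule names and ranges are the ones from the policy above; `RunAsUserRule`, `admit` and `demo` are this example's own helpers.

```python
"""Model of the documented PodSecurityPolicy runAsUser semantics:
RunAsAny imposes nothing; MustRunAs validates against the ranges and
defaults an unset uid to the minimum of the first range; MustRunAsNonRoot
rejects uid 0 and otherwise defers to the image's numeric USER.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RunAsUserRule:
    rule: str                                   # 'RunAsAny' | 'MustRunAs' | 'MustRunAsNonRoot'
    ranges: List[Tuple[int, int]] = field(default_factory=list)


def admit(rule: RunAsUserRule, pod_uid: Optional[int], container_uid: Optional[int]):
    """Return (admitted, effective_uid) for one container.

    effective_uid is None when the policy neither set nor constrained the
    uid, so the image's USER directive decides what the process runs as.
    """
    uid = container_uid if container_uid is not None else pod_uid
    if rule.rule == "RunAsAny":
        return True, uid                        # no default, no validation
    if rule.rule == "MustRunAsNonRoot":
        if uid == 0:
            return False, uid                   # explicit root is rejected
        # unset uid: runAsNonRoot=true is injected and the kubelet refuses to
        # start the container unless the image declares a numeric non-zero USER
        return True, uid
    if rule.rule == "MustRunAs":
        if not rule.ranges:
            return False, uid                   # rule requires at least one range
        if uid is None:
            uid = rule.ranges[0][0]             # mutated to the minimum of the first range
        return any(lo <= uid <= hi for lo, hi in rule.ranges), uid
    raise ValueError(f"unknown runAsUser rule {rule.rule!r}")


# The two policies from the issue (constructed inputs: the operator's pods set no runAsUser).
RUN_AS_ANY = RunAsUserRule("RunAsAny")
MUST_RUN_AS = RunAsUserRule("MustRunAs", [(1, 99999)])


def demo():
    return {
        "RunAsAny, uid unset": admit(RUN_AS_ANY, None, None),    # (True, None): image user, root here
        "MustRunAs, uid unset": admit(MUST_RUN_AS, None, None),  # (True, 1): admitted, but starts as uid 1
        "MustRunAs, uid 0": admit(MUST_RUN_AS, 0, None),         # (False, 0): rejected at admission
        "MustRunAs, uid 1001": admit(MUST_RUN_AS, None, 1001),   # (True, 1001): container-level uid wins
    }
```

The second case is the one to watch for: the pod is not rejected, it is silently mutated, so a crash loop rather than an admission error is what surfaces when the image needs a different user.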

surajssd (Contributor, Author) commented:

@AMecea this is still open presslabs/docker-orchestrator#5 can you review that?
