Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[enterprise-logs] Run GEL as non-root user enterprise-logs #691

Merged
merged 2 commits into from
Sep 22, 2021
Merged

[enterprise-logs] Run GEL as non-root user enterprise-logs #691

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
96f4694
Ensure that Pods run as non-root user `enterprise-logs`
chaudum Sep 20, 2021
a736998
Bump chart enterprise-logs to version 1.1.1
chaudum Sep 20, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions charts/enterprise-logs/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,10 @@ Entries should be ordered as follows:

Entries should include a reference to the pull request that introduced the change.

## 1.1.1

- [BUGFIX] Ensure that Pods run as non-root user `enterprise-logs` (`uid=10001,gid=10001`). #690

## 1.1.0

* [CHANGE] Updated `loki-distributed` chart dependency to `^0.37.3`. #684
Expand Down
2 changes: 1 addition & 1 deletion charts/enterprise-logs/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: "v2"
name: "enterprise-logs"
type: application
version: "1.1.0"
version: "1.1.1"
appVersion: "v1.1.0"
kubeVersion: "^1.10.0-0"
description: "Grafana Enterprise Logs"
Expand Down
5 changes: 4 additions & 1 deletion charts/enterprise-logs/templates/admin-api/deployment-admin-api.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,8 +42,10 @@ spec:
priorityClassName: {{ .Values.adminApi.priorityClassName }}
{{- end }}
securityContext:
{{- toYaml .Values.adminApi.securityContext | nindent 8 }}
fsGroup: 10001
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand this correctly, this affects all containers in the Pod but I guess minio is fine with this as its user can still read the configuration that is mounted in. We need the Pod level SecurityContext to support the volumeMounts in the AdminAPI container because the Container SecurityContext doesn't affect the Pod Volumes.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right. fsGroup is only supported on the Pod spec, but not on container level. Since minio runs as root, this is ok.

vlad-diachenko marked this conversation as resolved.
Show resolved Hide resolved
initContainers:
# Taken from
# https://github.com/minio/charts/blob/a5c84bcbad884728bff5c9c23541f936d57a13b3/minio/templates/post-install-create-bucket-job.yaml
{{- if .Values.minio.enabled }}
- name: minio-mc
image: "{{ .Values.minio.mcImage.repository }}:{{ .Values.minio.mcImage.tag }}"
Expand Down Expand Up @@ -115,6 +117,7 @@ spec:
{{- toYaml .Values.adminApi.resources | nindent 12 }}
securityContext:
readOnlyRootFilesystem: true
{{- toYaml .Values.adminApi.securityContext | nindent 12 }}
env:
{{- if .Values.adminApi.env }}
{{ toYaml .Values.adminApi.env | nindent 12 }}
Expand Down
38 changes: 25 additions & 13 deletions charts/enterprise-logs/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -195,8 +195,10 @@ tokengen:
extraVolumes: []
# -- Additional volume mounts for Pods
extraVolumeMounts: []
# -- Run containers as user `enterprise-logs(uid=10001)`
securityContext:
runAsNonRoot: true
runAsGroup: 10001
runAsUser: 10001
fsGroup: 10001

Expand All @@ -210,14 +212,18 @@ adminApi:
labels: {}
# -- Additional annotations for the `admin-api` Deployment
annotations: {}

# -- Additional labels and annotations for the `admin-api` Service
service:
# -- Additional labels for the `admin-api` Service
labels: {}
# -- Additional annotations for the `admin-api` Service
annotations: {}
# -- Run container as user `enterprise-logs(uid=10001)`
# `fsGroup` must not be specified, because these security options are applied
# on container level not on Pod level.
securityContext:
runAsNonRoot: true
runAsGroup: 10001
runAsUser: 10001

securityContext: {}
strategy:
type: RollingUpdate

Expand Down Expand Up @@ -269,17 +275,20 @@ gateway:
labels: {}
# -- Additional annotations for the `gateway` Pod
annotations: {}

# -- Additional labels and annotations for the `gateway` Service
service:
# -- Additional labels for the `gateway` Service
labels: {}
# -- Additional annotations for the `gateway` Service
annotations: {}
# -- Run container as user `enterprise-logs(uid=10001)`
securityContext:
runAsNonRoot: true
runAsGroup: 10001
runAsUser: 10001
fsGroup: 10001

# If you want to use your own proxy URLs, set this to false.
useDefaultProxyURLs: true

securityContext: {}
strategy:
type: RollingUpdate

Expand Down Expand Up @@ -332,14 +341,17 @@ compactor:
labels: {}
# -- Additional annotations for the `compactor` Pod
annotations: {}

# -- Additional labels and annotations for the `compactor` Service
service:
# -- Additional labels for the `compactor` Service
labels: {}
# -- Additional annotations for the `compactor` Service
annotations: {}
# -- Run containers as user `enterprise-logs(uid=10001)`
securityContext:
runAsNonRoot: true
runAsGroup: 10001
runAsUser: 10001
fsGroup: 10001

securityContext: {}
strategy:
type: RollingUpdate

Expand Down Expand Up @@ -449,7 +461,7 @@ loki-distributed:
# RBAC configuration
rbac:
# -- If enabled, a PodSecurityPolicy is created
pspEnabled: false
pspEnabled: true

# -- Compactor is defined in parent chart
compactor:
Expand Down