Kiali Operator deployment in Kubernets missing security Context in Kiali CR

[Vineeth-varma]

Hi Team,

I am Using kiali Operator helm charts and I observed that kiali CR image is hard coded to run with root user,
We actually provide this configuration to kubernetes deployments to change the default behaviour.

securityContext:
  runAsUSer:
  runAsGroup:

But I didnt find a way to do this for kiali CR can anyone suggest please?

Thanks

[jmazzitelli]

I observed that kiali CR image is hard coded to run with root user,

You did not mention what version of Kiali you are using or on what Kubernetes cluster (vendor/version) you have. I will assume the latest Kiali (1.47) and Kubernetes 1.22 (I'm using Minikube 1.24 with Kubernetes v1.22).

In this case it should not be true that Kiali is "run with root user."

If by "kiali CR image" you mean the container image that is run in the Kiali Server pod, then since version v1.35 you will see that Kiali does not run as root. When the operator installs the Kiali Server deployment, it gets this:

https://github.com/kiali/kiali-operator/blob/v1.47.0/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml#L58-L62

        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true

So it runs explicitly as non-root. This is fixed - you cannot configure the securityContext of the Kiali pod from the Kiali CR. You must run it as non-root with no privileges and no privilege escalation, as you see above.

You can see the value of your running Kiali server pod's securityContext runAsNonRoot by executing this command (assuming you installed it in istio-system namespace - change that according to your namespace if it is different):

$ kubectl get pod -n istio-system -l app.kubernetes.io/name=kiali -o jsonpath={.items[0].spec.containers[0].securityContext.runAsNonRoot}; echo
true

That will output true. You can see the full securityContext like this (remove | jq if you don't have jq installed - that just nicely formats the output).

$ kubectl get pod -n istio-system -l app.kubernetes.io/name=kiali -o jsonpath={.items[0].spec.containers[0].securityContext} | jq
{
  "allowPrivilegeEscalation": false,
  "privileged": false,
  "readOnlyRootFilesystem": true,
  "runAsNonRoot": true
}

FYI: This behavior changed in v1.35 (as you see here in this commit). So if you are using Kiali 1.34 or below, then you need to upgrade to at least Kiali v1.35 to get this non-root securityContext.

And just for completeness, the operator also runs as non-root. Run this command to see that (note: I installed the operator in kiali-operator namespace - change that namespace if yours is different):

$ kubectl get pod -n kiali-operator -l app.kubernetes.io/name=kiali-operator -o jsonpath={.items[0].spec.containers[0].securityContext.runAsNonRoot}; echo
true

[Vineeth-varma]

Thank you very much for the info @jmazzitelli