-
Notifications
You must be signed in to change notification settings - Fork 266
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
use securitycontext with the *-check pods #400
Comments
Hey @davidkarlsen! Thanks for reporting in. We finally got Kuberhealthy listed as a private repository and people can use @jdowni000 is working on adding security scans for Dockerfiles in issue #401 (already in progress but no issue existed). I also created issue #402 to explicitly track the migration of all images to non-root users. |
please note that securityContext != securityScan - and Kubernetes does not really care about the The securityContext controls the UID of the process and would fix the issue I reported. Also I can recommend running the container with |
As a happy OpenShift (OCP) user I thought i would add some extra input, was just going to create a issue about this. Error creating: pods "ds-check-daemonset-1586161692-1586161705-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1000670000, 1000679999]] I agree that I think that you should write a securityContext but we should put it ether as Or make it configurable through a env or something like that. |
as long as it's in a section in the values.yaml the end-user can easily set it to the configuration they want. |
Oh, I see. So fixing #401 and #402 were not particularly helpful for fixing this issue. It does appear that kubernetes will always run pods as root, even if the So then, it seems like the best fix here is to add the following to all of our Under main pod spec (pod security context):
In the check container spec (within pod spec security context):
(I also threw in the @2infinitee could you check this one out? |
Now stuff went a bit to quick. Even if you change the sercuritContext and make it harder to break out of the container itself you still shouldn't run a container as root since it still give potential hackers to play around way to much in the container itself. |
I haven't thought about this earlier but I hit the issue when i reinstalled one of my clusters. https://docs.openshift.com/container-platform/4.3/authentication/managing-security-context-constraints.html#security-context-constraints-example_configuring-internal-oauth scroll down to the "Without explicit runAsUser setting" and you will see a explanation plus this: "The admission plug-in will look for the openshift.io/sa.scc.uid-range annotation on the current project to populate range fields, as it does not provide this range. In the end, a container will have runAsUser equal to the first value of the range that is hard to predict because every project has different ranges." More or less if we force securityContext.runAsUser on all pods it will be rather hard to use from my point of view. Ideally we should come up with a solution where we can send config to the final pod being created and not just the deployment/job/ds etc and not use environment variabels since it wont scale for long. I currently don't have a good idea have to achieve that. |
I potentially came up with an idea on how to easily send data to the images we should start without having to rewrite big parts of the kuberhealthy and we can still be backwards compatible. I think the solution is that we add a feature to all the checks to take a configmap as input that contains a good old pod config. We add the feature in the CRD to take the name of a configmap as input. For example lets say that we want to have more memory in my pod apiVersion: v1
We can parse the config file with help of the k8s lib and check vs the defaults that we have written in the code. If the differ we just change them. We are still backwards compatible since we don't need to get any configmap and the ENV config that we can send in can still overwrite the configmap. We can also overwrite any default values that we want. For example: securityContext: {} What do you think? |
@NissesSenap thanks for the suggestions, I'll take this back to the team and see what inputs they have as well. |
Closing issue. Changes have been merged. |
Describe the feature you would like and why you want it
The checker pods fails our pod security policy because they run as priv. user.
Additional context
The text was updated successfully, but these errors were encountered: