Commit
BMO ironic has no reason to run as root. Make it run as the "ironic" user.

dnsmasq requires elevated capabilities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with the expected capabilities, and the container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation. Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md

Add securityContext to the BMO deployment manifest and the keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared.

Modify the keepalived image to run as the ironic user, using the same UID and GID as the ironic-image.

This commit requires ironic-image with PR metal3-io/ironic-image#410 to be merged to work.
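The mechanism the commit message relies on (file capabilities set with setcap, plus allowPrivilegeEscalation: true, because pods cannot yet hand out ambient capabilities) can be checked with a small model of the execve() capability transition from capabilities(7). This is an added example, not code from this commit or the metal3 project. It assumes a non-root container process that starts with empty permitted, inheritable and ambient sets, a runtime default bounding set that contains NET_RAW but not NET_ADMIN or NET_BROADCAST, and it leaves out the setuid and ptrace rules; the securityContext dicts and the `DEFAULT_RUNTIME_CAPS` list are constructed for the example.

```python
"""Model of the execve() capability transition from capabilities(7), applied to a
binary carrying the file caps the build script puts on /usr/sbin/keepalived.
Added example, not project code.  Assumed: non-root caller with empty
permitted/inheritable/ambient sets (a non-root container process); setuid and
ptrace rules are omitted."""
from dataclasses import dataclass

# Capability bit numbers from <linux/capability.h> (only the ones used here).
CAP = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3, "CAP_FSETID": 4,
    "CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_SYS_CHROOT": 18, "CAP_MKNOD": 27,
    "CAP_AUDIT_WRITE": 29, "CAP_SETFCAP": 31,
}


def mask(*names):
    """Bitmask for the named capabilities."""
    return sum(1 << CAP[n] for n in names)


def cap_names(bits):
    """Sorted names of the capabilities present in a bitmask."""
    return sorted(n for n, b in CAP.items() if bits >> b & 1)


# What `setcap cap_net_raw,cap_net_broadcast,cap_net_admin=+eip` writes: fP = fI, fE = 1.
KEEPALIVED_FCAPS = mask("CAP_NET_RAW", "CAP_NET_BROADCAST", "CAP_NET_ADMIN")

# Assumed runtime default bounding set (constructed): NET_RAW is in, NET_ADMIN and
# NET_BROADCAST are not.
DEFAULT_RUNTIME_CAPS = mask(
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
)


@dataclass
class ProcCaps:
    bounding: int
    inheritable: int = 0
    permitted: int = 0
    ambient: int = 0
    no_new_privs: bool = False  # what allowPrivilegeEscalation: false turns on


class ExecDenied(PermissionError):
    """execve() returns EPERM for a capability-dumb binary it cannot fully empower."""


def exec_transition(proc, f_permitted=0, f_inheritable=0, f_effective=False):
    """Return (permitted, effective) of the new program, per capabilities(7)."""
    has_fcap = bool(f_permitted or f_inheritable)
    # pP' = (X & fP) | (pI & fI), X being the bounding set
    new_perm = (proc.bounding & f_permitted) | (proc.inheritable & f_inheritable)
    # Effective bit set but a file-permitted cap is unobtainable: the kernel refuses
    # to exec rather than start the binary half-privileged.
    if f_effective and f_permitted & ~new_perm:
        raise ExecDenied("not in bounding set: " + ", ".join(cap_names(f_permitted & ~new_perm)))
    # no_new_privs: the new program may not gain permitted caps over the caller.
    if proc.no_new_privs and new_perm & ~proc.permitted:
        new_perm &= proc.permitted
    # File caps cancel the ambient set; otherwise ambient caps survive execve.
    new_amb = 0 if has_fcap else proc.ambient
    new_perm |= new_amb
    new_eff = new_perm if f_effective else new_amb
    return new_perm, new_eff


def proc_from_security_context(sc, runtime_default=DEFAULT_RUNTIME_CAPS):
    """Pre-exec capability state of a non-root container from a Kubernetes container
    securityContext (only capabilities and allowPrivilegeEscalation are read;
    allowPrivilegeEscalation defaults to true)."""
    caps = sc.get("capabilities", {})
    drop, add = caps.get("drop", []), caps.get("add", [])
    bounding = 0 if "ALL" in drop else runtime_default
    for n in drop:
        if n != "ALL":
            bounding &= ~mask("CAP_" + n)
    for n in add:
        bounding |= mask("CAP_" + n)
    return ProcCaps(bounding=bounding, no_new_privs=not sc.get("allowPrivilegeEscalation", True))


def run_keepalived(sc):
    """Effective caps keepalived ends up with, or "EPERM" if execve itself fails."""
    try:
        _, eff = exec_transition(proc_from_security_context(sc), f_permitted=KEEPALIVED_FCAPS,
                                 f_inheritable=KEEPALIVED_FCAPS, f_effective=True)
    except ExecDenied:
        return "EPERM"
    return cap_names(eff)


def keepalived_scenarios():
    """Constructed securityContext variants and what keepalived gets under each."""
    add = {"capabilities": {"add": ["NET_ADMIN", "NET_BROADCAST", "NET_RAW"]}}
    results = {
        # caps missing from the bounding set: exec fails with EPERM
        "default_runtime_caps": run_keepalived({"allowPrivilegeEscalation": True}),
        # caps added and escalation allowed: the setcap'd binary gets them
        "caps_added_escalation_allowed": run_keepalived({**add, "allowPrivilegeEscalation": True}),
        # escalation denied: the binary starts, but every cap is stripped again
        "caps_added_escalation_denied": run_keepalived({**add, "allowPrivilegeEscalation": False}),
    }
    # The KEP's feature: ambient caps need neither setcap nor allowPrivilegeEscalation: true.
    ambient = ProcCaps(bounding=KEEPALIVED_FCAPS, inheritable=KEEPALIVED_FCAPS,
                       permitted=KEEPALIVED_FCAPS, ambient=KEEPALIVED_FCAPS, no_new_privs=True)
    results["ambient_caps_no_setcap"] = cap_names(exec_transition(ambient)[1])
    return results


if __name__ == "__main__":
    for name, outcome in keepalived_scenarios().items():
        print(f"{name:32} {outcome}")
```

The two failure modes differ in where they surface: without the three capabilities in `securityContext.capabilities.add`, the container never starts because execve rejects the binary; with them added but `allowPrivilegeEscalation: false`, keepalived starts and only fails later when it opens its VRRP sockets without CAP_NET_RAW.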
Showing 5 changed files with 236 additions and 142 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
#!/bin/bash | ||
|
||
set -eux | ||
|
||
# create nonroot image matching the keepalived manifest | ||
NONROOT_USER="nonroot" | ||
NONROOT_GROUP="nonroot" | ||
NONROOT_UID=65532 | ||
NONROOT_GID=65532 | ||
|
||
# run as non-root, allow editing the keepalive.conf during startup | ||
groupadd -g "${NONROOT_GID}" "${NONROOT_GROUP}" | ||
useradd -u "${NONROOT_UID}" -g "${NONROOT_GID}" -m "${NONROOT_USER}" | ||
|
||
mkdir -p /run/keepalived | ||
chown -R root:"${NONROOT_GROUP}" /etc/keepalived /run/keepalived | ||
chmod 2775 /etc/keepalived /run/keepalived | ||
chmod 664 /etc/keepalived/keepalived.conf | ||
|
||
setcap "cap_net_raw,cap_net_broadcast,cap_net_admin=+eip" /usr/sbin/keepalived |
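Review bot: the `setcap "cap_net_raw,cap_net_broadcast,cap_net_admin=+eip" /usr/sbin/keepalived` line only works if the pod also puts those three capabilities in the container's bounding set and leaves no_new_privs off: with the effective bit set, execve fails with EPERM as soon as one file-permitted capability is missing from the bounding set, and with allowPrivilegeEscalation: false the gained capabilities are dropped again silently. The keepalived manifest is not part of this hunk, so please confirm it adds NET_RAW, NET_BROADCAST and NET_ADMIN under securityContext.capabilities.add next to allowPrivilegeEscalation: true. Two smaller points: `chmod 664 /etc/keepalived/keepalived.conf` runs under `set -eux` and aborts the build if the config file has not been copied in before this script, and the script creates a `nonroot` user with UID/GID 65532 while the commit message says keepalived runs as the `ironic` user with the ironic-image's UID and GID, so one of the two should be aligned.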
4908f57
Just bringing this up here...
By changing this for the deployment, if you include mariadb in the pod (as per the mariadb, tls and keepalived deployment), it will fail to start because it doesn't have a securityContext set.
It'll complain about a config error first. If you try to set the same as the rest of the pod, it'll fail to log to /var/lib.
The solution is to add:
To the mariadb yaml.