⚠️ run BMO deployment as non-root (v2) #1242
Conversation
metal3-io-bot
added
the
size/L
|
/hold Until we have mariadb-image PR in, and testing via dev-env completed. |
metal3-io-bot
added
the
do-not-merge/hold
tuminoid
force-pushed
the
tuomo/bmo-nonroot-take2
branch
from
802b5f7
to
d16b95e
Compare
|
Mariadb PR should be good to merge, so it solves that. We still need to add support for old tags for mariadb/ironic in CI/dev-env before merging this, and then sync the release branches as necessary, and maybe then we can re-merge this. |
BMO ironic has no reason to run as root. Make it run as "ironic" user. dnsmasq requires elevated capabiities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation. Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md Add securityContext to BMO deployment manifest and keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared. Modify keepalived image to run as ironic user, which we use the same UID and GID as the ironic-image. This commit requires ironic-image with PR metal3-io/ironic-image#410 to be merged to work. This v2 of the PR fixes issues identified after merging 1st PR: - mariadb was missing securityContext and failed to run - keepalived changes were not backwards compatible, and due using only single tag for all versions, new image broke all release branches
tuminoid
force-pushed
the
tuomo/bmo-nonroot-take2
branch
from
d16b95e
to
ec66ee2
Compare
|
/test-ubuntu-integration-main /unhold |
metal3-io-bot
removed
the
do-not-merge/hold
|
/cc @elfosardo @kashifest @zaneb @lentzi90 /hold |
metal3-io-bot
added
the
do-not-merge/hold
|
/unhold |
metal3-io-bot
removed
the
do-not-merge/hold
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kashifest The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
metal3-io-bot
added
the
approved
BMO ironic has no reason to run as root. Make it run as "ironic" user.
dnsmasq requires elevated capabiities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation.
Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md
Add securityContext to BMO deployment manifest and keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared.
Modify keepalived image to run as ironic user, which we use the same UID and GID as the ironic-image.
This commit requires ironic-image with PR metal3-io/ironic-image#410
as well as mariadb-image PR metal3-io/mariadb-image#8
to be merged for this to work.
This v2 of the PR fixes issues identified after merging 1st PR:
NET_ADMINcapability is not in the default capability set, and having keepalived binary havenet_adminin its file capabilities prevents it from running if the container does not have this capability permitted.