⚠️ run BMO deployment as non-root (v2) #1242
/hold Until we have mariadb-image PR in, and testing via dev-env completed.
802b5f7 to d16b95e
Mariadb PR should be good to merge, so it solves that. We still need to add support for old tags for mariadb/ironic in CI/dev-env before merging this, and then sync the release branches as necessary, and maybe then we can re-merge this.

BMO ironic has no reason to run as root. Make it run as "ironic" user.

dnsmasq requires elevated capabilities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation.

Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md

Add securityContext to BMO deployment manifest and keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared.

Modify keepalived image to run as ironic user, which we use the same UID and GID as the ironic-image.

This commit requires ironic-image with PR metal3-io/ironic-image#410 to be merged to work.

This v2 of the PR fixes issues identified after merging 1st PR:
- mariadb was missing securityContext and failed to run
- keepalived changes were not backwards compatible, and due using only single tag for all versions, new image broke all release branches
d16b95e to ec66ee2

/test-ubuntu-integration-main /unhold

/cc @elfosardo @kashifest @zaneb @lentzi90 /hold

/unhold
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kashifest The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
BMO ironic has no reason to run as root. Make it run as "ironic" user.
dnsmasq requires elevated capabilities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation.
Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md
Add securityContext to BMO deployment manifest and keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared.
Modify keepalived image to run as ironic user, which we use the same UID and GID as the ironic-image.
This commit requires ironic-image with PR metal3-io/ironic-image#410
as well as mariadb-image PR metal3-io/mariadb-image#8
to be merged for this to work.
This v2 of the PR fixes issues identified after merging 1st PR:
NET_ADMIN capability is not in the default capability set, and having the keepalived binary have net_admin in its file capabilities prevents it from running if the container does not have this capability permitted.
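The pattern the commit message describes, as an added illustration that is not the PR's own manifest: a trimmed Deployment where the pod runs as one non-root identity so files in /shared are readable by every container, and the keepalived container is the only one allowed to pick up the cap_net_admin file capability that setcap placed on its binary. Because Kubernetes has no ambient capabilities, a non-root process can only gain a file capability that is in its bounding set (hence `capabilities.add: NET_ADMIN`) and only if no_new_privs is not set on it (hence `allowPrivilegeEscalation: true`). The Deployment name, image references and the UID/GID value are placeholders; substitute the ironic user's actual UID and GID from the ironic-image.

```yaml
# Added illustration, not the PR's manifest. Names, images and the UID/GID
# (10001) are placeholders; use the ironic user's real UID/GID.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-non-root          # placeholder name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-non-root
  template:
    metadata:
      labels:
        app: example-non-root
    spec:
      # Pod-level identity: every container runs as the same non-root user
      # and group, so whatever one of them writes into /shared the others
      # can read. fsGroup makes the shared volume group-owned accordingly.
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001           # placeholder: ironic user's UID
        runAsGroup: 10001          # placeholder: ironic user's GID
        fsGroup: 10001             # placeholder: ironic user's GID
      volumes:
        - name: shared
          emptyDir: {}
      containers:
        - name: ironic
          image: ironic-image:placeholder
          volumeMounts:
            - name: shared
              mountPath: /shared
          securityContext:
            # Nothing in this container needs to raise privileges, so keep
            # no_new_privs set and an empty bounding set.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
        - name: keepalived
          image: keepalived-image:placeholder
          volumeMounts:
            - name: shared
              mountPath: /shared
          securityContext:
            # The binary carries cap_net_admin=ep as a file capability.
            # Without ambient capabilities the non-root process only gains
            # it on execve if NET_ADMIN is in the bounding set ("add") and
            # the container was not started with no_new_privs, which is
            # what allowPrivilegeEscalation: true leaves unset.
            allowPrivilegeEscalation: true
            capabilities:
              drop: ["ALL"]
              add: ["NET_ADMIN"]
```

To confirm the keepalived container is set up as intended, `getcap` on the binary inside the image should report `cap_net_admin=ep`, and `grep Cap /proc/self/status` from a shell in the running container should show a `CapBnd` mask with bit 12 (`0x1000`, CAP_NET_ADMIN) set; if `add` is omitted that bit is cleared and the binary fails to start, which is the failure the commit message describes.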