ceph: run operator with rook user

The rook operator as well as the toolbox pod run with the "rook" user with UID 2016. The UID was chosen based on the year of the initial commit in the rook/rook repository. No more root user running. Closes: #8734 Signed-off-by: Sébastien Han <seb@redhat.com>
rook · Sep 24, 2021 · 9745ef0 · 9745ef0
1 parent 12506c7
commit 9745ef0
Show file tree

Hide file tree

Showing 8 changed files with 27 additions and 1 deletion.
diff --git a/PendingReleaseNotes.md b/PendingReleaseNotes.md
@@ -14,3 +14,5 @@ v1.8...
   to update to a newer version before updating to Rook v1.8.
 
 ## Features
+
+- The Rook Operator and the toolbox now run under the "rook" user and does not use "root" anymore.
diff --git a/cluster/charts/rook-ceph/templates/deployment.yaml b/cluster/charts/rook-ceph/templates/deployment.yaml
@@ -26,6 +26,10 @@ spec:
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         args: ["ceph", "operator"]
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 2016
+          runAsGroup: 2016
         volumeMounts:
         - mountPath: /var/lib/rook
           name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/operator-openshift.yaml b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
@@ -433,6 +433,10 @@ spec:
         - name: rook-ceph-operator
           image: rook/ceph:master
           args: ["ceph", "operator"]
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
+            runAsGroup: 2016
           volumeMounts:
             - mountPath: /var/lib/rook
               name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/operator.yaml b/cluster/examples/kubernetes/ceph/operator.yaml
@@ -354,6 +354,10 @@ spec:
         - name: rook-ceph-operator
           image: rook/ceph:master
           args: ["ceph", "operator"]
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
+            runAsGroup: 2016
           volumeMounts:
             - mountPath: /var/lib/rook
               name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/toolbox.yaml b/cluster/examples/kubernetes/ceph/toolbox.yaml
@@ -22,6 +22,10 @@ spec:
           command: ["/tini"]
           args: ["-g", "--", "/usr/local/bin/toolbox.sh"]
           imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
+            runAsGroup: 2016
           env:
             - name: ROOK_CEPH_USERNAME
               valueFrom:

diff --git a/images/ceph/Dockerfile b/images/ceph/Dockerfile
@@ -26,5 +26,10 @@ COPY rook toolbox.sh set-ceph-debug-level /usr/local/bin/
 COPY ceph-monitoring /etc/ceph-monitoring
 COPY rook-external /etc/rook-external/
 COPY ceph-csv-templates /etc/ceph-csv-templates
+RUN useradd rook -u 2016 # 2016 is the UID of the rook user and also the year of the first commit in the project
+RUN mkdir -p /var/lib/rook /etc/webhook
+RUN chown rook:rook /var/lib/rook /etc/webhook
+RUN chmod 755 /var/lib/rook /etc/webhook
+USER 2016
 ENTRYPOINT ["/tini", "--", "/usr/local/bin/rook"]
 CMD [""]
diff --git a/pkg/operator/ceph/cr_manager.go b/pkg/operator/ceph/cr_manager.go
@@ -53,7 +53,7 @@ import (
 )
 
 const (
-	certDir = "/etc/webhook"
+	certDir = "/etc/webhook/certs"
 )
 
 var (

diff --git a/pkg/operator/ceph/webhook.go b/pkg/operator/ceph/webhook.go
@@ -59,6 +59,9 @@ func isSecretPresent(ctx context.Context, context *clusterd.Context) (bool, erro
 
 	logger.Infof("admission webhook secret %q found", admissionControllerAppName)
 	for k, data := range s.Data {
+		if err = os.MkdirAll(certDir, 0700); err != nil {
+			return false, errors.Wrapf(err, "failed to create webhook certificate directory %q", certDir)
+		}
 		path := fmt.Sprintf("%s/%s", certDir, k)
 		err := ioutil.WriteFile(path, data, 0400)
 		if err != nil {