diff --git a/PendingReleaseNotes.md b/PendingReleaseNotes.md
index 5f2f97cc2f598..6c166b07ff4e2 100644
--- a/PendingReleaseNotes.md
+++ b/PendingReleaseNotes.md
@@ -14,3 +14,5 @@ v1.8... to update to a newer version before updating to Rook v1.8. ## Features + +- The Rook Operator and the toolbox now run under the "rook" user and does not use "root" anymore.
diff --git a/cluster/charts/rook-ceph/templates/deployment.yaml b/cluster/charts/rook-ceph/templates/deployment.yaml
index 2af242a26bf5e..9eb1c46077da1 100644
--- a/cluster/charts/rook-ceph/templates/deployment.yaml
+++ b/cluster/charts/rook-ceph/templates/deployment.yaml
@@ -26,6 +26,10 @@ spec:
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args: ["ceph", "operator"]
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2016
+ runAsGroup: 2016
 volumeMounts:
 - mountPath: /var/lib/rook
 name: rook-config
diff --git a/cluster/examples/kubernetes/ceph/operator-openshift.yaml b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
index e6b31635815be..0f66f4a4c9caf 100644
--- a/cluster/examples/kubernetes/ceph/operator-openshift.yaml
+++ b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
@@ -433,6 +433,10 @@ spec:
 - name: rook-ceph-operator
 image: rook/ceph:master
 args: ["ceph", "operator"]
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2016
+ runAsGroup: 2016
 volumeMounts:
 - mountPath: /var/lib/rook
 name: rook-config
diff --git a/cluster/examples/kubernetes/ceph/operator.yaml b/cluster/examples/kubernetes/ceph/operator.yaml
index ad1f62ded6730..7aa55247e3f1a 100644
--- a/cluster/examples/kubernetes/ceph/operator.yaml
+++ b/cluster/examples/kubernetes/ceph/operator.yaml
@@ -354,6 +354,10 @@ spec:
 - name: rook-ceph-operator
 image: rook/ceph:master
 args: ["ceph", "operator"]
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2016
+ runAsGroup: 2016
 volumeMounts:
 - mountPath: /var/lib/rook
 name: rook-config
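Review bot: The new `securityContext` pins a non-root UID/GID but does not set `allowPrivilegeEscalation: false`, so a setuid binary in the image could still regain root; the same block is repeated in operator-openshift.yaml, operator.yaml and toolbox.yaml. Adding `allowPrivilegeEscalation: false` (and, if nothing in the image needs them, `capabilities: {drop: ["ALL"]}`) next to `runAsNonRoot: true` closes that gap. UID 2016 is now hard-coded in four manifests plus the Dockerfile; in the Helm chart it would be cleaner to read it from a chart value so the constant has one owner. On OpenShift a pinned `runAsUser` is only admitted if the operator's service account is bound to an SCC that allows that UID; the SCC definition in operator-openshift.yaml is outside this hunk, so that is worth confirming.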
diff --git a/cluster/examples/kubernetes/ceph/toolbox.yaml b/cluster/examples/kubernetes/ceph/toolbox.yaml
index 28edc958b4bf7..e16b328e972bb 100644
--- a/cluster/examples/kubernetes/ceph/toolbox.yaml
+++ b/cluster/examples/kubernetes/ceph/toolbox.yaml
@@ -22,6 +22,10 @@ spec:
 command: ["/tini"]
 args: ["-g", "--", "/usr/local/bin/toolbox.sh"]
 imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2016
+ runAsGroup: 2016
 env:
 - name: ROOK_CEPH_USERNAME
 valueFrom:
diff --git a/images/ceph/Dockerfile b/images/ceph/Dockerfile
index 56b1e731ceaae..5be85df229845 100644
--- a/images/ceph/Dockerfile
+++ b/images/ceph/Dockerfile
@@ -26,5 +26,10 @@ COPY rook toolbox.sh set-ceph-debug-level /usr/local/bin/
 COPY ceph-monitoring /etc/ceph-monitoring
 COPY rook-external /etc/rook-external/
 COPY ceph-csv-templates /etc/ceph-csv-templates
+RUN useradd rook -u 2016 # 2016 is the UID of the rook user and also the year of the first commit in the project
+RUN mkdir -p /var/lib/rook /etc/webhook
+RUN chown rook:rook /var/lib/rook /etc/webhook
+RUN chmod 755 /var/lib/rook /etc/webhook
+USER 2016
 ENTRYPOINT ["/tini", "--", "/usr/local/bin/rook"]
 CMD [""]
diff --git a/pkg/operator/ceph/cr_manager.go b/pkg/operator/ceph/cr_manager.go
index fa0f3ceb7761f..499c561d74b10 100644
--- a/pkg/operator/ceph/cr_manager.go
+++ b/pkg/operator/ceph/cr_manager.go
@@ -53,7 +53,7 @@ import (
 )
 const (
- certDir = "/etc/webhook"
+ certDir = "/etc/webhook/certs"
 )
 var (
diff --git a/pkg/operator/ceph/webhook.go b/pkg/operator/ceph/webhook.go
index f49a3a842801f..987bf35f7683a 100644
--- a/pkg/operator/ceph/webhook.go
+++ b/pkg/operator/ceph/webhook.go
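Review bot: `RUN useradd rook -u 2016` pins the UID but leaves the GID to useradd's defaults, while the manifests in this commit pin `runAsGroup: 2016`; unless the base image happens to hand out GID 2016, `chown rook:rook` gives the two directories to a different group than the one the pod runs with. Making it explicit removes the dependency on distro defaults: `RUN groupadd -g 2016 rook && useradd -u 2016 -g 2016 -M rook`. The `chown`/`chmod` of `/var/lib/rook` is also shadowed at runtime by the `mountPath: /var/lib/rook` volume every manifest mounts there, so only `/etc/webhook` actually benefits; for that directory, which receives the webhook secret files written with mode 0400, `chmod 700` would match the `0700` used by `os.MkdirAll` in webhook.go. Any other path the operator or toolbox.sh writes at runtime is not visible in this diff and would now fail with EACCES instead of silently succeeding as root.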
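Review bot: `certDir` now names a subdirectory the image does not pre-create: images/ceph/Dockerfile in this commit only creates and chowns `/etc/webhook`, so the constant depends on the `os.MkdirAll(certDir, 0700)` call added in webhook.go to exist at runtime, and that coupling is not recorded anywhere. A doc comment on the constant would make it explicit, e.g. `// certDir holds the admission webhook TLS material; it is created at runtime (see webhook.go) under /etc/webhook, which the image chowns to the rook user so a non-root operator can write it.` The surrounding `const (` block continues outside the hunk.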
@@ -59,6 +59,9 @@ func isSecretPresent(ctx context.Context, context *clusterd.Context) (bool, erro
 logger.Infof("admission webhook secret %q found", admissionControllerAppName)
 for k, data := range s.Data {
+ if err = os.MkdirAll(certDir, 0700); err != nil {
+ return false, errors.Wrapf(err, "failed to create webhook certificate directory %q", certDir)
+ }
 path := fmt.Sprintf("%s/%s", certDir, k)
 err := ioutil.WriteFile(path, data, 0400)
 if err != nil {
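Review bot: Now that the operator runs as UID 2016, `ioutil.WriteFile(path, data, 0400)` on the next line can no longer overwrite a file it wrote earlier — a non-root owner gets EACCES opening a 0400 file for writing, whereas root bypassed that check — so if isSecretPresent is reached a second time in the same container (e.g. on secret rotation; the call sites are not visible here) it will now fail instead of refreshing the material. The added `os.MkdirAll` also sits inside the `for k, data := range s.Data` loop and is re-run per key; it belongs before the loop. Removing any stale copy before the write keeps the 0400 mode while making the function re-runnable as non-root. isSecretPresent starts and ends outside this hunk.
```go
	// … unchanged: secret lookup and log line …
	if err = os.MkdirAll(certDir, 0700); err != nil {
		return false, errors.Wrapf(err, "failed to create webhook certificate directory %q", certDir)
	}
	for k, data := range s.Data {
		path := fmt.Sprintf("%s/%s", certDir, k)
		// A 0400 file cannot be reopened for writing by its non-root owner, so drop any previous copy first.
		if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
			return false, errors.Wrapf(err, "failed to remove stale webhook certificate file %q", path)
		}
		err := ioutil.WriteFile(path, data, 0400)
		if err != nil {
```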