Run as non-privilege and non-root user

This changeset set `securityContext` as non-privilege and non-root user for IDS controller, prometheus, and kibana pods. It fixes an enterprise component developmend issue on CIS profile hardened RKE2 cluster. When the container is running as root or non-numeric user (nobody or kibana), it failed non-root validation.
tigera · Jun 22, 2022 · 1a69e50 · 1a69e50
1 parent 7c34764
commit 1a69e50
Show file tree

Hide file tree

Showing 12 changed files with 86 additions and 38 deletions.
diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
@@ -34,9 +34,9 @@ import (
 	"github.com/tigera/operator/pkg/ptr"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 	"github.com/tigera/operator/pkg/render/common/podaffinity"
-	"github.com/tigera/operator/pkg/render/common/podsecuritycontext"
 	"github.com/tigera/operator/pkg/render/common/podsecuritypolicy"
 	"github.com/tigera/operator/pkg/render/common/secret"
+	"github.com/tigera/operator/pkg/render/common/securitycontext"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
 )
 
@@ -933,7 +933,7 @@ func (c *apiServerComponent) queryServerContainer() corev1.Container {
 			InitialDelaySeconds: 90,
 			PeriodSeconds:       10,
 		},
-		SecurityContext: podsecuritycontext.NewBaseContext(),
+		SecurityContext: securitycontext.NewBaseContext(),
 	}
 	return container
 }

diff --git a/pkg/render/aws-securitygroup-setup.go b/pkg/render/aws-securitygroup-setup.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 Tigera, Inc. All rights reserved.
+// Copyright (c) 2019,2022 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -25,7 +25,7 @@ import (
 	"github.com/tigera/operator/pkg/common"
 	"github.com/tigera/operator/pkg/components"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
-	"github.com/tigera/operator/pkg/render/common/podsecuritycontext"
+	"github.com/tigera/operator/pkg/render/common/securitycontext"
 )
 
 func AWSSecurityGroupSetup(cfg *AWSSGSetupConfiguration) (Component, error) {
@@ -110,7 +110,7 @@ func (c *awsSGSetupComponent) setupJob() *batchv1.Job {
 								Value: "/etc/kubernetes/kubeconfig",
 							},
 						},
-						SecurityContext: podsecuritycontext.NewBaseContext(),
+						SecurityContext: securitycontext.NewBaseContext(),
 					}},
 				},
 			},

diff --git a/pkg/render/common/podsecuritycontext/pod_security_context.go b/pkg/render/common/podsecuritycontext/pod_security_context.go
diff --git a/pkg/render/common/securitycontext/security_context.go b/pkg/render/common/securitycontext/security_context.go
@@ -0,0 +1,49 @@
+// Copyright (c) 2021-2022 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package securitycontext
+
+import (
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/tigera/operator/pkg/ptr"
+)
+
+var (
+	// It is recommended to choose UID and GID that don't collide with existing system users and groups.
+	// Non-system UID and GID range is normally from 1000 to 60000 (Debian derived systems define this
+	// in /etc/login.defs). On a normal Linux host, it is unlikely to have more than 10k non-system users.
+	// 10001 is chosen based on this assumption.
+	RunAsUserID  int64 = 10001
+	RunAsGroupID int64 = 10001
+)
+
+// NewBaseContext returns the non root non privileged security context that most of the containers running should
+// be using.
+func NewBaseContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		AllowPrivilegeEscalation: ptr.BoolToPtr(false),
+		Privileged:               ptr.BoolToPtr(false),
+		RunAsNonRoot:             ptr.BoolToPtr(true),
+	}
+}
+
+// NewNonPriviledgedUserContext returns the base context with a default user and group.
+func NewNonPrivilegedUserContext() *corev1.SecurityContext {
+	sc := NewBaseContext()
+	sc.RunAsUser = &RunAsUserID
+	sc.RunAsGroup = &RunAsGroupID
+
+	return sc
+}
diff --git a/pkg/render/dex.go b/pkg/render/dex.go
@@ -24,8 +24,8 @@ import (
 	"github.com/tigera/operator/pkg/components"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 	"github.com/tigera/operator/pkg/render/common/podaffinity"
-	"github.com/tigera/operator/pkg/render/common/podsecuritycontext"
 	"github.com/tigera/operator/pkg/render/common/secret"
+	"github.com/tigera/operator/pkg/render/common/securitycontext"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
 	"gopkg.in/yaml.v2"
 
@@ -220,7 +220,7 @@ func (c *dexComponent) deployment() client.Object {
 							Image:           c.image,
 							Env:             c.cfg.DexConfig.RequiredEnv(""),
 							LivenessProbe:   c.probe(),
-							SecurityContext: podsecuritycontext.NewBaseContext(),
+							SecurityContext: securitycontext.NewBaseContext(),
 
 							Command: []string{"/usr/local/bin/dex", "serve", "/etc/dex/baseCfg/config.yaml"},
 

diff --git a/pkg/render/guardian.go b/pkg/render/guardian.go
@@ -27,8 +27,8 @@ import (
 	operatorv1 "github.com/tigera/operator/api/v1"
 	"github.com/tigera/operator/pkg/components"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
-	"github.com/tigera/operator/pkg/render/common/podsecuritycontext"
 	"github.com/tigera/operator/pkg/render/common/secret"
+	"github.com/tigera/operator/pkg/render/common/securitycontext"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
 )
 
@@ -268,7 +268,7 @@ func (c *GuardianComponent) container() []corev1.Container {
 				InitialDelaySeconds: 10,
 				PeriodSeconds:       5,
 			},
-			SecurityContext: podsecuritycontext.NewBaseContext(),
+			SecurityContext: securitycontext.NewBaseContext(),
 		},
 	}
 }

diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go
@@ -34,11 +34,13 @@ import (
 	operatorv1 "github.com/tigera/operator/api/v1"
 	"github.com/tigera/operator/pkg/components"
 	"github.com/tigera/operator/pkg/dns"
+	"github.com/tigera/operator/pkg/ptr"
 	relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 	rkibana "github.com/tigera/operator/pkg/render/common/kibana"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 	"github.com/tigera/operator/pkg/render/common/podsecuritypolicy"
 	"github.com/tigera/operator/pkg/render/common/secret"
+	"github.com/tigera/operator/pkg/render/common/securitycontext"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
 	"github.com/tigera/operator/pkg/url"
 )
@@ -532,7 +534,7 @@ func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() co
 		},
 	}
 
-	privileged := false
+	sc := securitycontext.NewNonPrivilegedUserContext()
 
 	// If syslog forwarding is enabled then set the necessary ENV var and volume mount to
 	// write logs for Fluentd.
@@ -547,7 +549,7 @@ func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() co
 		// On OpenShift, if we need the volume mount to hostpath volume for syslog forwarding,
 		// then ID controller needs privileged access to write event logs to that volume
 		if c.cfg.Openshift {
-			privileged = true
+			sc.Privileged = ptr.BoolToPtr(true)
 		}
 	}
 
@@ -567,10 +569,8 @@ func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() co
 			},
 			InitialDelaySeconds: 5,
 		},
-		SecurityContext: &corev1.SecurityContext{
-			Privileged: &privileged,
-		},
-		VolumeMounts: volumeMounts,
+		SecurityContext: sc,
+		VolumeMounts:    volumeMounts,
 	}
 }
 

diff --git a/pkg/render/logstorage.go b/pkg/render/logstorage.go
@@ -49,6 +49,7 @@ import (
 	"github.com/tigera/operator/pkg/render/common/podaffinity"
 	"github.com/tigera/operator/pkg/render/common/podsecuritypolicy"
 	"github.com/tigera/operator/pkg/render/common/secret"
+	"github.com/tigera/operator/pkg/render/common/securitycontext"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
 )
 
@@ -1270,7 +1271,8 @@ func (es elasticsearchComponent) kibanaCR() *kbv1.Kibana {
 								},
 							},
 						},
-						VolumeMounts: volumeMounts,
+						SecurityContext: securitycontext.NewNonPrivilegedUserContext(),
+						VolumeMounts:    volumeMounts,
 					}},
 					Volumes: volumes,
 				},

diff --git a/pkg/render/manager.go b/pkg/render/manager.go
@@ -32,9 +32,9 @@ import (
 	rkibana "github.com/tigera/operator/pkg/render/common/kibana"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 	"github.com/tigera/operator/pkg/render/common/podaffinity"
-	"github.com/tigera/operator/pkg/render/common/podsecuritycontext"
 	"github.com/tigera/operator/pkg/render/common/podsecuritypolicy"
 	"github.com/tigera/operator/pkg/render/common/secret"
+	"github.com/tigera/operator/pkg/render/common/securitycontext"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -349,7 +349,7 @@ func (c *managerComponent) managerContainer() corev1.Container {
 		Image:           c.managerImage,
 		Env:             c.managerEnvVars(),
 		LivenessProbe:   c.managerProbe(),
-		SecurityContext: podsecuritycontext.NewBaseContext(),
+		SecurityContext: securitycontext.NewBaseContext(),
 		VolumeMounts:    c.managerVolumeMounts(),
 	}
 
@@ -422,7 +422,7 @@ func (c *managerComponent) managerProxyContainer() corev1.Container {
 		Env:             env,
 		VolumeMounts:    c.volumeMountsForProxyManager(),
 		LivenessProbe:   c.managerProxyProbe(),
-		SecurityContext: podsecuritycontext.NewBaseContext(),
+		SecurityContext: securitycontext.NewBaseContext(),
 	}
 }
 
@@ -460,7 +460,7 @@ func (c *managerComponent) managerEsProxyContainer() corev1.Container {
 		Name:            "tigera-es-proxy",
 		Image:           c.esProxyImage,
 		LivenessProbe:   c.managerEsProxyProbe(),
-		SecurityContext: podsecuritycontext.NewBaseContext(),
+		SecurityContext: securitycontext.NewBaseContext(),
 		Env:             env,
 		VolumeMounts:    volumeMounts,
 	}

diff --git a/pkg/render/monitor/monitor.go b/pkg/render/monitor/monitor.go
@@ -28,6 +28,7 @@ import (
 	"github.com/tigera/operator/pkg/render/common/configmap"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 	"github.com/tigera/operator/pkg/render/common/secret"
+	"github.com/tigera/operator/pkg/render/common/securitycontext"
 	"github.com/tigera/operator/pkg/render/logstorage/esmetrics"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
 
@@ -236,6 +237,11 @@ func (mc *monitorComponent) alertmanager() *monitoringv1.Alertmanager {
 			Version:          components.ComponentCoreOSAlertmanager.Version,
 			Tolerations:      mc.cfg.Installation.ControlPlaneTolerations,
 			NodeSelector:     mc.cfg.Installation.ControlPlaneNodeSelector,
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsGroup:   &securitycontext.RunAsGroupID,
+				RunAsNonRoot: ptr.BoolToPtr(true),
+				RunAsUser:    &securitycontext.RunAsUserID,
+			},
 		},
 	}
 }
@@ -388,6 +394,11 @@ func (mc *monitorComponent) prometheus() *monitoringv1.Prometheus {
 					},
 				},
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsGroup:   &securitycontext.RunAsGroupID,
+				RunAsNonRoot: ptr.BoolToPtr(true),
+				RunAsUser:    &securitycontext.RunAsUserID,
+			},
 		},
 	}
 }

diff --git a/pkg/render/packet_capture_api.go b/pkg/render/packet_capture_api.go
@@ -28,8 +28,8 @@ import (
 	"github.com/tigera/operator/pkg/render/common/authentication"
 	"github.com/tigera/operator/pkg/render/common/configmap"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
-	"github.com/tigera/operator/pkg/render/common/podsecuritycontext"
 	"github.com/tigera/operator/pkg/render/common/secret"
+	"github.com/tigera/operator/pkg/render/common/securitycontext"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
 )
 
@@ -263,7 +263,7 @@ func (pc *packetCaptureApiComponent) container() corev1.Container {
 		Image:           pc.image,
 		LivenessProbe:   pc.healthProbe(),
 		ReadinessProbe:  pc.healthProbe(),
-		SecurityContext: podsecuritycontext.NewBaseContext(),
+		SecurityContext: securitycontext.NewBaseContext(),
 		Env:             env,
 		VolumeMounts:    volumeMounts,
 	}

diff --git a/pkg/render/packetcapture_api_test.go b/pkg/render/packetcapture_api_test.go
@@ -187,8 +187,9 @@ var _ = Describe("Rendering tests for PacketCapture API component", func() {
 				Name:  render.PacketCaptureContainerName,
 				Image: fmt.Sprintf("%s%s:%s", components.TigeraRegistry, components.ComponentPacketCapture.Image, components.ComponentPacketCapture.Version),
 				SecurityContext: &corev1.SecurityContext{
-					RunAsNonRoot:             ptr.BoolToPtr(true),
 					AllowPrivilegeEscalation: ptr.BoolToPtr(false),
+					Privileged:               ptr.BoolToPtr(false),
+					RunAsNonRoot:             ptr.BoolToPtr(true),
 				},
 				ReadinessProbe: &corev1.Probe{
 					Handler: corev1.Handler{