Run GlanceAPI with GlanceUID user

When the backend is not Cinder (Cinder still has to be fully tested), GlanceAPI can reduce the permissions required for glance-api container, and run as GlanceUID/GlanceGID. This patch introduces scc for both glanceAPI and Httpd. Signed-off-by: Francesco Pantano <[email protected]>
openstack-k8s-operators · Aug 20, 2024 · 36a35e7 · 36a35e7
1 parent c05e854
commit 36a35e7
Show file tree

Hide file tree

Showing 6 changed files with 56 additions and 28 deletions.
diff --git a/pkg/glance/funcs.go b/pkg/glance/funcs.go
@@ -41,10 +41,14 @@ func dbSyncSecurityContext() *corev1.SecurityContext {
 // Pods as root user, and we drop privileges and Capabilities we don't need
 func BaseSecurityContext() *corev1.SecurityContext {
 	falseVal := true
+	trueVal := true
 	runAsUser := int64(GlanceUID)
+	runAsGroup := int64(GlanceGID)
 
 	return &corev1.SecurityContext{
 		RunAsUser:                &runAsUser,
+		RunAsGroup:               &runAsGroup,
+		RunAsNonRoot:             &trueVal,
 		AllowPrivilegeEscalation: &falseVal,
 		Capabilities: &corev1.Capabilities{
 			Drop: []corev1.Capability{
@@ -57,11 +61,34 @@ func BaseSecurityContext() *corev1.SecurityContext {
 	}
 }
 
+// APISecurityContext -
+func APISecurityContext(userID int64, privileged bool) *corev1.SecurityContext {
+	runAsUser := int64(userID)
+	trueVal := true
+	return &corev1.SecurityContext{
+		AllowPrivilegeEscalation: &trueVal,
+		RunAsUser:                &runAsUser,
+		Privileged:               &privileged,
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
+}
+
 // HttpdSecurityContext -
 func HttpdSecurityContext() *corev1.SecurityContext {
-
-	runAsUser := int64(GlanceUID)
+	runAsUser := int64(0)
+	falseVal := false
 	return &corev1.SecurityContext{
+		AllowPrivilegeEscalation: &falseVal,
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{
+				"ALL",
+			},
+		},
 		RunAsUser: &runAsUser,
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 }
diff --git a/pkg/glanceapi/statefulset.go b/pkg/glanceapi/statefulset.go
@@ -39,7 +39,7 @@ import (
 
 const (
 	// GlanceAPIServiceCommand -
-	GlanceAPIServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	GlanceAPIServiceCommand = "/usr/local/bin/kolla_start"
 	// GlanceAPIHttpdCommand -
 	GlanceAPIHttpdCommand = "/usr/sbin/httpd -DFOREGROUND"
 )
@@ -52,10 +52,11 @@ func StatefulSet(
 	annotations map[string]string,
 	privileged bool,
 ) (*appsv1.StatefulSet, error) {
-	runAsUser := int64(0)
-
+	userID := glance.GlanceUID
+	if privileged {
+		userID = int64(0)
+	}
 	var config0644AccessMode int32 = 0644
-
 	startupProbe := &corev1.Probe{
 		FailureThreshold: 6,
 		PeriodSeconds:    10,
@@ -257,16 +258,14 @@ func StatefulSet(
 								"-c",
 								string(GlanceAPIHttpdCommand),
 							},
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
-							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts:   httpdVolumeMount,
-							Resources:      instance.Spec.Resources,
-							StartupProbe:   startupProbe,
-							ReadinessProbe: readinessProbe,
-							LivenessProbe:  livenessProbe,
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: glance.HttpdSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    httpdVolumeMount,
+							Resources:       instance.Spec.Resources,
+							StartupProbe:    startupProbe,
+							ReadinessProbe:  readinessProbe,
+							LivenessProbe:   livenessProbe,
 						},
 						{
 							Name: glance.ServiceName + "-api",
@@ -280,12 +279,9 @@ func StatefulSet(
 								"-c",
 								string(GlanceAPIServiceCommand),
 							},
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser:  &runAsUser,
-								Privileged: &privileged,
-							},
-							Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: glance.APISecurityContext(userID, privileged),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts: append(glance.GetVolumeMounts(
 								instance.Spec.CustomServiceConfigSecrets,
 								privileged,

diff --git a/templates/glanceapi/config/glance-api-config.json b/templates/glanceapi/config/glance-api-config.json
@@ -4,20 +4,20 @@
       {
         "source": "/var/lib/config-data/default/00-config.conf",
         "dest": "/etc/glance/glance.conf.d/00-config.conf",
-        "owner": "glance",
+        "owner": "glance:glance",
         "perm": "0600"
       },
       {
         "source": "/var/lib/config-data/default/02-config.conf",
         "dest": "/etc/glance/glance.conf.d/02-config.conf",
-        "owner": "glance",
+        "owner": "glance:glance",
         "perm": "0600",
         "optional": true
       },
       {
         "source": "/var/lib/config-data/default/03-config.conf",
         "dest": "/etc/glance/glance.conf.d/03-config.conf",
-        "owner": "glance",
+        "owner": "glance:glance",
         "perm": "0640",
         "optional": true
       },
@@ -84,6 +84,11 @@
             "path": "/var/log/glance",
             "owner": "glance:glance",
             "recurse": true
+        },
+        {
+            "path": "/etc/glance/glance.conf.d",
+            "owner": "glance:glance",
+            "recurse": true
         }
     ]
 }
diff --git a/test/kuttl/tests/glance_single/01-assert.yaml b/test/kuttl/tests/glance_single/01-assert.yaml
@@ -77,7 +77,7 @@ spec:
         - --
         - /bin/bash
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /usr/bin/dumb-init
         name: glance-api

diff --git a/test/kuttl/tests/glance_single_tls/01-assert.yaml b/test/kuttl/tests/glance_single_tls/01-assert.yaml
@@ -106,7 +106,7 @@ spec:
         - --
         - /bin/bash
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         volumeMounts:
          - mountPath: /var/lib/config-data/default
            name: config-data

diff --git a/test/kuttl/tests/glance_split/01-assert.yaml b/test/kuttl/tests/glance_split/01-assert.yaml
@@ -90,7 +90,7 @@ spec:
         - --
         - /bin/bash
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /usr/bin/dumb-init
         name: glance-api