From 4f61b6bfdc3c4d802ecd7d9c57d0791a12da268b Mon Sep 17 00:00:00 2001
From: Francesco Pantano
Date: Tue, 20 Aug 2024 14:28:28 +0200
Subject: [PATCH] Run GlanceAPI with GlanceUID user

When the backend is not Cinder (Cinder still has to be fully tested), GlanceAPI can reduce the permissions required for glance-api container, and run as GlanceUID/GlanceGID. This patch introduces scc for both glanceAPI and Httpd.

Signed-off-by: Francesco Pantano
---
 controllers/glanceapi_controller.go | 6 ++++
 pkg/glance/funcs.go | 33 +++++++++++++++++--
 pkg/glanceapi/statefulset.go | 30 +++++++----------
 .../glanceapi/config/glance-api-config.json | 16 +++++++--
 4 files changed, 61 insertions(+), 24 deletions(-)

diff --git a/controllers/glanceapi_controller.go b/controllers/glanceapi_controller.go
index f35d43d0..2ddd41e2 100644
--- a/controllers/glanceapi_controller.go
+++ b/controllers/glanceapi_controller.go
@@ -800,6 +800,12 @@ func (r *GlanceAPIReconciler) reconcileNormal(
 // we can mark the ServiceConfigReady as True and rollout the new pods
 instance.Status.Conditions.MarkTrue(condition.ServiceConfigReadyCondition, condition.ServiceConfigReadyMessage)
 
+ // This is currently required because cleaner and pruner cronJobs
+ // mount the same pvc to clean data present in /var/lib/glance/image-cache
+ if len(instance.Spec.ImageCache.Size) > 0 {
+ privileged = true
+ }
+
 // Define a new StatefuleSet object
 deplDef, err := glanceapi.StatefulSet(instance,
 inputHash,
diff --git a/pkg/glance/funcs.go b/pkg/glance/funcs.go
index b20198ba..78767150 100644
--- a/pkg/glance/funcs.go
+++ b/pkg/glance/funcs.go
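Review bot: Any non-empty ImageCache.Size now silently turns the whole glance-api container into a privileged one (and, through APISecurityContext, one that may escalate privileges), which is a large widening of the attack surface to work around file ownership on a PVC shared with the cleaner/pruner cron jobs. Unless something outside this hunk actually needs root-level capabilities, the usual fix for a shared volume is a pod-level `fsGroup`/`supplementalGroups` set to GlanceGID (or an init container that chowns the mount once) so the API container and the cron jobs can all stay unprivileged. If privileged really is required for now, the comment should state the consequence, e.g. `// TODO: drop once the cache PVC is owned via fsGroup; until then enabling ImageCache forces the glance-api container to run privileged`. `privileged` is declared, and reconcileNormal continues, outside this hunk.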
@@ -40,11 +40,15 @@ func dbSyncSecurityContext() *corev1.SecurityContext {
 // BaseSecurityContext - currently used to make sure we don't run cronJob and Log
 // Pods as root user, and we drop privileges and Capabilities we don't need
 func BaseSecurityContext() *corev1.SecurityContext {
- falseVal := true
+ falseVal := false
+ trueVal := true
 runAsUser := int64(GlanceUID)
+ runAsGroup := int64(GlanceGID)
 
 return &corev1.SecurityContext{
 RunAsUser: &runAsUser,
+ RunAsGroup: &runAsGroup,
+ RunAsNonRoot: &trueVal,
 AllowPrivilegeEscalation: &falseVal,
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{
@@ -57,11 +61,34 @@ func BaseSecurityContext() *corev1.SecurityContext {
 }
 }
 
+// APISecurityContext -
+func APISecurityContext(userID int64, privileged bool) *corev1.SecurityContext {
+ runAsUser := int64(userID)
+ trueVal := true
+ return &corev1.SecurityContext{
+ AllowPrivilegeEscalation: &trueVal,
+ RunAsUser: &runAsUser,
+ Privileged: &privileged,
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }
+}
+
 // HttpdSecurityContext -
 func HttpdSecurityContext() *corev1.SecurityContext {
-
- runAsUser := int64(GlanceUID)
+ runAsUser := int64(0)
+ falseVal := false
 return &corev1.SecurityContext{
+ AllowPrivilegeEscalation: &falseVal,
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{
+ "ALL",
+ },
+ },
 RunAsUser: &runAsUser,
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
 }
 }
diff --git a/pkg/glanceapi/statefulset.go b/pkg/glanceapi/statefulset.go
index 0d73dde4..63f00063 100644
--- a/pkg/glanceapi/statefulset.go
+++ b/pkg/glanceapi/statefulset.go
@@ -50,8 +50,7 @@ func StatefulSet(
 annotations map[string]string,
 privileged bool,
 ) (*appsv1.StatefulSet, error) {
- runAsUser := int64(0)
-
+ userID := glance.GlanceUID
 startupProbe := &corev1.Probe{
 FailureThreshold: 6,
 PeriodSeconds: 10,
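Review bot: The replaced `falseVal := true` meant AllowPrivilegeEscalation was actually true for every cronJob and log pod despite the variable's name, so this hunk fixes a real hardening bug that neither the commit message nor the header comment mentions; it deserves a line in the commit message so the behaviour change for existing deployments is discoverable. The header comment could also be made precise now that the function sets more fields: `// BaseSecurityContext - SecurityContext for cronJob and Log pods: run as GlanceUID:GlanceGID, non-root, no privilege escalation, all capabilities dropped`. The rest of BaseSecurityContext (the dropped-capability list and the seccomp profile) lies between this hunk and the next.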
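Review bot: APISecurityContext sets `AllowPrivilegeEscalation: &trueVal` unconditionally, so even on the new non-privileged GlanceUID path the glance-api process runs without no_new_privs and any setuid binary or file capability in the image can hand it root again, which undoes most of the point of dropping to GlanceUID. Tying escalation to the privileged flag is correct in both directions, because the API server rejects privileged=true together with allowPrivilegeEscalation=false; while there, add the RunAsGroup that BaseSecurityContext already sets, drop all capabilities on the unprivileged path, and replace the empty `// APISecurityContext -` doc comment with the contract (the `int64(userID)` conversion is also a no-op since userID is already int64). HttpdSecurityContext now pins RunAsUser to 0 while the API container moves to GlanceUID, and nothing in the hunk records why httpd must stay root, so a one-line comment naming the reason (presumably config-file setup or port binding, to be confirmed) would help the next reader. Both functions are complete within the hunk.
```go
// APISecurityContext - SecurityContext for the glance-api container. The
// process runs as userID (GlanceUID unless a backend still needs root); it is
// privileged, and allowed to escalate privileges, only when privileged is set,
// which the controller requests when the image-cache PVC is shared with the
// cleaner/pruner cron jobs.
func APISecurityContext(userID int64, privileged bool) *corev1.SecurityContext {
	runAsGroup := int64(GlanceGID)
	sc := &corev1.SecurityContext{
		RunAsUser:  &userID,
		RunAsGroup: &runAsGroup,
		Privileged: &privileged,
		// escalation is only needed, and only valid, in the privileged case
		AllowPrivilegeEscalation: &privileged,
		SeccompProfile: &corev1.SeccompProfile{
			Type: corev1.SeccompProfileTypeRuntimeDefault,
		},
	}
	if !privileged {
		// same baseline as BaseSecurityContext
		sc.Capabilities = &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}
	}
	return sc
}
// … unchanged: HttpdSecurityContext …
```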
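Review bot: `userID := glance.GlanceUID` is unconditional, while the commit message says the Cinder backend has not yet been validated as non-root; nothing visible in this patch gates the UID on the configured backend, so a Cinder deployment gets the GlanceUID change too. If that is an accepted gap, say so where the variable is set, e.g. `// userID: the glance-api container runs as GlanceUID; the Cinder backend has not been verified non-root yet`, otherwise the value needs to depend on the backend. The StatefulSet function body continues well past this hunk.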
@@ -220,16 +219,14 @@ func StatefulSet(
 "-c",
 string(GlanceServiceCommand),
 },
- Image: instance.Spec.ContainerImage,
- SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
- },
- Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
- VolumeMounts: httpdVolumeMount,
- Resources: instance.Spec.Resources,
- StartupProbe: startupProbe,
- ReadinessProbe: readinessProbe,
- LivenessProbe: livenessProbe,
+ Image: instance.Spec.ContainerImage,
+ SecurityContext: glance.HttpdSecurityContext(),
+ Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
+ VolumeMounts: httpdVolumeMount,
+ Resources: instance.Spec.Resources,
+ StartupProbe: startupProbe,
+ ReadinessProbe: readinessProbe,
+ LivenessProbe: livenessProbe,
 },
 {
 Name: glance.ServiceName + "-api",
@@ -243,12 +240,9 @@ func StatefulSet(
 "-c",
 string(GlanceServiceCommand),
 },
- Image: instance.Spec.ContainerImage,
- SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
- Privileged: &privileged,
- },
- Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
+ Image: instance.Spec.ContainerImage,
+ SecurityContext: glance.APISecurityContext(userID, privileged),
+ Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
 VolumeMounts: append(glance.GetVolumeMounts(
 instance.Spec.CustomServiceConfigSecrets,
 privileged,
diff --git a/templates/glanceapi/config/glance-api-config.json b/templates/glanceapi/config/glance-api-config.json
index 996d8b24..3c06b727 100644
--- a/templates/glanceapi/config/glance-api-config.json
+++ b/templates/glanceapi/config/glance-api-config.json
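Review bot: The API container's securityContext now depends on `privileged`, which the controller flips on whenever an image cache size is configured, but a reader of this file cannot see that coupling; a comment on the `SecurityContext:` line would save a trip to the controller, e.g. `// privileged is forced on by the controller when ImageCache is enabled (PVC shared with the cleaner/pruner cron jobs)`. The same flag also selects the volume mounts via GetVolumeMounts on the following lines, so the two uses must keep agreeing. The container list and the StatefulSet function extend beyond this hunk.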
@@ -4,20 +4,20 @@
 {
 "source": "/var/lib/config-data/default/00-config.conf",
 "dest": "/etc/glance/glance.conf.d/00-config.conf",
- "owner": "glance",
+ "owner": "glance:glance",
 "perm": "0600"
 },
 {
 "source": "/var/lib/config-data/default/02-config.conf",
 "dest": "/etc/glance/glance.conf.d/02-config.conf",
- "owner": "glance",
+ "owner": "glance:glance",
 "perm": "0600",
 "optional": true
 },
 {
 "source": "/var/lib/config-data/default/03-config.conf",
 "dest": "/etc/glance/glance.conf.d/03-config.conf",
- "owner": "glance",
+ "owner": "glance:glance",
 "perm": "0640",
 "optional": true
 },
@@ -68,6 +68,16 @@
 "path": "/var/log/glance",
 "owner": "glance:glance",
 "recurse": true
+ },
+ {
+ "path": "/var/lib/glance",
+ "owner": "glance:glance",
+ "recurse": true
+ },
+ {
+ "path": "/etc/glance/glance.conf.d",
+ "owner": "glance:glance",
+ "recurse": true
 }
 ]
 }
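Review bot: The new recursive chown of `/var/lib/glance` runs at every container start, and on the unprivileged path the container now starts as GlanceUID, which has no CAP_CHOWN to re-own files that are not already glance-owned; it is worth confirming that the kolla set_configs step tolerates those failures rather than aborting start-up, and on the privileged image-cache path the same entry walks the whole cache tree on each restart, which is O(files) on a large PVC. If the intent is only to own the directory itself and what the cache writes, a non-recursive entry plus a pod-level fsGroup for the mounted volume would be both cheaper and predictable. The JSON has no comment syntax, so the assumption that the PVC is created empty or already glance-owned should be recorded in the commit message or the operator docs instead.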