Allow running as non-root to improve out-of-the-box experience for openshift users #300

Open
gberche-orange opened this issue Dec 22, 2022 · 0 comments


gberche-orange commented Dec 22, 2022

By default K8S OpenShift restricts containers from running with user IDs below 1000; see

https://docs.openshift.com/container-platform/4.10/cicd/pipelines/using-pods-in-a-privileged-security-context.html

The default configuration of OpenShift [Pipelines 1.3.x and later versions] does not allow you to run pods with privileged security context
https://docs.openshift.com/container-platform/4.10/operators/operator_sdk/helm/osdk-helm-tutorial.html
The Nginx service account requires privileged access to run in OpenShift Container Platform. Add the following security context constraint (SCC)
oc adm policy add-scc-to-user anyuid system:serviceaccount:nginx-operator-system:nginx-sample

Without these additional permissions, the cloud-sdk image (such as image: gcr.io/google.com/cloudsdktool/google-cloud-cli:412.0.0) fails with the following trace:

$ gcloud auth activate-service-account --key-file=/secret/key.json

WARNING: Could not setup log file in /.config/gcloud/logs, (Error: Could not create directory [/.config/gcloud/logs/2022.12.22]: Permission denied.

Please verify that you have permissions to write to the parent directory..
The configuration directory may not be writable. To learn more, see https://cloud.google.com/sdk/docs/configurations#creating_a_configuration
ERROR: (gcloud.auth.activate-service-account) Could not create directory [/.config/gcloud]: Permission denied.

Please verify that you have permissions to write to the parent directory.
Stream closed EOF for 70-crossplane/gcp-gcloud-8bcc8d579-vtrh5 (gcp-gcloud)

The filesystem also lacks the permissions needed to run without being root (0) within the container:

1001020000@gcp-gcloud-86d49686bb-h72pr:/$ ls -al /
total 4
dr-xr-xr-x.   1 root root         54 Dec 22 15:34 .
dr-xr-xr-x.   1 root root         54 Dec 22 15:34 ..
drwxr-xr-x.   1 root root        179 Dec 13 18:41 bin
drwxr-xr-x.   2 root root          6 Sep  3 12:10 boot
drwxr-xr-x.   5 root root        360 Dec 22 15:34 dev
drwxr-xr-x.   1 root root         31 Dec 22 15:34 etc
drwxr-xr-x.   1 root root         22 Dec 13 18:41 home
drwxr-xr-x.   1 root root         17 Dec 13 18:46 lib
drwxr-xr-x.   2 root root         34 Dec  5 00:00 lib64
drwxr-xr-x.   2 root root          6 Dec  5 00:00 media
drwxr-xr-x.   2 root root          6 Dec  5 00:00 mnt
drwxr-xr-x.   2 root root          6 Dec  5 00:00 opt
dr-xr-xr-x. 343 root root          0 Dec 22 15:34 proc
drwx------.   1 root root         19 Dec 22 15:34 root
drwxr-xr-x.   1 root root         42 Dec 22 15:34 run
drwxr-xr-x.   2 root root       4096 Dec  5 00:00 sbin
drwxrwsrwt.   3 root 1001020000  100 Dec 22 15:34 secret
drwxr-xr-x.   2 root root          6 Dec  5 00:00 srv
dr-xr-xr-x.  13 root root          0 Oct 24 13:01 sys
drwxrwxrwt.   1 root root          6 Dec 13 18:47 tmp
drwxr-xr-x.   1 root root         19 Dec  5 00:00 usr
drwxr-xr-x.   1 root root         41 Dec  5 00:00 var
1001020000@gcp-gcloud-86d49686bb-h72pr:/$ sudo -i 
bash: sudo: command not found
1001020000@gcp-gcloud-86d49686bb-h72pr:/$ mkdir /.config
mkdir: cannot create directory '/.config': Permission denied

1001020000@gcp-gcloud-86d49686bb-h72pr:/$ id
uid=1001020000(1001020000) gid=0(root) groups=0(root),1001020000

Same when trying to run as cloudsdk:cloudsdk

      securityContext:
        runAsUser: 1000
        runAsGroup: 1000

RUN groupadd -r -g 1000 cloudsdk && \
useradd -r -u 1000 -m -s /bin/bash -g cloudsdk cloudsdk

  - lastTransitionTime: "2022-12-22T15:54:32Z"
    lastUpdateTime: "2022-12-22T15:54:32Z"
    message: 'pods "gcp-gcloud-cli-55cf44859-" is forbidden: unable to validate against
      any security context constraint: [provider "anyuid": Forbidden: not usable by
      user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid
      value: 1000: must be in the ranges: [1001020000, 1001029999], provider "nonroot":
      Forbidden: not usable by user or serviceaccount, 

Related issues:

Workaround on openshift:

in openshift cli mode: oc adm policy add-scc-to-user anyuid -z default

in plain KRM

# Grant crossplane user permission to run gcloud container as root
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
  - kind: ServiceAccount
    name: default
    namespace: my-namespace

and run pods as cloudsdk:cloudsdk

      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
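The workaround above grants the anyuid SCC to the namespace's default service account, which widens what every pod using that account may do, not just the gcloud one. The failure in the trace is only that gcloud resolves its configuration directory to $HOME/.config/gcloud (HOME is "/" in the container, hence "/.config/gcloud"), and "/" is not writable by the arbitrary UID OpenShift assigns. gcloud honours the CLOUDSDK_CONFIG environment variable for that directory, so pointing it at an emptyDir keeps the pod under the default restricted SCC. The Deployment below is an added example, not code from the issue or from the google-cloud-cli project; it assumes the key is in a Secret named gcp-key (hypothetical name), that OpenShift injects runAsUser from the project range (so none is set), and that gcloud only needs to write under CLOUDSDK_CONFIG and /tmp.

```yaml
# Added example: run the gcloud image under the default restricted SCC,
# without granting anyuid. Names marked "assumed" are not from the issue.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gcp-gcloud
  namespace: my-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gcp-gcloud
  template:
    metadata:
      labels:
        app: gcp-gcloud
    spec:
      # No runAsUser/runAsGroup here: the restricted SCC injects a UID from
      # the project range (e.g. 1001020000) and GID 0, which satisfies the
      # "must be in the ranges" check that rejected uid 1000 above.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      volumes:
        - name: gcp-key
          secret:
            secretName: gcp-key        # assumed Secret holding key.json
        - name: scratch
          emptyDir: {}                 # writable by any UID; per-pod, lost on restart
      containers:
        - name: gcp-gcloud
          image: gcr.io/google.com/cloudsdktool/google-cloud-cli:412.0.0
          env:
            # gcloud reads its config dir (and its logs dir beneath it) from
            # CLOUDSDK_CONFIG instead of $HOME/.config/gcloud, so "/.config"
            # is never created. HOME is moved off "/" for the same reason.
            - name: CLOUDSDK_CONFIG
              value: /tmp/gcloud
            - name: HOME
              value: /tmp
          command: ["/bin/sh", "-c"]
          # Activate the key, then stay up so the pod can be inspected with
          # "oc rsh" (the original Deployment crash-looped on this step).
          args:
            - gcloud auth activate-service-account --key-file=/secret/key.json &&
              exec sleep infinity
          volumeMounts:
            - name: gcp-key
              mountPath: /secret
              readOnly: true
            - name: scratch
              mountPath: /tmp
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```

If the image itself is to be fixed instead, the OpenShift convention for arbitrary-UID images is to pre-create the config directory, give it to group 0 and mirror the owner permissions onto the group (chgrp 0 DIR && chmod g=u DIR), since every assigned UID runs with GID 0 as the id output above shows; setting CLOUDSDK_CONFIG in the image to that directory then removes the need for any per-pod environment. Either way, keep the anyuid binding out unless a workload genuinely needs a fixed UID.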