From 2d90e1eeb005c5178270c14745c214e271915a1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ram=C3=B3n=20Cahenzli?= Date: Thu, 7 Oct 2021 14:55:45 +0200 Subject: [PATCH 1/4] Add OpenShift-specific security settings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ramón Cahenzli --- component/main.jsonnet | 34 ++++++++++++++++++++++++++++++++++ tests/defaults.yml | 2 ++ 2 files changed, 36 insertions(+) diff --git a/component/main.jsonnet b/component/main.jsonnet index 8fa8f76..02afc64 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet @@ -3,6 +3,38 @@ local kap = import 'lib/kapitan.libjsonnet'; local kube = import 'lib/kube.libjsonnet'; local inv = kap.inventory(); local params = inv.parameters.maxscale; +local isOnOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift'); + +local serviceaccount = kube.ServiceAccount('maxscale-anyuid') { + metadata+: { + namespace: params.namespace, + }, +}; + +local role = kube.Role('maxscale-anyuid') { + metadata+: { + namespace: params.namespace, + }, + + rules: [ { + verbs: [ 'use' ], + apiGroups: [ 'security.openshift.io' ], + resources: [ 'securitycontextconstraints' ], + resourceNames: [ 'anyuid' ], + } ], +}; + +local rolebinding = kube.RoleBinding('maxscale-anyuid') { + metadata+: { + namespace: params.namespace, + }, + roleRef+: { + apiGroup: 'rbac.authorization.k8s.io', + kind: 'Role', + name: 'maxscale-anyuid', + }, + subjects_: [ serviceaccount ], +}; local namespace = kube.Namespace(params.namespace) { metadata+: { @@ -53,6 +85,7 @@ local deployment = kube.Deployment('maxscale') { spec+: { template+: { spec+: { + [if isOnOpenshift then 'serviceAccountName']: 'maxscale-anyuid', containers_+: { maxscale: kube.Container('maxscale') { image: params.images.maxscale.image + ':' + params.images.maxscale.tag 
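Review bot: The new `maxscale-anyuid` ServiceAccount exists only so the pod can `use` the SCC, yet its API token will still be auto-mounted into the MaxScale container; nothing in the hunk shows MaxScale talking to the Kubernetes API, so the token is an unnecessary credential sitting in the pod. Set `automountServiceAccountToken: false,` on the ServiceAccount (next to `metadata+`) so the SCC grant is the only thing the account carries. Scoping the Role with `resourceNames: [ 'anyuid' ]` is the right shape for an SCC grant. Separately, `isOnOpenshift` indexes `inv.parameters.facts.distribution` unconditionally, so an inventory without that fact fails to compile rather than taking the non-OpenShift path; if the fact can be absent in this setup, guard it with `std.objectHas(inv.parameters, 'facts')`.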
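Review bot: `serviceAccountName` is set from the string literal `'maxscale-anyuid'` rather than from the `serviceaccount` object defined earlier in this patch, so a rename of the account (or of the Role it is bound to) silently leaves the Deployment pointing at a ServiceAccount that does not exist and the pod rejected at admission. Use `[if isOnOpenshift then 'serviceAccountName']: serviceaccount.metadata.name,` here and likewise `name: role.metadata.name` in the RoleBinding's `roleRef`, so the three objects cannot drift apart. The Deployment definition starts before this hunk and continues past it.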
@@ -162,5 +195,6 @@ local configfile = kube.ConfigMap('maxscale-config') { { '00_namespace': namespace, + [if isOnOpenshift then '01_openshift_security']: [ role, serviceaccount, rolebinding ], '10_maxscale': [ secret, deployment, service_masteronly, service_rwsplit, configfile ], } diff --git a/tests/defaults.yml b/tests/defaults.yml index 9f5735c..e3f744d 100644 --- a/tests/defaults.yml +++ b/tests/defaults.yml @@ -4,6 +4,8 @@ --- parameters: _instance: maxscale + facts: + distribution: openshift4 maxscale: namespace: maxscale-test master_only_listen_address: 127.0.0.1 From 1d0ce53ca6ada891d7365b17fdc371497607af6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ram=C3=B3n=20Cahenzli?= Date: Mon, 11 Oct 2021 18:39:05 +0200 Subject: [PATCH 2/4] Overriding entrypoint and setting nonroot SCC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ramón Cahenzli --- component/main.jsonnet | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/component/main.jsonnet b/component/main.jsonnet index 02afc64..795d862 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet @@ -5,13 +5,22 @@ local inv = kap.inventory(); local params = inv.parameters.maxscale; local isOnOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift'); -local serviceaccount = kube.ServiceAccount('maxscale-anyuid') { +local namespace = kube.Namespace(params.namespace) { + metadata+: { + labels+: { + SYNMonitoring: 'main', + }, + }, +}; + + +local serviceaccount = kube.ServiceAccount('maxscale-uid') { metadata+: { namespace: params.namespace, }, }; -local role = kube.Role('maxscale-anyuid') { +local role = kube.Role('maxscale-uid') { metadata+: { namespace: params.namespace, }, 
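Review bot: Setting `facts.distribution: openshift4` in the only test instance means the compiled-output test now exercises just the OpenShift branch; the plain-Kubernetes path, where no ServiceAccount, Role or `serviceAccountName` is rendered, is no longer covered by any test. Add a second test class (for example `tests/kubernetes.yml` with `distribution: kubernetes`, or whatever value the non-OpenShift clusters report) so both renderings stay under test and a regression in the `isOnOpenshift` gating is caught.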
@@ -20,29 +29,22 @@ local role = kube.Role('maxscale-anyuid') { verbs: [ 'use' ], apiGroups: [ 'security.openshift.io' ], resources: [ 'securitycontextconstraints' ], - resourceNames: [ 'anyuid' ], + resourceNames: [ 'nonroot' ], } ], }; -local rolebinding = kube.RoleBinding('maxscale-anyuid') { +local rolebinding = kube.RoleBinding('maxscale-uid') { metadata+: { namespace: params.namespace, }, roleRef+: { apiGroup: 'rbac.authorization.k8s.io', kind: 'Role', - name: 'maxscale-anyuid', + name: 'maxscale-uid', }, subjects_: [ serviceaccount ], }; -local namespace = kube.Namespace(params.namespace) { - metadata+: { - labels+: { - SYNMonitoring: 'main', - }, - }, -}; local secret = kube.Secret('maxscale') { metadata+: { @@ -85,11 +87,13 @@ local deployment = kube.Deployment('maxscale') { spec+: { template+: { spec+: { - [if isOnOpenshift then 'serviceAccountName']: 'maxscale-anyuid', + [if isOnOpenshift then 'serviceAccountName']: 'maxscale-uid', containers_+: { maxscale: kube.Container('maxscale') { - image: params.images.maxscale.image + ':' + params.images.maxscale.tag - , + image: params.images.maxscale.image + ':' + params.images.maxscale.tag, + [if isOnOpenshift then 'command']: [ '/usr/bin/maxscale' ], + [if isOnOpenshift then 'args']: [ '-d', '-U', 'maxscale', '-l', 'stdout' ], + [if isOnOpenshift then 'securityContext']: { runAsUser: 998 }, env_+: std.prune(com.proxyVars { MASTER_ONLY_LISTEN_ADDRESS: params.master_only_listen_address, READ_WRITE_LISTEN_ADDRESS: params.read_write_listen_address, From 4bce7b8092796828cc85c5193ab75b631435199e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ram=C3=B3n=20Cahenzli?= Date: Mon, 11 Oct 2021 18:51:55 +0200 Subject: [PATCH 3/4] Use UID matching 2.5.15 image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ramón Cahenzli --- component/main.jsonnet | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
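Review bot: The OpenShift branch pins `runAsUser: 998` but adds none of the other container-level hardening a `nonroot` SCC user would expect, and because the whole `securityContext` is gated on `isOnOpenshift`, non-OpenShift clusters get no security context at all and run as whatever user the image entrypoint chooses. `allowPrivilegeEscalation: false` and `capabilities: { drop: [ 'ALL' ] }` do not depend on the platform and can be set unconditionally; only the numeric UID needs the OpenShift gate. The literal UID is also coupled to whichever `maxscale` user the image ships, since `-U maxscale` makes the process switch to that account — presumably the unprivileged setuid only succeeds when the two match — so lifting it to a parameter next to the image tag (e.g. `params.uid`) would make that dependency explicit. The container definition continues past the end of the hunk.
```jsonnet
maxscale: kube.Container('maxscale') {
  // … unchanged: image, command and args …
  // Privilege-escalation and capability restrictions are platform-independent;
  // only the numeric UID depends on the OpenShift `nonroot` SCC.
  securityContext: {
    allowPrivilegeEscalation: false,
    capabilities: { drop: [ 'ALL' ] },
    // UID of the image's `maxscale` user, which `-U maxscale` switches to —
    // must be kept in sync with the configured image tag.
    [if isOnOpenshift then 'runAsUser']: 998,
  },
  // … unchanged: env_ and the rest of the container …
```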
diff --git a/component/main.jsonnet b/component/main.jsonnet index 795d862..6b355dd 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet @@ -93,7 +93,7 @@ local deployment = kube.Deployment('maxscale') { image: params.images.maxscale.image + ':' + params.images.maxscale.tag, [if isOnOpenshift then 'command']: [ '/usr/bin/maxscale' ], [if isOnOpenshift then 'args']: [ '-d', '-U', 'maxscale', '-l', 'stdout' ], - [if isOnOpenshift then 'securityContext']: { runAsUser: 998 }, + [if isOnOpenshift then 'securityContext']: { runAsUser: 997 }, env_+: std.prune(com.proxyVars { MASTER_ONLY_LISTEN_ADDRESS: params.master_only_listen_address, READ_WRITE_LISTEN_ADDRESS: params.read_write_listen_address, From 0c5806e56b274ee2eecc75d18b9649224301a044 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ram=C3=B3n=20Cahenzli?= Date: Wed, 13 Oct 2021 15:27:01 +0200 Subject: [PATCH 4/4] Use nonroot MaxScale image from APPUiO --- class/defaults.yml | 4 ++-- component/main.jsonnet | 39 --------------------------------------- 2 files changed, 2 insertions(+), 41 deletions(-) diff --git a/class/defaults.yml b/class/defaults.yml index 94e5eeb..7866d59 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -26,5 +26,5 @@ parameters: memory: 512Mi images: maxscale: - image: docker.io/mariadb/maxscale - tag: 2.5.15 + image: gchr.io/appuio/maxscale-docker + tag: 6.1.3 diff --git a/component/main.jsonnet b/component/main.jsonnet index 6b355dd..2fa1fee 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet @@ -3,7 +3,6 @@ local kap = import 'lib/kapitan.libjsonnet'; local kube = import 'lib/kube.libjsonnet'; local inv = kap.inventory(); local params = inv.parameters.maxscale; -local isOnOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift'); local namespace = kube.Namespace(params.namespace) { metadata+: { 
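Review bot: The UID literal now tracks the `maxscale` user of the `2.5.15` image declared in class/defaults.yml, but nothing in main.jsonnet records that coupling, so the next image bump will silently break `-U maxscale` the same way `998` did. Add a comment on the line, e.g. `// UID of the 'maxscale' user in the configured image (997 in mariadb/maxscale:2.5.15); -U maxscale switches to it, so keep in sync with the tag`, or better, derive the value from a parameter that lives next to the image tag so both change together.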
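Review bot: The new registry host `gchr.io` reads like a transposition of GitHub's `ghcr.io`; as written the pull will either fail or, worse, resolve to whichever party owns that domain, so the line should be `image: ghcr.io/appuio/maxscale-docker` (verify against the actual repository). A third-party image referenced by mutable tag alone is also a supply-chain exposure; pinning `tag: 6.1.3` to an immutable digest, or at least recording the expected digest, lets the cluster reject a replaced image. This image swap is what lets the rest of the patch drop the container `securityContext` entirely, leaving nothing in the manifest that enforces the non-root property the image is now trusted for; keeping `securityContext: { runAsNonRoot: true }` on the container costs nothing and makes the kubelet refuse to start a root process if a future tag regresses.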
@@ -13,39 +12,6 @@ local namespace = kube.Namespace(params.namespace) { }, }; - -local serviceaccount = kube.ServiceAccount('maxscale-uid') { - metadata+: { - namespace: params.namespace, - }, -}; - -local role = kube.Role('maxscale-uid') { - metadata+: { - namespace: params.namespace, - }, - - rules: [ { - verbs: [ 'use' ], - apiGroups: [ 'security.openshift.io' ], - resources: [ 'securitycontextconstraints' ], - resourceNames: [ 'nonroot' ], - } ], -}; - -local rolebinding = kube.RoleBinding('maxscale-uid') { - metadata+: { - namespace: params.namespace, - }, - roleRef+: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'Role', - name: 'maxscale-uid', - }, - subjects_: [ serviceaccount ], -}; - - local secret = kube.Secret('maxscale') { metadata+: { namespace: params.namespace, @@ -87,13 +53,9 @@ local deployment = kube.Deployment('maxscale') { spec+: { template+: { spec+: { - [if isOnOpenshift then 'serviceAccountName']: 'maxscale-uid', containers_+: { maxscale: kube.Container('maxscale') { image: params.images.maxscale.image + ':' + params.images.maxscale.tag, - [if isOnOpenshift then 'command']: [ '/usr/bin/maxscale' ], - [if isOnOpenshift then 'args']: [ '-d', '-U', 'maxscale', '-l', 'stdout' ], - [if isOnOpenshift then 'securityContext']: { runAsUser: 997 }, env_+: std.prune(com.proxyVars { MASTER_ONLY_LISTEN_ADDRESS: params.master_only_listen_address, READ_WRITE_LISTEN_ADDRESS: params.read_write_listen_address, @@ -199,6 +161,5 @@ local configfile = kube.ConfigMap('maxscale-config') { { '00_namespace': namespace, - [if isOnOpenshift then '01_openshift_security']: [ role, serviceaccount, rolebinding ], '10_maxscale': [ secret, deployment, service_masteronly, service_rwsplit, configfile ], }