From 18487a8b79431a2ed34fba50281e8329d61a6776 Mon Sep 17 00:00:00 2001 From: Joao Marcal Date: Thu, 2 Jun 2022 15:01:19 +0100 Subject: [PATCH] fix: set seccomp profiles and grant SAs necessary premissions to run When running in namespace with Pod Security Standard profile "restricted" we need to set RunAsNonRoot and SeccompProfile to all workloads running on that namespace. Futhermore on OpenShift to run with a SeccompProfile set we need to grant service accounts premisisons to use the SCC nonroot-v2 https://github.com/rhobs/observability-operator/issues/149 --- deploy/dependencies/kustomization.yaml | 21 +++++++++++++ .../observability-operator-cluster-role.yaml | 8 +++++ .../observability-operator-deployment.yaml | 5 +++ .../monitoring-stack/alertmanager.go | 31 +++++++++++++++++++ .../monitoring/monitoring-stack/components.go | 21 ++++++++++++- .../monitoring/monitoring-stack/controller.go | 3 ++ 6 files changed, 88 insertions(+), 1 deletion(-) diff --git a/deploy/dependencies/kustomization.yaml b/deploy/dependencies/kustomization.yaml index 1b9f710e..962596f8 100644 --- a/deploy/dependencies/kustomization.yaml +++ b/deploy/dependencies/kustomization.yaml @@ -40,6 +40,10 @@ patches: cpu: 5m memory: 150Mi terminationMessagePolicy: FallbackToLogsOnError + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - patch: |- - op: remove path: /spec/template/spec/nodeSelector @@ -48,3 +52,20 @@ patches: version: v1 kind: Deployment + - patch: |- + - op: add + path: /rules/- + value: + apiGroups: + - security.openshift.io + resourceNames: + - nonroot-v2 + resources: + - securitycontextconstraints + verbs: + - use + target: + group: rbac.authorization.k8s.io + version: v1 + kind: ClusterRole + name: prometheus-operator diff --git a/deploy/operator/observability-operator-cluster-role.yaml b/deploy/operator/observability-operator-cluster-role.yaml index 5bd79417..51442348 100644 --- a/deploy/operator/observability-operator-cluster-role.yaml 
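Review bot: The securityContext added after `terminationMessagePolicy` in the prometheus-operator patch (container level, if its indentation matches that neighbour) sets only `runAsNonRoot` and `seccompProfile`, but the restricted Pod Security Standard named in the commit message also requires `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` on every container. The operator's own deployment hunk in this same commit adds exactly those fields, so unless the rest of this patch (outside the hunk) already sets them, the prometheus-operator pod will still be rejected by a namespace enforcing `restricted`. Adding `allowPrivilegeEscalation: false` and `capabilities:` / `drop:` / `- ALL` under the new `securityContext:` would bring the two deployments in line.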
+++ b/deploy/operator/observability-operator-cluster-role.yaml @@ -158,3 +158,11 @@ rules: - patch - update - watch +- apiGroups: + - security.openshift.io + resourceNames: + - nonroot-v2 + resources: + - securitycontextconstraints + verbs: + - use diff --git a/deploy/operator/observability-operator-deployment.yaml b/deploy/operator/observability-operator-deployment.yaml index 5e01d9ad..2c304183 100644 --- a/deploy/operator/observability-operator-deployment.yaml +++ b/deploy/operator/observability-operator-deployment.yaml @@ -22,6 +22,8 @@ spec: spec: securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - name: operator image: observability-operator:0.0.1 @@ -35,6 +37,9 @@ spec: fieldPath: metadata.namespace securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL resources: limits: cpu: 200m diff --git a/pkg/controllers/monitoring/monitoring-stack/alertmanager.go b/pkg/controllers/monitoring/monitoring-stack/alertmanager.go index 4a1ad4ec..345560f9 100644 --- a/pkg/controllers/monitoring/monitoring-stack/alertmanager.go +++ b/pkg/controllers/monitoring/monitoring-stack/alertmanager.go @@ -3,6 +3,8 @@ package monitoringstack import ( stack "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1" policyv1 "k8s.io/api/policy/v1" + rbacv1 "k8s.io/api/rbac/v1" + "k8s.io/utils/pointer" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/intstr" @@ -65,6 +67,14 @@ func newAlertmanager( }, }, }, + SecurityContext: &corev1.PodSecurityContext{ + FSGroup: pointer.Int64(AlertmanagerUserFSGroupID), + RunAsNonRoot: pointer.Bool(true), + RunAsUser: pointer.Int64(AlertmanagerUserFSGroupID), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, } } 
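Review bot: The PodSecurityContext added to newAlertmanager pins `RunAsUser` to a fixed UID, which on OpenShift appears to take the pod out of the namespace UID range that the default restricted-v2 SCC enforces; that is presumably why the commit also grants `use` on the nonroot-v2 SCC, but nothing in the code records the dependency between the two. A comment above the block such as `// A fixed RunAsUser/FSGroup is outside the UID range OpenShift assigns per namespace, so the pod needs the nonroot-v2 SCC granted by newAlertManagerRole; the fields also satisfy the restricted Pod Security Standard.` would keep them from drifting apart. The same applies to the matching PodSecurityContext added to newPrometheus in components.go. Both functions start outside their hunks.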
@@ -119,3 +129,24 @@ func newAlertmanagerPDB(ms *stack.MonitoringStack, instanceSelectorKey string, i }, } } + +func newAlertManagerRole(ms *stack.MonitoringStack, rbacResourceName string, rbacVerbs []string) *rbacv1.Role { + return &rbacv1.Role{ + TypeMeta: metav1.TypeMeta{ + APIVersion: rbacv1.SchemeGroupVersion.String(), + Kind: "Role", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: rbacResourceName, + Namespace: ms.Namespace, + }, + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{"security.openshift.io"}, + Resources: []string{"securitycontextconstraints"}, + ResourceNames: []string{"nonroot-v2"}, + Verbs: []string{"use"}, + }, + }, + } +} diff --git a/pkg/controllers/monitoring/monitoring-stack/components.go b/pkg/controllers/monitoring/monitoring-stack/components.go index edc41865..652b9f99 100644 --- a/pkg/controllers/monitoring/monitoring-stack/components.go +++ b/pkg/controllers/monitoring/monitoring-stack/components.go @@ -7,6 +7,7 @@ import ( stack "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/pointer" monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" policyv1 "k8s.io/api/policy/v1" @@ -20,6 +21,8 @@ import ( ) const AdditionalScrapeConfigsSelfScrapeKey = "self-scrape-config" +const PrometheusUserFSGroupID = 65534 +const AlertmanagerUserFSGroupID = 65535 type reconcileFunction func(ctx context.Context, c client.Client, scheme *runtime.Scheme) error 
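Review bot: `rbacVerbs` is accepted by newAlertManagerRole but never used — the rule hard-codes `Verbs: []string{"use"}` — so the value passed from stackComponentReconcilers in components.go has no effect; either drop the parameter or use it. The PolicyRule itself is a copy of the one added to newPrometheusRole in components.go, and the name `newAlertManagerRole` breaks the `newAlertmanager*` spelling its siblings use (newAlertmanager, newAlertmanagerPDB). A single shared PolicyRule value referenced from both Role builders removes the duplication and gives one place to document that the rule is inert on clusters without the security.openshift.io API group.
```go
// sccNonRootV2Rule grants "use" on the OpenShift SCC nonroot-v2, which a pod
// with an explicit RunAsUser needs there; the rule is inert on clusters that
// do not serve the security.openshift.io API group.
var sccNonRootV2Rule = rbacv1.PolicyRule{
	APIGroups:     []string{"security.openshift.io"},
	Resources:     []string{"securitycontextconstraints"},
	ResourceNames: []string{"nonroot-v2"},
	Verbs:         []string{"use"},
}

// newAlertManagerRole returns the Role that lets the Alertmanager service
// account use the nonroot-v2 SCC; newPrometheusRole should reference the same value.
func newAlertManagerRole(ms *stack.MonitoringStack, rbacResourceName string, rbacVerbs []string) *rbacv1.Role {
	return &rbacv1.Role{
		// … unchanged: TypeMeta and ObjectMeta …
		Rules: []rbacv1.PolicyRule{sccNonRootV2Rule},
	}
}
```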
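Review bot: The two new exported constants carry no doc comment, and `AlertmanagerUserFSGroupID = 65535` is a surprising choice that nothing explains: 65534 is the conventional `nobody` UID, whereas 65535 is `(uid_t)-1` in the legacy 16-bit UID ABI and is refused by common user-management tooling, so if the Alertmanager image's files are owned by 65534 the pod will depend entirely on `fsGroup` to make its volume writable. Please confirm the UID the image actually runs as and document the intent, e.g. `// PrometheusUserFSGroupID is the UID and fsGroup Prometheus pods run as (65534, the conventional nobody user).` with a matching comment stating why Alertmanager uses a different value. Grouping both with the existing AdditionalScrapeConfigsSelfScrapeKey in one `const (...)` block would also follow Go convention.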
@@ -49,6 +52,8 @@ func stackComponentReconcilers(ms *stack.MonitoringStack, instanceSelectorKey st defaultReconciler(newRoleBinding(ms, prometheusRBACResourceName), ms), defaultReconciler(newAdditionalScrapeConfigsSecret(ms, additionalScrapeConfigsSecretName), ms), defaultReconciler(newServiceAccount(alertmanagerRBACResourceName, ms.Namespace), ms), + defaultReconciler(newAlertManagerRole(ms, alertmanagerRBACResourceName, rbacVerbs), ms), + defaultReconciler(newRoleBinding(ms, alertmanagerRBACResourceName), ms), defaultReconciler(newAlertmanager(ms, alertmanagerRBACResourceName, instanceSelectorKey, instanceSelectorValue), ms), defaultReconciler(newAlertmanagerService(ms, instanceSelectorKey, instanceSelectorValue), ms), defaultReconciler(newAlertmanagerPDB(ms, instanceSelectorKey, instanceSelectorValue), ms), @@ -80,6 +85,12 @@ func newPrometheusRole(ms *stack.MonitoringStack, rbacResourceName string, rbacV Resources: []string{"ingresses"}, Verbs: rbacVerbs, }, + { + APIGroups: []string{"security.openshift.io"}, + Resources: []string{"securitycontextconstraints"}, + ResourceNames: []string{"nonroot-v2"}, + Verbs: []string{"use"}, + }, }, } } @@ -163,7 +174,15 @@ func newPrometheus( }, Key: AdditionalScrapeConfigsSelfScrapeKey, }, - Storage: storageForPVC(config.PersistentVolumeClaim), + Storage: storageForPVC(config.PersistentVolumeClaim), + SecurityContext: &corev1.PodSecurityContext{ + FSGroup: pointer.Int64(PrometheusUserFSGroupID), + RunAsNonRoot: pointer.Bool(true), + RunAsUser: pointer.Int64(PrometheusUserFSGroupID), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, RemoteWrite: config.RemoteWrite, ExternalLabels: config.ExternalLabels, }, diff --git a/pkg/controllers/monitoring/monitoring-stack/controller.go b/pkg/controllers/monitoring/monitoring-stack/controller.go index b5c20a17..ff9ea95d 100644 --- a/pkg/controllers/monitoring/monitoring-stack/controller.go 
+++ b/pkg/controllers/monitoring/monitoring-stack/controller.go @@ -70,6 +70,9 @@ type Options struct { //+kubebuilder:rbac:groups="",resources=pods;services;endpoints,verbs=get;list;watch //+kubebuilder:rbac:groups=extensions;networking.k8s.io,resources=ingresses,verbs=get;list;watch +// RBAC for delegating the use of SCC nonroot-v2 needed for OpenShift +//+kubebuilder:rbac:groups="security.openshift.io",resources=securitycontextconstraints,resourceNames=nonroot-v2,verbs=use + // RegisterWithManager registers the controller with Manager func RegisterWithManager(mgr ctrl.Manager, opts Options) error { split := strings.Split(opts.InstanceSelector, "=")
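Review bot: The comment on the new kubebuilder marker says the SCC is "delegated" but not why the operator must hold the permission itself: Kubernetes RBAC refuses to create a Role containing a permission the creating identity does not have, and newPrometheusRole/newAlertManagerRole now grant `use` on nonroot-v2, so without this marker and the matching ClusterRole rule in observability-operator-cluster-role.yaml every reconcile on OpenShift would fail with an escalation error. Spelling that out, e.g. `// The operator must itself hold "use" on SCC nonroot-v2 because it creates Roles granting it (RBAC forbids granting a permission one does not hold); the rule is inert off OpenShift.`, would save the next reader a trip to the RBAC docs. RegisterWithManager continues outside the hunk.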