mysql-operator
Add support for PodSecurityPolicy
Add support for Pod Security Policy in the operator. Right now it is not possible to deploy the operator on a cluster that has PSP enabled.
I have a restricted PSP on my cluster, and the orchestrator fails for me:
$ kubectl logs mysql-operator-orchestrator-0
2019/03/18 05:44:25 unable to create open /etc/orchestrator/orchestrator.conf.json: permission denied
2019/03/18 05:44:25 unable to create open /etc/orchestrator/orc-topology.cnf: permission denied
2019-03-18 05:44:25 FATAL Cannot read config file: /etc/orchestrator/orchestrator.conf.json open /etc/orchestrator/orchestrator.conf.json: no such file or directory
The PSP this pod picked up was:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
    - KILL
    - MKNOD
    - SETUID
    - SETGID
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 99999
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
Hi @surajssd, thank you for opening this issue!
The problem is with the docker images that run the processes as root. There are a few places where the Dockerfiles and maybe the helm charts need to be tweaked. One of them is the orchestrator chart and the sidecar Dockerfile.
I scheduled it for the next major release 0.3.0, but I'd be happy to review and merge a PR that fixes it sooner. :smile:
@AMecea added a PSP config setup in https://github.com/presslabs/docker-orchestrator/pull/5; now I will add the configs for mysql-operator.
Added PSP configs for this chart: https://github.com/presslabs/mysql-operator/pull/273
The mysql pods that are started by the operator pod also need root in them to run, so I had to give the following PSP to the cluster pods:
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mysql-cluster
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - KILL
    - MKNOD
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
    - 'hostPath'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
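To see why the restricted policy produced "permission denied" rather than a rejected pod, while the mysql-cluster policy lets the images keep running as root, here is an added example (not code from the mysql-operator project) that models the PSP admission rules the two policies above rely on. The policy dicts are transcribed from the YAML in this thread; the pod shapes are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# The two PodSecurityPolicies from this thread, reduced to the fields modelled here.
RESTRICTED = {
    "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 99999}]},
    "requiredDropCapabilities": ["KILL", "MKNOD", "SETUID", "SETGID"],
    "volumes": ["configMap", "emptyDir", "projected", "secret",
                "downwardAPI", "persistentVolumeClaim"],
}
MYSQL_CLUSTER = {
    "runAsUser": {"rule": "RunAsAny"},
    "requiredDropCapabilities": ["KILL", "MKNOD"],
    "volumes": RESTRICTED["volumes"] + ["hostPath"],
}

@dataclass
class Pod:  # constructed stand-in for the parts of a pod spec PSP admission inspects
    run_as_user: Optional[int] = None          # securityContext.runAsUser; None = unset
    volumes: list = field(default_factory=list)
    add_capabilities: list = field(default_factory=list)

def evaluate(psp: dict, pod: Pod):
    """Return (admitted, effective_uid, reasons).

    effective_uid None means "whatever USER the image declares", which for the
    images discussed in this issue is root."""
    reasons = []
    uid = pod.run_as_user
    rule = psp["runAsUser"]
    if rule["rule"] == "MustRunAs":
        ranges = rule["ranges"]
        if uid is None:
            # PSP mutates an unset runAsUser to the min of the first range: the
            # pod is admitted, but the process is no longer root and cannot
            # write into root-owned /etc/orchestrator.
            uid = ranges[0]["min"]
        elif not any(r["min"] <= uid <= r["max"] for r in ranges):
            reasons.append(f"runAsUser {uid} outside allowed ranges")
    elif rule["rule"] == "MustRunAsNonRoot" and uid == 0:
        reasons.append("runAsUser 0 forbidden")
    for v in pod.volumes:
        if "*" not in psp["volumes"] and v not in psp["volumes"]:
            reasons.append(f"volume type {v} not allowed")
    for c in pod.add_capabilities:
        if c in psp["requiredDropCapabilities"]:
            reasons.append(f"capability {c} must be dropped")
    return (not reasons, uid, reasons)

if __name__ == "__main__":
    print(evaluate(RESTRICTED, Pod(volumes=["configMap", "emptyDir"])))   # (True, 1, [])
    print(evaluate(MYSQL_CLUSTER, Pod(volumes=["hostPath"])))             # (True, None, [])
```

Under the restricted policy an image with no runAsUser is admitted but forced to uid 1, which matches the log above; under the mysql-cluster policy it is admitted with the image's own user, so the root requirement is met at the cost of the non-root guarantee.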
Is there any solution for k8s version > 1.25?