moco
BackupPolicy should provide a way to use fsGroup securityContext
When using BackupPolicy with ephemeral volumes, backups can fail with a permission denied error when trying to write the dump to the volume. This is because moco-backup runs as uid 10000 and the persistent volume is created with a root folder owned by root.
The BackupPolicy CR should provide a way to set an fsGroup, or an fsGroup should be hardcoded in the CronJob definition to prevent this problem.
For those who are looking for a way to work around this problem, here is our solution using a Kyverno policy to mutate the CronJob's Pods on the fly:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-add-fsgroup-moco-backup-jobs
spec:
  rules:
  - name: add-fsgroup-moco-backup-jobs
    match:
      resources:
        kinds:
        - Pod
        # only the Pods created by moco for mysql-backup jobs
        selector:
          matchLabels:
            app.kubernetes.io/created-by: moco
            app.kubernetes.io/name: mysql-backup
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            # "+(...)" is Kyverno's add-if-not-present anchor: an fsGroup
            # already set on the Pod is left untouched
            +(fsGroup): 10000
```
Thank you for the issue! As you suggested, we need fsGroup for the Backup CronJob and also the Restore Job.
We will add the securityContext field to the JobConfig. https://github.com/cybozu-go/moco/blob/v0.12.1/api/v1beta2/job_types.go#L10
Alternatively, it might be better to add securityContext.fsGroup automatically, since the GID 10,000 is a kind of internal value. Doing so would also reduce the troubles of moco users.
Thank you both for your answer! :-)
I agree with @ymmt2005, and I don't see any drawback to setting an fsGroup even if permissions are already properly set.
@ymmt2005 Thank you. I understood.
`runAsGroup: 10000` is automatically set for each container, so it looks better to set fsGroup too.
https://github.com/cybozu-go/moco/blob/808863e82358b581d39c28d9c6d761875fe4d8bd/controllers/mysql_container.go#L342-L344
My understanding is that `fsGroup: 10000` will be set for all containers like runAsGroup.
So the following document will no longer be necessary, will it?
https://github.com/cybozu-go/moco/blob/v0.12.1/docs/troubles.md
@masa213f
Not exactly. `fsGroup` is a Pod-level security policy, so we don't need to add it to each container.
Also, I'd like to include `fsGroupChangePolicy: "OnRootMismatch"`, as it is available on all supported k8s versions.
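As an added example (not moco's or Kyverno's code), the check and the fix from this thread in one small script: detect a Pod spec whose non-root container mounts a volume without any fsGroup (the permission-denied case from the issue), and add `fsGroup` only if absent, mirroring the `+(fsGroup)` anchor of the Kyverno policy above, together with the `fsGroupChangePolicy: OnRootMismatch` suggested here. The Pod spec is a plain dict; the sample Pod and its volume are constructed, and the GID 10000 is the one the thread names.

```python
import copy

MOCO_GID = 10000  # GID/UID moco-backup runs as, per the issue


def mounts_volumes(pod_spec: dict) -> bool:
    """True if any container in the spec mounts a volume."""
    return any(c.get("volumeMounts") for c in pod_spec.get("containers", []))


def needs_fsgroup(pod_spec: dict) -> bool:
    """Detect the failure mode from the issue: a non-root container mounts a
    volume but the Pod sets no fsGroup, so a root-owned volume root stays
    unwritable for the container's uid/gid."""
    if not mounts_volumes(pod_spec):
        return False
    pod_sc = pod_spec.get("securityContext", {})
    if pod_sc.get("fsGroup") is not None:
        return False
    pod_uid = pod_sc.get("runAsUser")
    for c in pod_spec.get("containers", []):
        uid = c.get("securityContext", {}).get("runAsUser", pod_uid)
        if uid not in (None, 0):  # non-root container, no fsGroup: at risk
            return True
    return False


def ensure_fsgroup(pod_spec: dict, gid: int = MOCO_GID) -> dict:
    """Return a copy with securityContext.fsGroup added only if it is absent
    (Kyverno's add-if-not-present semantics) and, likewise only if absent,
    fsGroupChangePolicy OnRootMismatch so kubelet skips a recursive chown
    when the volume root already has the right ownership."""
    out = copy.deepcopy(pod_spec)
    sc = out.setdefault("securityContext", {})
    sc.setdefault("fsGroup", gid)
    sc.setdefault("fsGroupChangePolicy", "OnRootMismatch")
    return out


# Constructed sample resembling a moco backup Pod: runs as uid/gid 10000,
# mounts an ephemeral volume, and has no fsGroup.
BACKUP_POD = {
    "securityContext": {},
    "containers": [{
        "name": "backup",
        "securityContext": {"runAsUser": MOCO_GID, "runAsGroup": MOCO_GID},
        "volumeMounts": [{"name": "work", "mountPath": "/work"}],
    }],
    "volumes": [{"name": "work", "ephemeral": {}}],
}
```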
@ymmt2005 Thanks! Certainly, fsGroup only exists in PodSecurityContext...
Should I set the fsGroup (and fsGroupChangePolicy) on the mysql pod too? If it is not needed, I will just set the fsGroup on the restore and backup jobs.
@masa213f Cc: @d-kuro

> Should I set the fsGroup (and fsGroupChangePolicy) to the mysql pod too?

We should.
Released. https://github.com/cybozu-go/moco/releases/tag/v0.13.0