Merge pull request #397 from gthiemonge/fix_min_priv

Run Octavia pod components at minimum privilege escalation level
openstack-k8s-operators · Oct 30, 2024 · 527def8 · 527def8
2 parents 6e13837 + e05e570
commit 527def8
Show file tree

Hide file tree

Showing 19 changed files with 274 additions and 228 deletions.
diff --git a/config/samples/network-attachment-definition/kustomization.yaml b/config/samples/network-attachment-definition/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- octavia-nad.yaml
diff --git a/config/samples/network-attachment-definition/octavia-nad.yaml b/config/samples/network-attachment-definition/octavia-nad.yaml
@@ -0,0 +1,24 @@
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: octavia
+spec:
+  config: |
+    {
+      "cniVersion": "0.3.1",
+      "name": "octavia",
+      "type": "bridge",
+      "bridge": "octbr",
+      "ipam": {
+        "type": "whereabouts",
+        "range": "172.23.0.0/24",
+        "range_start": "172.23.0.30",
+        "range_end": "172.23.0.70",
+        "routes": [
+          {
+            "dst": "172.24.0.0/16",
+            "gw" : "172.23.0.150"
+          }
+        ]
+      }
+    }
diff --git a/pkg/amphoracontrollers/daemonset.go b/pkg/amphoracontrollers/daemonset.go
@@ -27,6 +27,12 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
+)
+
+const (
+	// InitContainerCommand -
+	InitContainerCommand = "/usr/local/bin/container-scripts/init.sh %s"
 )
 
 // DaemonSet func
@@ -36,8 +42,6 @@ func DaemonSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.DaemonSet {
-	runAsUser := int64(0)
-	privileged := true
 	serviceName := fmt.Sprintf("octavia-%s", instance.Spec.Role)
 
 	// The API pod has an extra volume so the API and the provider agent can
@@ -47,7 +51,7 @@ func DaemonSet(
 	certsSecretName := fmt.Sprintf("%s-certs-secret", parentOctaviaName)
 	volumes = append(volumes, GetCertVolume(certsSecretName)...)
 
-	volumeMounts := GetVolumeMounts(serviceName)
+	volumeMounts := octavia.GetVolumeMounts(serviceName)
 	volumeMounts = append(volumeMounts, GetCertVolumeMount()...)
 
 	livenessProbe := &corev1.Probe{
@@ -100,6 +104,11 @@ func DaemonSet(
 		volumeMounts = append(volumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
 	}
 
+	args := []string{
+		"-c",
+		fmt.Sprintf(InitContainerCommand, instance.Name),
+	}
+
 	// Because we don't use jobboard, we need to ensure that the octavia
 	// controllers are gracefully shutdown, so after they receive the signal,
 	// they need to complete the jobs that are being executed (creating a LB,
@@ -112,6 +121,12 @@ func DaemonSet(
 	// re-enabled
 	terminationGracePeriodSeconds := int64(600)
 
+	capabilities := []corev1.Capability{"NET_ADMIN", "SYS_ADMIN", "SYS_NICE"}
+	if instance.Spec.Role == octaviav1.HealthManager {
+		// NET_RAW is required for IP advertisements
+		capabilities = append(capabilities, corev1.Capability("NET_RAW"))
+	}
+
 	daemonset := &appsv1.DaemonSet{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      serviceName,
@@ -127,25 +142,40 @@ func DaemonSet(
 					Labels:      labels,
 				},
 				Spec: corev1.PodSpec{
+					SecurityContext: &corev1.PodSecurityContext{
+						FSGroup: ptr.To(octavia.OctaviaUID),
+					},
 					TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
 					ServiceAccountName:            instance.Spec.ServiceAccount,
 					Containers: []corev1.Container{
 						{
-							Name:           serviceName,
-							Image:          instance.Spec.ContainerImage,
-							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts:   volumeMounts,
-							Resources:      instance.Spec.Resources,
-							ReadinessProbe: readinessProbe,
-							LivenessProbe:  livenessProbe,
+							Name:            serviceName,
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: octavia.GetOctaviaSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    volumeMounts,
+							Resources:       instance.Spec.Resources,
+							ReadinessProbe:  readinessProbe,
+							LivenessProbe:   livenessProbe,
+						},
+					},
+					InitContainers: []corev1.Container{
+						{
+							Name:  "init",
+							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
 								Capabilities: &corev1.Capabilities{
-									Add:  []corev1.Capability{"NET_ADMIN", "SYS_ADMIN", "SYS_NICE"},
+									Add:  capabilities,
 									Drop: []corev1.Capability{},
 								},
-								RunAsUser:  &runAsUser,
-								Privileged: &privileged,
+								RunAsUser: ptr.To(int64(0)),
 							},
+							Command: []string{
+								"/bin/bash",
+							},
+							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							Args:         args,
+							VolumeMounts: GetInitVolumeMounts(),
 						},
 					},
 					Volumes: volumes,
@@ -163,15 +193,9 @@ func DaemonSet(
 		},
 		corev1.LabelHostname,
 	)
-	if instance.Spec.NodeSelector != nil && len(instance.Spec.NodeSelector) > 0 {
+	if len(instance.Spec.NodeSelector) > 0 {
 		daemonset.Spec.Template.Spec.NodeSelector = instance.Spec.NodeSelector
 	}
 
-	initContainerDetails := octavia.APIDetails{
-		ContainerImage: instance.Spec.ContainerImage,
-		VolumeMounts:   octavia.GetInitVolumeMounts(),
-	}
-	daemonset.Spec.Template.Spec.InitContainers = octavia.InitContainer(initContainerDetails)
-
 	return daemonset
 }
diff --git a/pkg/amphoracontrollers/volumes.go b/pkg/amphoracontrollers/volumes.go
@@ -48,9 +48,9 @@ func GetVolumes(name string) []corev1.Volume {
 	)
 }
 
-func GetVolumeMounts(serviceName string) []corev1.VolumeMount {
+func GetInitVolumeMounts() []corev1.VolumeMount {
 	return append(
-		octavia.GetVolumeMounts(serviceName),
+		octavia.GetInitVolumeMounts(),
 		corev1.VolumeMount{
 			Name:      "hm-ports",
 			MountPath: "/var/lib/hmports",

diff --git a/pkg/octavia/dbsync.go b/pkg/octavia/dbsync.go
@@ -22,11 +22,12 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
-	// DBSyncCommand -
-	DBSyncCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	// InitContainerCommand -
+	InitContainerCommand = "/usr/local/bin/container-scripts/init.sh"
 )
 
 // DbSyncJob func
@@ -35,13 +36,9 @@ func DbSyncJob(
 	labels map[string]string,
 	annotations map[string]string,
 ) *batchv1.Job {
-	runAsUser := int64(0)
-	initVolumeMounts := GetInitVolumeMounts()
 	volumeMounts := GetVolumeMounts("db-sync")
 	volumes := GetVolumes(instance.Name)
 
-	args := []string{"-c", DBSyncCommand}
-
 	envVars := map[string]env.Setter{}
 	envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 
@@ -51,6 +48,11 @@ func DbSyncJob(
 		volumeMounts = append(volumeMounts, instance.Spec.OctaviaAPI.TLS.CreateVolumeMounts(nil)...)
 	}
 
+	args := []string{
+		"-c",
+		InitContainerCommand,
+	}
+
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      instance.Name + "-db-sync",
@@ -63,21 +65,30 @@ func DbSyncJob(
 					Annotations: annotations,
 				},
 				Spec: corev1.PodSpec{
+					SecurityContext: &corev1.PodSecurityContext{
+						FSGroup: ptr.To(OctaviaUID),
+					},
 					RestartPolicy:      corev1.RestartPolicyOnFailure,
 					ServiceAccountName: instance.RbacResourceName(),
 					Containers: []corev1.Container{
 						{
-							Name: ServiceName + "-db-sync",
+							Name:            ServiceName + "-db-sync",
+							Image:           instance.Spec.OctaviaAPI.ContainerImage,
+							SecurityContext: GetOctaviaSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    volumeMounts,
+						},
+					},
+					InitContainers: []corev1.Container{
+						{
+							Name:            "init",
+							Image:           instance.Spec.OctaviaAPI.ContainerImage,
+							SecurityContext: GetOctaviaSecurityContext(),
 							Command: []string{
 								"/bin/bash",
 							},
-							Args:  args,
-							Image: instance.Spec.OctaviaAPI.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
-							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts: volumeMounts,
+							Args:         args,
+							VolumeMounts: GetInitVolumeMounts(),
 						},
 					},
 					Volumes: volumes,
@@ -86,11 +97,5 @@ func DbSyncJob(
 		},
 	}
 
-	initContainerDetails := APIDetails{
-		ContainerImage: instance.Spec.OctaviaAPI.ContainerImage,
-		VolumeMounts:   initVolumeMounts,
-	}
-	job.Spec.Template.Spec.InitContainers = InitContainer(initContainerDetails)
-
 	return job
 }
diff --git a/pkg/octavia/initcontainer.go b/pkg/octavia/initcontainer.go
diff --git a/pkg/octavia/securitycontext.go b/pkg/octavia/securitycontext.go
@@ -0,0 +1,34 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package octavia
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
+)
+
+const (
+	OctaviaUID int64 = 42437
+	OctaviaGID int64 = 42437
+)
+
+func GetOctaviaSecurityContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		RunAsUser:    ptr.To(OctaviaUID),
+		RunAsGroup:   ptr.To(OctaviaGID),
+		RunAsNonRoot: ptr.To(true),
+	}
+}