Issue with runAsNonRoot #146

Closed
jclarksnps opened this issue Jun 12, 2019 · 8 comments
Labels: bug (Something isn't working)

Comments
jclarksnps commented Jun 12, 2019

Not entirely sure that your check for runAsNonRoot is working, or we misunderstand exactly what it's checking. We have a pod running which is set at the pod level as below, yet reactive is still saying it shouldn't run as root... which it isn't. Since the securityContext at the container level is only for overriding what is set at the pod level I hope that being set at the pod level is enough. Any ideas?

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 5000
```

@endzyme endzyme self-assigned this Jun 12, 2019
endzyme commented Jun 12, 2019

Thanks @jclarksnps - after looking into this, it does look to be a bug. I have been able to reproduce locally. I think the missing context here is that the securityContext is not set on the Container but it is set at the pod level. This is innate kube logic which is missing from polaris (since the validator is only checking the config at the container level, and not referencing anything at the pod level for this check). I can file this as a bug and we'll look at fixing this up in the validation logic. Thanks for the note!!

@endzyme endzyme added the bug Something isn't working label Jun 12, 2019
@jclarksnps (Author) commented:

Thanks!

endzyme commented Jun 13, 2019

#149 Linking

endzyme pushed a commit that referenced this issue Jun 18, 2019
* Fixing Container Security Context Logic

Kubernetes rationalizes Container Security Context in conjunction with the
Pod Spec Security Context. In this scenario you can 'leave out' certain
security context settings and rely on the pod spec definition to still
set these settings for you. The RunAsNonRoot setting originally only checked
to see if the value was set at the container level, vs also checking if it
was enabled at the pod level.

I have attached the container's parent pod spec to the container validate
struct in case any other things like this arise in the future.

I have also refactored the logic for validating bool pointers, since these
can be tricky, if you want to avoid pointer-dereference issues.

Changes:
- Added parent pod spec of container to validate certain settings which affect container spec
- Refactored the logic statements for validating bool pointers (used helpers)
- Added tests for this pod.container.securityContext condition
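The pod/container merge described in the comments and the commit message, written out as an added example for this page (it is not Polaris's own code). The types are simplified stand-ins for the `*bool` / `*int64` fields of the Kubernetes `PodSecurityContext` and `SecurityContext` structs, the function and helper names are assumptions, and the sample pod spec is constructed to match the reporter's YAML. The container-only check reproduces the reported false positive; the pod-aware check resolves the effective value the way the kubelet does (container setting wins, otherwise the pod setting applies). The uid-0 guard is an extra check added here, not something the issue discusses.

```go
package main

import "fmt"

// Simplified stand-ins for the Kubernetes API types (assumption: only the
// fields relevant to this issue; the real corev1 types carry many more).
type PodSecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

type PodSpec struct {
	SecurityContext *PodSecurityContext
	Containers      []Container
}

func boolPtr(b bool) *bool    { return &b }
func int64Ptr(i int64) *int64 { return &i }

// EffectiveRunAsNonRoot resolves runAsNonRoot in kubelet order: a value on
// the container wins, otherwise the pod-level value applies, otherwise the
// field is unset (second return value false). Nil pointers are never
// dereferenced, which is the "bool pointer" pitfall the commit message mentions.
func EffectiveRunAsNonRoot(pod *PodSecurityContext, c *SecurityContext) (value bool, set bool) {
	if c != nil && c.RunAsNonRoot != nil {
		return *c.RunAsNonRoot, true
	}
	if pod != nil && pod.RunAsNonRoot != nil {
		return *pod.RunAsNonRoot, true
	}
	return false, false
}

// EffectiveRunAsUser applies the same override order to runAsUser.
func EffectiveRunAsUser(pod *PodSecurityContext, c *SecurityContext) (uid int64, set bool) {
	if c != nil && c.RunAsUser != nil {
		return *c.RunAsUser, true
	}
	if pod != nil && pod.RunAsUser != nil {
		return *pod.RunAsUser, true
	}
	return 0, false
}

// ContainerOnlyRunAsNonRoot mirrors the behaviour the reporter hit: only the
// container's own SecurityContext is consulted, so a pod-level
// runAsNonRoot: true is invisible and the check fails.
func ContainerOnlyRunAsNonRoot(c Container) bool {
	return c.SecurityContext != nil &&
		c.SecurityContext.RunAsNonRoot != nil &&
		*c.SecurityContext.RunAsNonRoot
}

// PodAwareRunAsNonRoot passes when the merged runAsNonRoot is true. As an
// added guard, a merged runAsUser of 0 fails the check, because the kubelet
// refuses to start a container marked runAsNonRoot that resolves to uid 0.
func PodAwareRunAsNonRoot(spec PodSpec, c Container) bool {
	nonRoot, set := EffectiveRunAsNonRoot(spec.SecurityContext, c.SecurityContext)
	if !set || !nonRoot {
		return false
	}
	if uid, uidSet := EffectiveRunAsUser(spec.SecurityContext, c.SecurityContext); uidSet && uid == 0 {
		return false
	}
	return true
}

// IssueSpec is a constructed pod spec matching the reporter's YAML:
// runAsNonRoot and runAsUser at the pod level, nothing on the container.
func IssueSpec() PodSpec {
	return PodSpec{
		SecurityContext: &PodSecurityContext{
			RunAsNonRoot: boolPtr(true),
			RunAsUser:    int64Ptr(5000),
		},
		Containers: []Container{{Name: "app"}},
	}
}

func main() {
	spec := IssueSpec()
	for _, c := range spec.Containers {
		fmt.Printf("%s: container-only=%v pod-aware=%v\n",
			c.Name, ContainerOnlyRunAsNonRoot(c), PodAwareRunAsNonRoot(spec, c))
	}
}
```

Running it prints `app: container-only=false pod-aware=true` for the reporter's spec; a container that sets `runAsNonRoot: false` or `runAsUser: 0` itself overrides the pod default and fails the pod-aware check.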
@jclarksnps (Author) commented:

Thanks for fixing this, any eta on a release?

endzyme commented Jun 20, 2019

Hi @jclarksnps - I'll get back to you shortly on the timing 😃 - Thanks again!

endzyme commented Jun 20, 2019

@jclarksnps - I am planning on cutting a release tomorrow if that works for you! :)

@jclarksnps (Author) commented:

Thanks! Yep, we'll deploy and check it out.

endzyme commented Jun 21, 2019

https://github.com/reactiveops/polaris/releases/tag/0.2.1 -- all set

thanks for your patience!

@rbren rbren closed this as completed Jul 12, 2019