Skip to content

Commit

Permalink
security: run as non-root user
Browse files Browse the repository at this point in the history 
Signed-off-by: zhangzujian <[email protected]>
  • Loading branch information
@zhangzujian
zhangzujian committed Jul 23, 2024
1 parent 9229c45 commit 2f1b1e9
Show file tree
Hide file tree
Showing 33 changed files with 525 additions and 202 deletions.
2 changes: 2 additions & 0 deletions .gitignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
dist/images/test-server
dist/images/kube-ovn
dist/images/kube-ovn-cmd
dist/images/kube-ovn-daemon
dist/images/kube-ovn-pinger
dist/images/kube-ovn-webhook
dist/windows/kube-ovn.exe
dist/windows/kube-ovn-daemon.exe
Expand Down
6 changes: 5 additions & 1 deletion Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,19 +101,23 @@ build-go:
go mod tidy
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -o $(CURDIR)/dist/images/kube-ovn -v ./cmd/cni
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-cmd -v ./cmd
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-daemon -v ./cmd/daemon
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-pinger -v ./cmd/pinger
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-webhook -v ./cmd/webhook
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -o $(CURDIR)/dist/images/test-server -v ./test/server

.PHONY: build-go-windows
build-go-windows:
go mod tidy
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build $(GO_BUILD_FLAGS) -o $(CURDIR)/dist/windows/kube-ovn.exe -v ./cmd/cni
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/windows/kube-ovn-daemon.exe -v ./cmd/windows/daemon
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/windows/kube-ovn-daemon.exe -v ./cmd/daemon

.PHONY: build-go-arm
build-go-arm:
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(GO_BUILD_FLAGS) -o $(CURDIR)/dist/images/kube-ovn -v ./cmd/cni
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-cmd -v ./cmd
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-daemon -v ./cmd/daemon
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-pinger -v ./cmd/pinger
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-webhook -v ./cmd/webhook

.PHONY: build-kube-ovn
Expand Down
41 changes: 24 additions & 17 deletions charts/kube-ovn/templates/central-deploy.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,14 +40,36 @@ spec:
priorityClassName: system-cluster-critical
serviceAccountName: ovn-ovs
hostNetwork: true
initContainers:
- name: hostpath-init
image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- sh
- -c
- "chown -R nobody: /var/run/ovn /etc/ovn /var/log/ovn"
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
privileged: true
runAsUser: 0
volumeMounts:
- mountPath: /var/run/ovn
name: host-run-ovn
- mountPath: /etc/ovn
name: host-config-ovn
- mountPath: /var/log/ovn
name: host-log-ovn
containers:
- name: ovn-central
image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
command:
- /kube-ovn/start-db.sh
securityContext:
runAsUser: 0
runAsUser: 65534
privileged: false
capabilities:
add:
Expand Down Expand Up @@ -96,16 +118,10 @@ spec:
cpu: {{ index .Values "ovn-central" "limits" "cpu" }}
memory: {{ index .Values "ovn-central" "limits" "memory" }}
volumeMounts:
- mountPath: /var/run/openvswitch
name: host-run-ovs
- mountPath: /var/run/ovn
name: host-run-ovn
- mountPath: /etc/openvswitch
name: host-config-openvswitch
- mountPath: /etc/ovn
name: host-config-ovn
- mountPath: /var/log/openvswitch
name: host-log-ovs
- mountPath: /var/log/ovn
name: host-log-ovn
- mountPath: /etc/localtime
Expand Down Expand Up @@ -135,21 +151,12 @@ spec:
{{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}"
{{- end }}
volumes:
- name: host-run-ovs
hostPath:
path: /run/openvswitch
- name: host-run-ovn
hostPath:
path: /run/ovn
- name: host-config-openvswitch
hostPath:
path: {{ .Values.OPENVSWITCH_DIR }}
- name: host-config-ovn
hostPath:
path: {{ .Values.OVN_DIR }}
- name: host-log-ovs
hostPath:
path: {{ .Values.log_conf.LOG_DIR }}/openvswitch
- name: host-log-ovn
hostPath:
path: {{ .Values.log_conf.LOG_DIR }}/ovn
Expand Down
20 changes: 19 additions & 1 deletion charts/kube-ovn/templates/controller-deploy.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,24 @@ spec:
priorityClassName: system-cluster-critical
serviceAccountName: ovn
hostNetwork: true
initContainers:
- name: hostpath-init
image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- sh
- -c
- "chown -R nobody: /var/log/kube-ovn"
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
privileged: true
runAsUser: 0
volumeMounts:
- name: kube-ovn-log
mountPath: /var/log/kube-ovn
containers:
- name: kube-ovn-controller
image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
Expand Down Expand Up @@ -118,7 +136,7 @@ spec:
- --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }}
- --secure-serving={{- .Values.func.SECURE_SERVING }}
securityContext:
runAsUser: 0
runAsUser: 65534
privileged: false
capabilities:
add:
Expand Down
33 changes: 27 additions & 6 deletions charts/kube-ovn/templates/ic-controller-deploy.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,28 @@ spec:
priorityClassName: system-cluster-critical
serviceAccountName: ovn
hostNetwork: true
initContainers:
- name: hostpath-init
image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- sh
- -c
- "chown -R nobody: /var/run/ovn /var/log/ovn /var/log/kube-ovn"
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
privileged: true
runAsUser: 0
volumeMounts:
- mountPath: /var/run/ovn
name: host-run-ovn
- mountPath: /var/log/ovn
name: host-log-ovn
- name: kube-ovn-log
mountPath: /var/log/kube-ovn
containers:
- name: ovn-ic-controller
image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
Expand All @@ -52,8 +74,12 @@ spec:
- --logtostderr=false
- --alsologtostderr=true
securityContext:
runAsUser: 65534
privileged: false
capabilities:
add: ["SYS_NICE"]
add:
- NET_BIND_SERVICE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "{{ .Values.networking.ENABLE_SSL }}"
Expand All @@ -73,8 +99,6 @@ spec:
volumeMounts:
- mountPath: /var/run/ovn
name: host-run-ovn
- mountPath: /etc/ovn
name: host-config-ovn
- mountPath: /var/log/ovn
name: host-log-ovn
- mountPath: /etc/localtime
Expand All @@ -90,9 +114,6 @@ spec:
- name: host-run-ovn
hostPath:
path: /run/ovn
- name: host-config-ovn
hostPath:
path: /etc/origin/ovn
- name: host-log-ovn
hostPath:
path: /var/log/ovn
Expand Down
33 changes: 22 additions & 11 deletions charts/kube-ovn/templates/monitor-deploy.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,24 @@ spec:
priorityClassName: system-cluster-critical
serviceAccountName: kube-ovn-app
hostNetwork: true
initContainers:
- name: hostpath-init
image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- sh
- -c
- "chown -R nobody: /var/log/kube-ovn"
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
privileged: true
runAsUser: 0
volumeMounts:
- name: kube-ovn-log
mountPath: /var/log/kube-ovn
containers:
- name: kube-ovn-monitor
image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
Expand All @@ -50,8 +68,11 @@ spec:
- --alsologtostderr=true
- --log_file_max_size=200
securityContext:
runAsUser: 0
runAsUser: 65534
privileged: false
capabilities:
add:
- NET_BIND_SERVICE
env:
- name: ENABLE_SSL
value: "{{ .Values.networking.ENABLE_SSL }}"
Expand Down Expand Up @@ -85,12 +106,8 @@ spec:
cpu: {{ index .Values "kube-ovn-monitor" "limits" "cpu" }}
memory: {{ index .Values "kube-ovn-monitor" "limits" "memory" }}
volumeMounts:
- mountPath: /var/run/openvswitch
name: host-run-ovs
- mountPath: /var/run/ovn
name: host-run-ovn
- mountPath: /etc/openvswitch
name: host-config-openvswitch
- mountPath: /etc/ovn
name: host-config-ovn
- mountPath: /var/log/ovn
Expand Down Expand Up @@ -125,15 +142,9 @@ spec:
{{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}"
{{- end }}
volumes:
- name: host-run-ovs
hostPath:
path: /run/openvswitch
- name: host-run-ovn
hostPath:
path: /run/ovn
- name: host-config-openvswitch
hostPath:
path: {{ .Values.OPENVSWITCH_DIR }}
- name: host-config-ovn
hostPath:
path: {{ .Values.OVN_DIR }}
Expand Down
54 changes: 47 additions & 7 deletions charts/kube-ovn/templates/ovncni-ds.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,16 +29,48 @@ spec:
hostNetwork: true
hostPID: true
initContainers:
- name: hostpath-init
image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- sh
- -xec
- |
chown -R nobody: /var/log/kube-ovn
chmod g+r /run/xtables.lock
iptables -V
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
privileged: true
runAsUser: 0
runAsGroup: 0
volumeMounts:
- name: usr-local-sbin
mountPath: /usr/local/sbin
- mountPath: /run/xtables.lock
name: xtables-lock
readOnly: false
- name: kube-ovn-log
mountPath: /var/log/kube-ovn
- name: install-cni
image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ["/kube-ovn/install-cni.sh"]
command:
- /kube-ovn/install-cni.sh
- --cni-conf-dir={{ .Values.cni_conf.CNI_CONF_DIR }}
- --cni-conf-file={{ .Values.cni_conf.CNI_CONF_FILE }}
- --cni-conf-name={{- .Values.cni_conf.CNI_CONFIG_PRIORITY -}}-kube-ovn.conflist
securityContext:
runAsUser: 0
privileged: true
volumeMounts:
- mountPath: /opt/cni/bin
name: cni-bin
- mountPath: /etc/cni/net.d
name: cni-conf
{{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
- mountPath: /usr/local/bin
name: local-bin
Expand Down Expand Up @@ -71,9 +103,6 @@ spec:
- --dpdk-tunnel-iface={{- .Values.networking.DPDK_TUNNEL_IFACE }}
- --network-type={{- .Values.networking.TUNNEL_TYPE }}
- --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }}
- --cni-conf-dir={{ .Values.cni_conf.CNI_CONF_DIR }}
- --cni-conf-file={{ .Values.cni_conf.CNI_CONF_FILE }}
- --cni-conf-name={{- .Values.cni_conf.CNI_CONFIG_PRIORITY -}}-kube-ovn.conflist
- --logtostderr=false
- --alsologtostderr=true
- --log_file=/var/log/kube-ovn/kube-ovn-cni.log
Expand All @@ -84,14 +113,16 @@ spec:
- --ovs-vsctl-concurrency={{ .Values.performance.OVS_VSCTL_CONCURRENCY }}
- --secure-serving={{- .Values.func.SECURE_SERVING }}
securityContext:
runAsUser: 0
runAsUser: 65534
runAsGroup: 0
privileged: false
capabilities:
add:
- NET_ADMIN
- NET_BIND_SERVICE
- NET_RAW
- SYS_ADMIN
- SYS_MODULE
env:
- name: ENABLE_SSL
value: "{{ .Values.networking.ENABLE_SSL }}"
Expand Down Expand Up @@ -120,16 +151,19 @@ spec:
- name: DBUS_SYSTEM_BUS_ADDRESS
value: "unix:path=/host/var/run/dbus/system_bus_socket"
volumeMounts:
- name: usr-local-sbin
mountPath: /usr/local/sbin
- name: host-modules
mountPath: /lib/modules
readOnly: true
- mountPath: /run/xtables.lock
name: xtables-lock
readOnly: false
- name: shared-dir
mountPath: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods
- mountPath: /etc/openvswitch
name: systemid
readOnly: true
- mountPath: /etc/cni/net.d
name: cni-conf
- mountPath: /run/openvswitch
name: host-run-ovs
mountPropagation: HostToContainer
Expand Down Expand Up @@ -175,9 +209,15 @@ spec:
nodeSelector:
kubernetes.io/os: "linux"
volumes:
- name: usr-local-sbin
emptyDir: {}
- name: host-modules
hostPath:
path: /lib/modules
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
- name: shared-dir
hostPath:
path: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods
Expand Down
Loading

0 comments on commit 2f1b1e9

Please sign in to comment.