Merge pull request #610 from fmount/sec_context

Run GlanceAPI with GlanceUID user
openstack-k8s-operators · Sep 27, 2024 · 94bf45f · 94bf45f
2 parents b19cd99 + a5ab01f
commit 94bf45f
Show file tree

Hide file tree

Showing 9 changed files with 78 additions and 43 deletions.
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
@@ -108,6 +108,7 @@ type GlanceAPITemplate struct {
 	APITimeout int `json:"apiTimeout,omitempty"`
 }
 
+// Storage -
 type Storage struct {
 	// +kubebuilder:validation:Optional
 	// StorageClass -

diff --git a/api/v1beta1/glance_types.go b/api/v1beta1/glance_types.go
@@ -35,7 +35,7 @@ const (
 	APIEdge = "edge"
 )
 
-// GlanceSpec defines the desired state of Glance
+// GlanceSpecCore defines the desired state of Glance
 type GlanceSpecCore struct {
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default=glance

diff --git a/api/v1beta1/glance_webhook.go b/api/v1beta1/glance_webhook.go
@@ -346,6 +346,7 @@ func (r *GlanceSpec) ValidateUpdate(old GlanceSpec, basePath *field.Path) field.
 	return r.GlanceSpecCore.ValidateUpdate(old.GlanceSpecCore, basePath)
 }
 
+// ValidateUpdate -
 func (r *GlanceSpecCore) ValidateUpdate(old GlanceSpecCore, basePath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 

diff --git a/controllers/glanceapi_controller.go b/controllers/glanceapi_controller.go
@@ -800,6 +800,14 @@ func (r *GlanceAPIReconciler) reconcileNormal(
 	// we can mark the ServiceConfigReady as True and rollout the new pods
 	instance.Status.Conditions.MarkTrue(condition.ServiceConfigReadyCondition, condition.ServiceConfigReadyMessage)
 
+	// This is currently required because cleaner and pruner cronJobs
+	// mount the same pvc to clean data present in /var/lib/glance/image-cache
+	// TODO (fpantano) reference a Glance spec/proposal to move to a different
+	// approach
+	if len(instance.Spec.ImageCache.Size) > 0 {
+		privileged = true
+	}
+
 	// Define a new StatefuleSet object
 	deplDef, err := glanceapi.StatefulSet(instance,
 		inputHash,

diff --git a/pkg/glance/const.go b/pkg/glance/const.go
@@ -54,7 +54,7 @@ const (
 	GlanceInternalPort int32 = 9292
 	// GlanceUID - https://github.com/openstack/kolla/blob/master/kolla/common/users.py
 	GlanceUID int64 = 42415
-	// GlanceGid - https://github.com/openstack/kolla/blob/master/kolla/common/users.py
+	// GlanceGID - https://github.com/openstack/kolla/blob/master/kolla/common/users.py
 	GlanceGID int64 = 42415
 	// DefaultsConfigFileName -
 	DefaultsConfigFileName = "00-config.conf"

diff --git a/pkg/glance/funcs.go b/pkg/glance/funcs.go
@@ -2,6 +2,7 @@ package glance
 
 import (
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -13,19 +14,16 @@ func GetOwningGlanceName(instance client.Object) string {
 			return ownerRef.Name
 		}
 	}
-
 	return ""
 }
 
 // dbSyncSecurityContext - currently used to make sure we don't run db-sync as
 // root user
 func dbSyncSecurityContext() *corev1.SecurityContext {
-	runAsUser := int64(GlanceUID)
-	runAsGroup := int64(GlanceGID)
 
 	return &corev1.SecurityContext{
-		RunAsUser:  &runAsUser,
-		RunAsGroup: &runAsGroup,
+		RunAsUser:  ptr.To(GlanceUID),
+		RunAsGroup: ptr.To(GlanceGID),
 		Capabilities: &corev1.Capabilities{
 			Drop: []corev1.Capability{
 				"MKNOD",
@@ -40,12 +38,12 @@ func dbSyncSecurityContext() *corev1.SecurityContext {
 // BaseSecurityContext - currently used to make sure we don't run cronJob and Log
 // Pods as root user, and we drop privileges and Capabilities we don't need
 func BaseSecurityContext() *corev1.SecurityContext {
-	falseVal := true
-	runAsUser := int64(GlanceUID)
 
 	return &corev1.SecurityContext{
-		RunAsUser:                &runAsUser,
-		AllowPrivilegeEscalation: &falseVal,
+		RunAsUser:                ptr.To(GlanceUID),
+		RunAsGroup:               ptr.To(GlanceGID),
+		RunAsNonRoot:             ptr.To(true),
+		AllowPrivilegeEscalation: ptr.To(false),
 		Capabilities: &corev1.Capabilities{
 			Drop: []corev1.Capability{
 				"ALL",
@@ -57,11 +55,32 @@ func BaseSecurityContext() *corev1.SecurityContext {
 	}
 }
 
+// APISecurityContext -
+func APISecurityContext(userID int64, privileged bool) *corev1.SecurityContext {
+
+	return &corev1.SecurityContext{
+		AllowPrivilegeEscalation: ptr.To(true),
+		RunAsUser:                ptr.To(userID),
+		Privileged:               &privileged,
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
+}
+
 // HttpdSecurityContext -
 func HttpdSecurityContext() *corev1.SecurityContext {
 
-	runAsUser := int64(GlanceUID)
 	return &corev1.SecurityContext{
-		RunAsUser: &runAsUser,
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{
+				"MKNOD",
+			},
+		},
+		RunAsUser:  ptr.To(GlanceUID),
+		RunAsGroup: ptr.To(GlanceGID),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 }
diff --git a/pkg/glanceapi/cachejob.go b/pkg/glanceapi/cachejob.go
@@ -16,22 +16,20 @@ limitations under the License.
 package glanceapi
 
 import (
+	"fmt"
 	glancev1 "github.com/openstack-k8s-operators/glance-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/glance-operator/pkg/glance"
-
-	"fmt"
-
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 // ImageCacheJob -
 func ImageCacheJob(
 	instance *glancev1.GlanceAPI,
 	cronSpec glance.CronJobSpec,
 ) *batchv1.CronJob {
-	runAsUser := int64(0)
 	var config0644AccessMode int32 = 0644
 
 	cronCommand := fmt.Sprintf(
@@ -100,6 +98,9 @@ func ImageCacheJob(
 					Completions: &completions,
 					Template: corev1.PodTemplateSpec{
 						Spec: corev1.PodSpec{
+							SecurityContext: &corev1.PodSecurityContext{
+								FSGroup: ptr.To(glance.GlanceUID),
+							},
 							Affinity: GetGlanceAPIPodAffinity(instance),
 							Containers: []corev1.Container{
 								{
@@ -108,11 +109,9 @@ func ImageCacheJob(
 									Command: []string{
 										"/bin/bash",
 									},
-									Args:         args,
-									VolumeMounts: cronJobVolumeMounts,
-									SecurityContext: &corev1.SecurityContext{
-										RunAsUser: &runAsUser,
-									},
+									Args:            args,
+									VolumeMounts:    cronJobVolumeMounts,
+									SecurityContext: glance.BaseSecurityContext(),
 								},
 							},
 							Volumes:            cronJobVolume,

diff --git a/pkg/glanceapi/statefulset.go b/pkg/glanceapi/statefulset.go
@@ -50,8 +50,7 @@ func StatefulSet(
 	annotations map[string]string,
 	privileged bool,
 ) (*appsv1.StatefulSet, error) {
-	runAsUser := int64(0)
-
+	userID := glance.GlanceUID
 	startupProbe := &corev1.Probe{
 		FailureThreshold: 6,
 		PeriodSeconds:    10,
@@ -180,6 +179,9 @@ func StatefulSet(
 					Labels:      labels,
 				},
 				Spec: corev1.PodSpec{
+					SecurityContext: &corev1.PodSecurityContext{
+						FSGroup: &userID,
+					},
 					ServiceAccountName: instance.Spec.ServiceAccount,
 					// When using Cinder we run as privileged, but also some
 					// commands need to be run on the host using nsenter (eg:
@@ -220,16 +222,14 @@ func StatefulSet(
 								"-c",
 								string(GlanceServiceCommand),
 							},
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
-							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts:   httpdVolumeMount,
-							Resources:      instance.Spec.Resources,
-							StartupProbe:   startupProbe,
-							ReadinessProbe: readinessProbe,
-							LivenessProbe:  livenessProbe,
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: glance.HttpdSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    httpdVolumeMount,
+							Resources:       instance.Spec.Resources,
+							StartupProbe:    startupProbe,
+							ReadinessProbe:  readinessProbe,
+							LivenessProbe:   livenessProbe,
 						},
 						{
 							Name: glance.ServiceName + "-api",
@@ -243,12 +243,9 @@ func StatefulSet(
 								"-c",
 								string(GlanceServiceCommand),
 							},
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser:  &runAsUser,
-								Privileged: &privileged,
-							},
-							Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: glance.APISecurityContext(userID, privileged),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts: append(glance.GetVolumeMounts(
 								instance.Spec.CustomServiceConfigSecrets,
 								privileged,

diff --git a/templates/glanceapi/config/glance-api-config.json b/templates/glanceapi/config/glance-api-config.json
@@ -4,20 +4,20 @@
       {
         "source": "/var/lib/config-data/default/00-config.conf",
         "dest": "/etc/glance/glance.conf.d/00-config.conf",
-        "owner": "glance",
+        "owner": "glance:glance",
         "perm": "0600"
       },
       {
         "source": "/var/lib/config-data/default/02-config.conf",
         "dest": "/etc/glance/glance.conf.d/02-config.conf",
-        "owner": "glance",
+        "owner": "glance:glance",
         "perm": "0600",
         "optional": true
       },
       {
         "source": "/var/lib/config-data/default/03-config.conf",
         "dest": "/etc/glance/glance.conf.d/03-config.conf",
-        "owner": "glance",
+        "owner": "glance:glance",
         "perm": "0640",
         "optional": true
       },
@@ -68,6 +68,16 @@
             "path": "/var/log/glance",
             "owner": "glance:glance",
             "recurse": true
+        },
+        {
+            "path": "/var/lib/glance",
+            "owner": "glance:glance",
+            "recurse": true
+        },
+        {
+            "path": "/etc/glance/glance.conf.d",
+            "owner": "glance:glance",
+            "recurse": true
         }
     ]
 }