How to run conjur-oss in non-privileged

[jralmaraz]

Hi,

I have been trying to deploy the conjur-oss helm chart against a Openshift 4 cluster and have been facing permission issues. I suspect that the unprivileged/non-root restrictions imposed by Openshift's RBAC are the cause, but haven't found a straight forward way to work around yet.

Is there any recommended approach to run the conjur-oss helm chart in non-privileged containers?

Thanks in advance.

Jose

---

Nginx container:

2019/06/23 07:42:53 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied) nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

Conjur-oss container:

Rails Error: Unable to access log file. Please ensure that /opt/conjur-server/log/production.log exists and is writable (ie, make it writable for user and group: chmod 0664 /opt/conjur-server/log/production.log). The log level has been raised to WARN and the output directed to STDERR until the problem is fixed. authn-local requires directory "/run/authn-local" to exist and be a directory authn-local will not be enabled /usr/lib/ruby/2.5.0/fileutils.rb:232:in mkdir': Permission denied @ dir_s_mkdir - /opt/conjur-server/tmp/pids (Errno::EACCES) from /usr/lib/ruby/2.5.0/fileutils.rb:232:infu_mkdir' from /usr/lib/ruby/2.5.0/fileutils.rb:210:in block (2 levels) in mkdir_p' from /usr/lib/ruby/2.5.0/fileutils.rb:208:inreverse_each'

[jralmaraz]

Reference to deploy:

https://www.katacoda.com/quincycheng/scenarios/conjur-oss-on-openshift

https://github.com/cyberark/kubernetes-conjur-deploy

[jralmaraz]

I managed to work around the permission restrictions from openshift as below.

Not sure if that is a recommended approach for a production deployment, but for now its more for development.

Thanks.

References:

https://blog.openshift.com/getting-started-helm-openshift/

https://docs.openshift.com/container-platform/3.6/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile

            https://docs.openshift.com/container-platform/3.9/admin_guide/manage_scc.html#grant-access-to-the-privileged-scc

Before adjusting the permissions:

AU13247:katacoda-deployment joalmaraz$ oc get pods NAME READY STATUS RESTARTS AGE mottled-sloth-conjur-oss-7798678c65-n2h7l 0/2 CrashLoopBackOff 9 9m2s mottled-sloth-postgres-785589854f-d5wt9 1/1 Running 1 30m

AU13247:katacoda-deployment joalmaraz$ oc adm policy add-scc-to-user anyuid system:serviceaccount:opsmx:tiller scc "anyuid" added to: ["system:serviceaccount:opsmx:tiller"] AU13247:katacoda-deployment joalmaraz$ oc adm policy add-scc-to-group anyuid system:authenticated scc "anyuid" added to groups: ["system:authenticated"]

AU13247:katacoda-deployment joalmaraz$ oc get pods NAME READY STATUS RESTARTS AGE mottled-sloth-conjur-oss-7798678c65-vglk5 2/2 Running 0 58s mottled-sloth-postgres-785589854f-d5wt9 1/1 Running 1 31m

AU13247:katacoda-deployment joalmaraz$ export POD_NAME=$(oc get pods --namespace conjur \

-l "app=conjur-oss" \
-o jsonpath="{.items[0].metadata.name}")

AU13247:katacoda-deployment joalmaraz$ oc exec $POD_NAME --container=conjur-oss conjurctl account create "default"

Created new account account 'default' Token-Signing Public Key: -----BEGIN PUBLIC KEY-----

[sgnn7]

@jralmaraz Hey Jose, This repo's content in master branch is designed to be run only on regular Kubernetes deployment like GKE otherwise the SCC changes you made are required due to OpenShift being extremely painful to work with in this respect. We have a partial Proof-of-Concept implementation of an Openshift default RBAC-compliant helm chart in this PR that does not need SCC changes but it is only a prototype and clunky (it requires building our own images) so the usual warnings apply with that assurance level.

[hikkoiri]

Hey @sgnn7,

is there now any supported way to deploy Conjur on Openshift without changing the Security Context Constraints of the corresponding service account?

With the PR #29 you mentioned beeing rejected and the link to the Conjur Operator (which is mentioned in the PR) returning a 404, I don't know on how to continue.

Thanks for your help!

[sgnn7]

Hey @hikkoiri,

Is there now any supported way to deploy Conjur on Openshift without changing the Security Context Constraints of the corresponding service account?

• DAP (enterprise version of Conjur): Yes as a "follower". This has the master deployed somewhere else and a container-based follower runs in your cluster. I do not know what certification level it is in currently but that type of follower does not require SCC changes.
• Helm chart: Not really (but see notes below) :/
• Conjur OSS: Not officially supported but this should work fine if you have to provide your own PG/NGINX/syslog images and deployment config to tie it all together (also see notes).
• Operator (link you noticed): Not available yet. Sadly I cannot comment on the roadmap here or timelines but I would seek alternative options rather than waiting.

Re doing things on your own:

• From Conjur OSS: It's tricky but I think you can do it if you deploy the PG, NGINX, syslog, and Conjur yourself (no helm chart) since PG, NGINX, and syslog are not designed to run on OC ootb without that change (even conjur requires some subtle changes). The linked PR in my previous comment can be used to build all 4 images to where they don't require root privileges and has some sample chart code to tie it all together.
• From Helm chart: This push for that functionality in that same branch I mentioned has been paused but you could take bits/pieces from it and maybe apply some patches for things that happened on master recently. Work on Openshift isn't easy but there's enough there to get someone pretty far out of the gate.

I hope this answers your question but if it doesn't I can try to provide you with as much help as I can!

[hikkoiri]

Hey @sgnn7 , thank you for concluding the various options. It really helps!