hashicorp / boundary-reference-architecture

Example reference architecture for a high availability Boundary deployment on AWS.
https://boundaryproject.io
Mozilla Public License 2.0

EKS deployment failed: Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK #90

Open Anton-Sagurov opened 2 years ago

Anton-Sagurov commented 2 years ago

Hello, I tried to deploy the Boundary controller to EKS (Kubernetes version 1.22), but the container does not have enough privileges to chown the /boundary directory:

chown: /boundary/..2022_07_29_07_35_20.877353490/controller.hcl: Read-only file system
chown: /boundary/..2022_07_29_07_35_20.877353490: Read-only file system
chown: /boundary/..2022_07_29_07_35_20.877353490: Read-only file system
chown: /boundary/controller.hcl: Read-only file system
chown: /boundary/..data: Read-only file system
chown: /boundary: Read-only file system
chown: /boundary: Read-only file system
Could not chown /boundary (may not have appropriate permissions)
Couldn't start Boundary with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK

The Boundary Docker image version: 0.9

I modified the example resources a bit; controller.tf:

# Namespace that the secret, deployment, config map and service below are created in.
resource "kubernetes_namespace" "boundary" {
  metadata { name = var.namespace }
}

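# Database connection string for the controller, consumed as an env var by the deployment.
resource "kubernetes_secret" "boundary_url" {
  depends_on = [
    kubernetes_namespace.boundary,
  ]

  metadata {
    name      = "boundary-rds-url"
    namespace = var.namespace
    labels    = var.controller_labels
  }

  # `data` is given in plaintext; the Kubernetes provider base64-encodes it. The
  # rendered URL (password included) is also persisted in Terraform state, so the
  # state must live in an access-controlled, encrypted backend.
  # The key is spelled POSTGRESS_URL here, in the deployment env and in
  # controller.hcl (env://POSTGRESS_URL); rename all three together or none.
  data = {
    # urlencode() keeps a username/password containing '@', '/', ':' or '%' from
    # breaking the URL; values without such characters render exactly as before.
    POSTGRESS_URL = "postgresql://${urlencode(var.database_username)}:${urlencode(var.database_password)}@${var.database_address}:${var.database_port}/${var.database_name}"
  }
}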

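# Single-replica controller deployment. The config map and secret are referenced
# by resource attribute below, which gives Terraform an implicit ordering; the
# explicit depends_on is kept for readers and now includes the config map, which
# the original list omitted (a pod scheduled before its config map exists stays
# in ContainerCreating).
resource "kubernetes_deployment" "boundary" {
  depends_on = [
    kubernetes_namespace.boundary,
    kubernetes_secret.boundary_url,
    kubernetes_config_map.controller_config,
  ]

  metadata {
    name      = var.controller_deployment
    namespace = var.namespace
    labels    = var.controller_labels
  }

  spec {
    replicas = 1

    selector {
      match_labels = var.controller_labels
    }

    template {
      metadata {
        labels = var.controller_labels
      }

      spec {
        volume {
          name = "controller-config"

          config_map {
            name = kubernetes_config_map.controller_config.metadata[0].name
          }
        }

        container {
          image = "hashicorp/boundary:${var.image_ver}"
          name  = "controller"

          # NOTE: the variable is spelled "pilicy" where it is declared; kept as-is.
          image_pull_policy = var.image_pull_pilicy

          # Config map volumes are always mounted read-only by the kubelet, so the
          # original `read_only = false` had no effect (hence the
          # "chown ... Read-only file system" lines in the issue log). Per that log the
          # entrypoint's chown and its IPC_LOCK fallback both appear to be non-fatal;
          # with `disable_mlock = true` in controller.hcl neither needs extra privilege.
          # If mlock is wanted instead, grant only that capability through a container
          # security_context (capabilities { add = ["IPC_LOCK"] }) rather than
          # running the container privileged. To avoid running as root when the
          # entrypoint is bypassed via `command`, also set run_as_non_root/run_as_user
          # to the image's non-root service user.
          volume_mount {
            name       = "controller-config"
            mount_path = "/boundary"
            read_only  = true
          }

          args = [
            "server",
            "-config",
            "/boundary/controller.hcl",
          ]

          # Connection string (with credentials) is injected from the secret, not baked
          # into the config map.
          env {
            name = "POSTGRESS_URL"
            value_from {
              secret_key_ref {
                name = kubernetes_secret.boundary_url.metadata[0].name
                key  = "POSTGRESS_URL"
              }
            }
          }

          env {
            name  = "HOSTNAME"
            value = "controller"
          }

          # api, cluster and proxy listeners (see controller.hcl).
          port {
            container_port = 9200
          }
          port {
            container_port = 9201
          }
          port {
            container_port = 9202
          }

          liveness_probe {
            http_get {
              path = "/"
              port = 9200
            }
          }

          readiness_probe {
            http_get {
              path = "/"
              port = 9200
            }
          }
        }
      }
    }
  }
}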

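# Rendered controller.hcl, mounted into the controller pod at /boundary.
# Two fixes versus the original:
#  - the top-level option is `disable_mlock`; `disable_mlok` is not a Boundary
#    option, so the default (mlock on) stayed in effect.
#  - inside a Terraform heredoc only `${...}` is interpolated, so the bare
#    `aws_kms_alias.<x>.kms_id` references were written into the file literally
#    (and aws_kms_alias exports no kms_id attribute); the key id is now taken from
#    target_key_id and quoted as Boundary expects.
resource "kubernetes_config_map" "controller_config" {
  depends_on = [
    kubernetes_namespace.boundary,
  ]

  metadata {
    name      = "controller-config"
    namespace = var.namespace
    labels    = var.controller_labels
  }

  data = {
    "controller.hcl" = <<EOF
# mlock is off, so the container does not need CAP_IPC_LOCK and the image
# entrypoint's "Disabling IPC_LOCK" message is harmless. Trade-off: memory holding
# secrets is no longer pinned, so keep swap disabled on the nodes, or grant IPC_LOCK
# to the container and set this to false.
disable_mlock = true

controller {
  name        = "scylla-cloud-boundary"
  description = "Boundary controller"
  database {
    # Connection string comes from the POSTGRESS_URL env var set on the deployment.
    url = "env://POSTGRESS_URL"
  }
}

# NOTE(review): all three listeners are plaintext. The api listener carries auth
# tokens and the cluster listener carries worker authentication; this is only
# acceptable if TLS is terminated by an in-cluster proxy or mesh in front of
# these ports.
listener "tcp" {
  address     = "0.0.0.0"
  purpose     = "api"
  tls_disable = true
}

listener "tcp" {
  address     = "0.0.0.0"
  purpose     = "cluster"
  tls_disable = true
}

listener "tcp" {
  address     = "0.0.0.0"
  purpose     = "proxy"
  tls_disable = true
}

# The pod needs AWS credentials allowed to use these keys (e.g. kms:Encrypt,
# kms:Decrypt, kms:DescribeKey); on EKS prefer an IAM role bound to the pod's
# service account over node-instance credentials.
kms "awskms" {
  purpose    = "root"
  kms_key_id = "${aws_kms_alias.root.target_key_id}"
}

kms "awskms" {
  purpose    = "worker-auth"
  kms_key_id = "${aws_kms_alias.worker_auth.target_key_id}"
}

kms "awskms" {
  purpose    = "recovery"
  kms_key_id = "${aws_kms_alias.recovery.target_key_id}"
}
EOF
  }
}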

# ClusterIP service in front of the controller pod(s), one port per listener.
resource "kubernetes_service" "boundary_controller" {
  depends_on = [kubernetes_namespace.boundary]

  metadata {
    name      = var.controller_deployment
    namespace = var.namespace
    labels    = var.controller_labels
  }

  spec {
    type     = "ClusterIP"
    selector = var.controller_labels

    # Terraform iterates maps in key order, so the ports render as api, cluster,
    # data — the same order the expanded blocks had.
    dynamic "port" {
      for_each = { api = 9200, cluster = 9201, data = 9202 }
      content {
        name        = port.key
        port        = port.value
        target_port = port.value
      }
    }
  }
}
Anton-Sagurov commented 2 years ago

The "fix" is to override the image entrypoint with an explicit command:

# Overriding `command` replaces the image entrypoint, so the chown / IPC_LOCK steps
# seen in the log are skipped and the process runs as the container's default user
# (root, per the note below). Pair this with a container security_context
# (run_as_non_root / run_as_user set to the image's non-root service user) so the
# controller does not run as root.
command = ["boundary", "server", "-config", "/boundary/controller.hcl"]

But then the pod will run in privileged mode (as the root user).