search

headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0
2.22k stars 156 forks source link

Support for best-practices SecurityContext #1116

Closed sudermanjr closed 1 year ago

sudermanjr commented 1 year ago

I am trying to deploy headlamp in a Kubernetes cluster with some specific security requirements. Currently, it seems the Dockerfile does not allow running as a non-root user in a Kubernetes cluster. Additionally, I have not been able to get the readOnlyFilesystem flag to work either.

Adding the security context block to the deployment yaml (for the container spec) results in a crashing container:

Full deployment spec:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: headlamp
  namespace: headlamp
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: headlamp
  template:
    metadata:
      labels:
        k8s-app: headlamp
    spec:
      containers:
      - name: headlamp
        image: ghcr.io/headlamp-k8s/headlamp:v0.17.0
        args:
          - "-in-cluster"
          - "-plugins-dir=/headlamp/plugins"
        ports:
        - containerPort: 4466
        securityContext:
          runAsUser: 1200
          allowPrivilegeEscalation: false
          privileged: false
          readOnlyRootFilesystem: false
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
        livenessProbe:
          httpGet:
            scheme: HTTP
            path: /
            port: 4466
          initialDelaySeconds: 30
          timeoutSeconds: 30
        resources:
          limits:
            cpu: 500m
            memory: 200Mi
          requests:
            cpu: 500m
            memory: 200Mi
        volumeMounts:
          - name: plugins
            mountPath: /headlamp/plugins
      volumes:
        - emptyDir: {}
          name: plugins
      nodeSelector:
        'kubernetes.io/os': linux

The logs show:

2023/05/01 17:21:42 error creating plugins directory: mkdir /.config: permission denied
2023/05/01 17:21:42 static plugin dir:
2023/05/01 17:21:42 plugins-dir: /headlamp/plugins
2023/05/01 17:21:42 open /headlamp/frontend/index.baseUrl.html: permission denied
sudermanjr commented 1 year ago

~Realizing now that the helm chart provides more detailed options, so I'm going to try that route instead and will update or close if possible~

Same problem when defining via helm chart, with the following values file, using the commented values from the chart.

image:
  pullPolicy: Always
  tag: v0.17.0
podSecurityContext:
  fsGroup: 1000
securityContext:
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
resources:
  limits:
    cpu: 200m
    memory: 100Mi
  requests:
    cpu: 200m
    memory: 100Mi
illume commented 1 year ago

Hi @sudermanjr

I started on https://github.com/headlamp-k8s/headlamp/pull/877 which lets the container use not root user. I think @knrt10 was interested in finishing that off.

knrt10 commented 1 year ago

@sudermanjr thank you for your issue. As @illume mentioned, I am currently looking into the above mentioned issue, so once it is fixed you should be able to run as non-root

knrt10 commented 1 year ago

@sudermanjr #877 is merged. If you try with the latest code(will be included in next release), I think you can use headlamp as a non root. Can you please check and update the issue accordingly. Thanks

illume commented 1 year ago

Headlamp v0.17.1 was released a little while ago which includes the #877 least priv changes. https://github.com/headlamp-k8s/headlamp/releases/tag/v0.17.1

Thanks @sudermanjr again for the issue.

I'll close this now, but if there's something else to improve I'd love to know.