neelanjan00
commented
1 year ago Hi @mtcolman, have you gone through this doc: https://litmuschaos.github.io/litmus/experiments/concepts/security/openshift-scc/
Open mtcolman opened 1 year ago
neelanjan00
commented
1 year ago Hi @mtcolman, have you gone through this doc: https://litmuschaos.github.io/litmus/experiments/concepts/security/openshift-scc/
mtcolman
commented
1 year ago @neelanjan00 yes I have, and it's nothing to with the above; the link explains how to set up an SSC for the privileged experiments (which is after all of the above).
see-quick
commented
1 year ago As a user, I assume then when I try to deploy an operator using the Helm tool I would not do the following steps with the SCCs. This is not user-friendly at all.
SrikanthSrinivasamurthy
commented
11 months ago Hi @mtcolman We have one more issue with respect openshift SCC since we have restricted annotation added to pods of deployment during runtime which restrict securityContext.runAsUser
openshift.io/scc: restricted-v2
seccomp.security.alpha.kubernetes.io/pod: runtime/defaultduring deployment of litmus-3.0.2 in to openshift getting this below error
same with front-end & auth-server deployement This is override file used
portalScope: cluster
portal:
frontend:
automountServiceAccountToken: false
securityContext: {}
#runAsUser: 2000
#allowPrivilegeEscalation: false
#runAsNonRoot: true
server:
replicas: 1
updateStrategy: {}
serviceAccountName: litmus-server-account
customLabels: {}
waitForMongodb:
securityContext: {}
#runAsUser: 101
#allowPrivilegeEscalation: false
#runAsNonRoot: true
#readOnlyRootFilesystem: true
# my.company.com/tier: "backend"
graphqlServer:
securityContext: {}
#runAsUser: 2000
#allowPrivilegeEscalation: false
#runAsNonRoot: true
#readOnlyRootFilesystem: true
authServer:
securityContext:
runAsUser: 2000
allowPrivilegeEscalation: false
runAsNonRoot: true
readOnlyRootFilesystem: true
automountServiceAccountToken: false
mongodb:
enabled: true
auth:
enabled: true
rootUser: "root"
rootPassword: "1234"
# -- existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, ` mongodb-replica-set-key`)
existingSecret: ""
architecture: replicaset
replicaCount: 3
persistence:
enabled: false
volumePermissions:
enabled: false
metrics:
enabled: false
prometheusRule:
enabled: false
podSecurityContext:
enabled: false
containerSecurityContext:
enabled: false
volumePermissions:
enabled: false
securityContext: {}
tls:
enabled: falseSince its giving above error i was giving securityContext: {} but still in frontend its giving permission denied error for /etc/nginx/nginx.conf
mtcolman
commented
11 months ago @SrikanthSrinivasamurthy this is likely due to the fact that access to /etc/nginx/nginx.conf has not been granted to the arbitrary UID or GID 0 which you'll be assigned when using restricted/restricted-v2 SCC. So either:
chown 2000:0 and chmod g=u the file; or
Hi, I'd like for the litmus install to be compatible with OpenShift SCCs. I have taken
https://litmuschaos.github.io/litmus/3.0.0-beta2/litmus-3.0.0-beta2.yamland modified it to be compatible and follow good security practices, my new version is attached below. I've written up an explanation, hopefully it all makes sense.Note: I think a potential for an even better way to make this OpenShift compatible would be to not need to run the containers & initContainers as a specific UID/GID so that they could work with restricted SCC, but that would involve making changes to the container images themselves (i.e. chown/chgrp directory & file permissions to ensure compatibility etc) - happy to discuss that too if required.
I initially tried installing via
oc apply -f https://litmuschaos.github.io/litmus/3.0.0-beta2/litmus-3.0.0-beta2.yamland have found that none of the litmus pods are able to start up, only mongo does. Upon further investigation this is due to the configuration's incompatibility with the default security context constraint "restricted".The appears to be caused by the fact the
runAsUsersecurityContext is specified for the containers. I therefore need to add the permission to use thenonrootserviceAccount for these pods. I've found at this point that only thelitmus-serverhas an SA created for it - thefrontendandauth-serverwould default to using thedefaultSA in the namespace - adding permissions to this would be bad security practice. I've therefore created a new SA for each of thefrontendandauth-serverdeployments.and
and
I've then added the permission to use
nonrootto the serviceAccounts via:Having removed the installation (3 x deployments, 1 x statefulSet (mongo)) and reinstalled, I've still hit problems with
litmus-serverandlitmus-auth-serverpods starting up. I then discovered this was due to thelitmuschaos/curl:3.0.0-beta2image being used as aninitContainerwithin both. The error given isError: container has runAsNonRoot and image has non-numeric user (curl_user), cannot verify user is non-root.To overcome this I've had a look in the container to find the user and group assigned to the
curl_user:using this, I have then updated the
initContainerspecifications in these deployments to include the appropriatesecurityContext:I am then able to deploy litmuschaos in a manner that all pods start up:
I've noted that
mongois using thedefaultservice account, and therestrictedSCC. And therefore for completeness I then create and assign a new service account for it, which will use therestrictedSCC:Following a deployment, I then have:
With all this in place, I've been able to log in:
Not yet had a chance to test in further depth.
Here is the yaml file I have with my changes in it (had to convert to
.txtto upload it to GitHub): litmus-3.0.0-beta2_MC.yaml.txtAlso: I've seen the deployments that subsequently get created get stuck as well (see
READY 0/1):and to resolve this, needed to perform the following on the new SAs: