Open c4milo opened 3 months ago
@c4milo can you please run the same ls command on the containers of redpanda pods, for example I see on a kind cluster
$ ls -alh /var/lib/redpanda/
total 16K
drwxr-xr-x 1 redpanda redpanda 4.0K Apr 5 08:46 .
drwxr-xr-x 1 root root 4.0K Apr 5 08:46 ..
lrwxrwxrwx 1 root root 13 Apr 5 08:46 conf -> /etc/redpanda
drwxr-xr-x 2 redpanda redpanda 4.0K Apr 18 2019 coredump
drwxrwxrwx 5 root root 4.0K Apr 10 13:37 data
I would probably get the same result but that's not the real user or group owning the data in the node, right? Basically, in Azure's case, if the node gets compromised through any of these systemd components, the intruder will have full access to the data. So, ideally we use UIDs and GIDs dedicated to Redpanda.
Or better, we map them to the user and group nobody
in the host (usually 65534)
Is this really a limitation of the operator thought? We are asking that the container use a known user for the container. You are suggesting that the PVs be provisioned on the vm using that same user correct? Even though that user may not exist on the VMs' OS? Have you seen this work with other tools? If you have can you point them to me, it may help me close my knowledge gap quicker.
It would think it is if it doesn't let me set what I want. I'm setting fsgroup and it doesn't seem to be taking it.
we just found out there are more properties from securityContext
not being set despite we setting them: capabilities
, runAsGroup
, and privileged
FWIW, here is what I'm trying to set in most of our pods, this user and group should usually exist in the container and the host.
podSecurityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
fsGroup: 65534
securityContext:
privileged: false
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsUser: 65534
runAsGroup: 65534
I think you could test a simple change in setup local-path-provisioner script https://github.com/redpanda-data/cloudv2/blob/cec154918acf04bc8fc92f7475b66a7bf67eca8d/terraform/provisioners/kubernetes-redpanda-aws/files/local-path-provisioner.yaml#L139 to change the owner.
@c4milo, when you have a second would you mind verifying if the issue was due to local-path-provisioner or if we need to fix something on our end?
What happened?
Redpanda data directories are incorrectly being assigned the
systemd-journald
group ID, andsystemd-resolve
user ID in the host.What did you expect to happen?
The value I set as
fsGroup
to be set as group ID in Redpanda's data directory.How can we reproduce it (as minimally and precisely as possible)?. Please include values file.
Anything else we need to know?
The securityContext I'm setting:
Which are the affected charts?
Redpanda, Operator
Chart Version(s)
Cloud provider
JIRA Link: K8S-140