vmware-samples / cloud-native-storage-self-service-manager

Cloud Native Storage (CNS) Manager is a diagnostic and self-service tool that helps detect and auto-remediate some of the known issues in storage control plane.
Apache License 2.0
15 stars, 4 forks

nginx and swagger-ui container need privileged securityContext #8

Closed owwweiha closed 1 year ago

owwweiha commented 1 year ago

Describe the bug

Currently, no securityContext is set for the nginx and swagger-ui container. Both need privileged: true to start in restricted environments. So this is missing on both containers:

          securityContext:
            privileged: true

Without privileged, you'll get this error on nginx:

    /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
    /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
    10-listen-on-ipv6-by-default.sh: info: ipv6 not available
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
    /docker-entrypoint.sh: Configuration complete; ready for start up
    2023/03/28 11:50:32 [emerg] 1#1: chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted)
    nginx: [emerg] chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted)

and this error on swagger-ui:

    /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
    /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
    10-listen-on-ipv6-by-default.sh: info: ipv6 not available
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/40-swagger-ui.sh
    /docker-entrypoint.sh: Configuration complete; ready for start up
    2023/03/28 11:52:06 [emerg] 1#1: chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted)
    nginx: [emerg] chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted)

Reproduction steps

  1. Deploy in restricted environment (PSP/PSA restricted enabled)
  2. Nginx and swagger-ui will fail

Expected behavior

Both containers should run out of the box.

Additional context

No response

gohilankit commented 1 year ago

@owwweiha Can you explain more on what kind of restricted environment?

If PSA restricted is enabled on a cluster level, then I believe a whole lot of pods will be affected and the admin will have to adjust security context for each deployment in the cluster. If it's at namespace level, then we're actually deploying cns-manager in its own namespace. IMO the user/admin should make necessary adjustments to manifests when deploying in a PSA/PSP restricted environment. Let me know your thoughts.
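The "restricted" environment discussed above is the Kubernetes Pod Security Standards restricted profile, and the fix proposed at the top of the issue (`privileged: true`) is precisely what that profile rejects, so it cannot be the right remediation there. What follows is an added example, not code from the cns-manager project or from either commenter: a small checker for the core restricted-profile controls, run over three constructed pod specs (the manifest as described in the report with no securityContext, the proposed privileged fix, and a spec the profile would admit). The image names, the UID 101, and the emptyDir mounts for the paths that the nginx entrypoint tries to chown are assumptions made for illustration.

```python
"""Check a pod spec against the core controls of the Kubernetes Pod Security
Standards "restricted" profile.  Added example; not part of cns-manager.
The three pod specs below are constructed for illustration only."""

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def container_violations(ctr, pod_sc):
    """Return the restricted-profile violations for one container.

    pod_sc is the pod-level securityContext; runAsNonRoot and seccompProfile
    may be set there and inherited, with a container-level value overriding."""
    sc = ctr.get("securityContext") or {}
    name = ctr.get("name", "<unnamed>")
    v = []
    if sc.get("privileged"):
        v.append(f"{name}: privileged containers are disallowed")
    if sc.get("allowPrivilegeEscalation") is not False:
        v.append(f"{name}: allowPrivilegeEscalation must be set to false")
    caps = sc.get("capabilities") or {}
    if "ALL" not in [c.upper() for c in caps.get("drop", [])]:
        v.append(f"{name}: capabilities.drop must include ALL")
    if {c.upper() for c in caps.get("add", [])} - {"NET_BIND_SERVICE"}:
        v.append(f"{name}: only NET_BIND_SERVICE may be added")
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        v.append(f"{name}: runAsNonRoot must be true (pod or container level)")
    seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
    if seccomp not in ALLOWED_SECCOMP:
        v.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return v


def restricted_violations(pod_spec):
    """Return all violations for a pod spec (pod-level fields plus every container)."""
    pod_sc = pod_spec.get("securityContext") or {}
    v = [f"pod: {f} must not be true" for f in ("hostNetwork", "hostPID", "hostIPC")
         if pod_spec.get(f)]
    for ctr in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        v.extend(container_violations(ctr, pod_sc))
    return v


# Constructed spec 1: no securityContext at all, as the issue describes.
ORIGINAL = {
    "containers": [
        {"name": "nginx", "image": "nginx:1.23"},              # assumed image
        {"name": "swagger-ui", "image": "swaggerapi/swagger-ui"},  # assumed image
    ]
}

# Constructed spec 2: the fix proposed in the issue, privileged: true on both.
PROPOSED = {
    "containers": [
        {"name": "nginx", "image": "nginx:1.23",
         "securityContext": {"privileged": True}},
        {"name": "swagger-ui", "image": "swaggerapi/swagger-ui",
         "securityContext": {"privileged": True}},
    ]
}

# Constructed spec 3: what the restricted profile admits.  The stock nginx
# entrypoint chowns /var/cache/nginx (the failure in the logs above), so the
# assumption here is a non-root nginx build plus writable emptyDir volumes
# for the directories it needs; UID 101 is the nginx user in those images.
_HARDENED_CTR_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}
_NGINX_MOUNTS = [
    {"name": "cache", "mountPath": "/var/cache/nginx"},
    {"name": "run", "mountPath": "/var/run"},
]
HARDENED = {
    "securityContext": {
        "runAsNonRoot": True,
        "runAsUser": 101,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {"name": "nginx", "image": "nginxinc/nginx-unprivileged:1.23",  # assumed image
         "securityContext": _HARDENED_CTR_SC, "volumeMounts": _NGINX_MOUNTS},
        {"name": "swagger-ui", "image": "swaggerapi/swagger-ui",  # assumed image
         "securityContext": _HARDENED_CTR_SC, "volumeMounts": _NGINX_MOUNTS},
    ],
    "volumes": [{"name": "cache", "emptyDir": {}}, {"name": "run", "emptyDir": {}}],
}


if __name__ == "__main__":
    for label, spec in (("original", ORIGINAL), ("privileged fix", PROPOSED),
                        ("hardened", HARDENED)):
        found = restricted_violations(spec)
        print(f"{label}: {len(found)} violation(s)")
        for line in found:
            print("  -", line)
```

The checker covers the controls that matter for this issue and omits the rest of the profile (volume types, procMount, sysctls, hostPorts, Windows options), so it is a pre-flight aid, not a substitute for admission control. The authoritative check is to label the target namespace with `pod-security.kubernetes.io/enforce=restricted` and run `kubectl apply --dry-run=server` against the manifest; the admission response lists the same kinds of violations.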

owwweiha commented 1 year ago

Hi @gohilankit,

I noticed that the deployment uses a RoleBinding referring to the ClusterRole psp:vmware-system-privileged which does not exist in our environment (TKGI). After creating a ClusterRole with the same name referring to the pks-privileged PSP everything works fine now, even without setting the securityContext on Swagger UI and NGINX (but it's always a good idea to explicitly set a SecurityContext IMHO).

Thank you!