From b13a175668e8d120046462f08f6a78b43ddc05cf Mon Sep 17 00:00:00 2001
From: mosad
Date: Fri, 29 May 2020 12:35:45 +0200
Subject: [PATCH 1/4] Reshape security context for AWX containers

---
 installer/roles/kubernetes/defaults/main.yml | 10 +++++++
 .../kubernetes/templates/deployment.yml.j2 | 30 ++++++++++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/installer/roles/kubernetes/defaults/main.yml b/installer/roles/kubernetes/defaults/main.yml
index 701a659ad7..3bb3aacbf4 100644
--- a/installer/roles/kubernetes/defaults/main.yml
+++ b/installer/roles/kubernetes/defaults/main.yml
@@ -16,12 +16,19 @@ kubernetes_web_image: "{{ tower_package_name | default('ansible/awx_web') }}"
 web_mem_request: 1
 web_cpu_request: 500
+web_security_context_enabled: true
+web_security_context_privileged: false
 task_mem_request: 2
 task_cpu_request: 1500
+task_security_context_enabled: true
+task_security_context_privileged: false
 redis_mem_request: 2
 redis_cpu_request: 500
+redis_security_context_enabled: true
+redis_security_context_privileged: false
+redis_security_context_user: 1001
 kubernetes_redis_image: "redis"
 kubernetes_redis_image_tag: "latest"
@@ -29,6 +36,9 @@ kubernetes_redis_config_mount_path: "/usr/local/etc/redis/redis.conf"
 memcached_mem_request: 1
 memcached_cpu_request: 500
+memcached_security_context_enabled: true
+memcached_security_context_privileged: false
+memcached_security_context_user: 1001
 kubernetes_memcached_version: "latest"
 kubernetes_memcached_image: "memcached"
diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2
index f5cf12cb99..9334a44a50 100644
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
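Review bot: The new `*_security_context_*` defaults carry no comment explaining what they control, and `redis_security_context_user: 1001` together with `memcached_security_context_user: 1001` (second hunk) select a UID that, if I remember the official images' Dockerfiles correctly, neither the `redis` image (service user 999) nor the `memcached` image (service user 11211) defines, so the process runs as an unnamed UID and can only use volumes that UID can write; the mounts are outside these hunks, so that needs confirming. A comment above each group would make the intent reviewable, e.g. `# Non-root UID the container runs as; it must be able to read the mounted config and write the data volume`. Stating in the same comment that `*_security_context_privileged: false` only has an effect when the container's securityContext block is enabled would help operators reading these defaults.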
@@ -89,6 +89,12 @@ spec:
 {% endif %}
 containers:
 - name: {{ kubernetes_deployment_name }}-web
+{% if web_security_context_enabled is defined and web_security_context_enabled | bool %}
+ securityContext:
+{% if web_security_context_privileged is defined %}
+ privileged: {{ web_security_context_privileged }}
+{% endif %}
+{% endif %}
 image: "{{ kubernetes_web_image }}:{{ kubernetes_web_version }}"
 imagePullPolicy: Always
 ports:
@@ -178,8 +184,12 @@ spec:
 cpu: "{{ web_cpu_limit }}m"
 {% endif %}
 - name: {{ kubernetes_deployment_name }}-task
+{% if task_security_context_enabled is defined and task_security_context_enabled | bool %}
 securityContext:
- privileged: true
+{% if task_security_context_privileged is defined %}
+ privileged: {{ task_security_context_privileged }}
+{% endif %}
+{% endif %}
 image: "{{ kubernetes_task_image }}:{{ kubernetes_task_version }}"
 command:
 - /usr/bin/launch_awx_task.sh
@@ -270,6 +280,15 @@ spec:
 cpu: "{{ task_cpu_limit }}m"
 {% endif %}
 - name: {{ kubernetes_deployment_name }}-redis
+{% if redis_security_context_enabled is defined and redis_security_context_enabled | bool %}
+ securityContext:
+{% if redis_security_context_privileged is defined %}
+ privileged: {{ redis_security_context_privileged }}
+{% endif %}
+{% if redis_security_context_user is defined %}
+ runAsUser: {{ redis_security_context_user }}
+{% endif %}
+{% endif %}
 image: {{ kubernetes_redis_image }}:{{ kubernetes_redis_image_tag }}
 imagePullPolicy: Always
 args: ["redis-server", "{{ kubernetes_redis_config_mount_path }}"]
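Review bot: With this series' defaults (`web_security_context_privileged: false`) the new block renders only `privileged: false`, which is already the Kubernetes default, so a `securityContext` is emitted but hardens nothing; and if an operator undefines `web_security_context_privileged` while leaving the feature enabled, `securityContext:` renders with no children and becomes `null`. Since the block is being introduced anyway, it is the natural place for the defensive fields, driven by variables with safe defaults: `allowPrivilegeEscalation: {{ web_security_context_privileged }}` (it must be true whenever privileged is true, hence the same variable), `capabilities: {drop: [ALL]}` when not privileged, and `runAsNonRoot: true` if the image runs as a non-root user (not visible here). The same shape is repeated in the task and redis hunks on this line and the memcached hunk on the next, so a Jinja macro taking the variable prefix would keep the four copies in step. Leave `privileged: {{ ... }}` unquoted: it renders Python's `True`/`False`, which YAML 1.1 loaders read as booleans, whereas quoting would make it a string and break the manifest.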
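Review bot: `runAsUser: {{ redis_security_context_user }}` is set without a matching `runAsGroup` or pod-level `fsGroup`, so the redis process can only write volumes that are world-writable or owned by that UID; the data and socket mounts are outside this hunk, so please confirm they are writable by UID 1001 (the official `redis` image's entrypoint only drops privileges itself when started as root, and its own service user is 999 if I recall the Dockerfile correctly). A short comment above the block would record that dependency, e.g. `{# runAsUser must be able to write the redis data/socket volumes #}`. The memcached hunk on the next line has the same shape and the same open question.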
@@ -295,6 +314,15 @@ spec:
 cpu: "{{ redis_cpu_limit }}m"
 {% endif %}
 - name: {{ kubernetes_deployment_name }}-memcached
+{% if memcached_security_context_enabled is defined and memcached_security_context_enabled | bool %}
+ securityContext:
+{% if memcached_security_context_privileged is defined %}
+ privileged: {{ memcached_security_context_privileged }}
+{% endif %}
+{% if memcached_security_context_user is defined %}
+ runAsUser: {{ memcached_security_context_user }}
+{% endif %}
+{% endif %}
 image: "{{ kubernetes_memcached_image }}:{{ kubernetes_memcached_version }}"
 imagePullPolicy: Always
 command:
From 4a9603a7ea10163f980b355dda510dafb4c062dc Mon Sep 17 00:00:00 2001
From: mosad
Date: Fri, 29 May 2020 20:24:49 +0200
Subject: [PATCH 2/4] Allow priv container for awx_task and option to create psp

---
 installer/roles/kubernetes/defaults/main.yml | 6 +-
 .../kubernetes/templates/deployment.yml.j2 | 64 +++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/installer/roles/kubernetes/defaults/main.yml b/installer/roles/kubernetes/defaults/main.yml
index 3bb3aacbf4..659c4c04bb 100644
--- a/installer/roles/kubernetes/defaults/main.yml
+++ b/installer/roles/kubernetes/defaults/main.yml
@@ -14,6 +14,10 @@ kubernetes_task_image: "{{ tower_package_name | default('ansible/awx_task') }}"
 kubernetes_web_version: "{{ tower_package_version | default(dockerhub_version) }}"
 kubernetes_web_image: "{{ tower_package_name | default('ansible/awx_web') }}"
+awx_psp_create: false
+awx_psp_name: 'awx'
+awx_psp_privileged: true
+
 web_mem_request: 1
 web_cpu_request: 500
 web_security_context_enabled: true
@@ -22,7 +26,7 @@ web_security_context_privileged: false
 task_mem_request: 2
 task_cpu_request: 1500
 task_security_context_enabled: true
-task_security_context_privileged: false
+task_security_context_privileged: true
 redis_mem_request: 2
 redis_cpu_request: 500
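Review bot: `awx_psp_privileged: true` and the flip of `task_security_context_privileged` back to `true` (second defaults hunk) undo the unprivileged task default introduced in the first patch without a comment saying why; the task container's need for privilege is not visible in these hunks, so a one-line comment such as `# awx_task needs privileged mode for <reason — fill in>; awx_psp_privileged must stay true while it does` would let operators weigh the trade-off. Because `awx_psp_privileged` feeds both `privileged` and `allowPrivilegeEscalation` in the PodSecurityPolicy, the defaults should also state that it must be true whenever any `*_security_context_privileged` is true, otherwise PSP admission rejects the pod. `awx_psp_name: 'awx'` uses single quotes while the neighbouring strings in this file use double quotes; pick one style.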
diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2
index 9334a44a50..243b235c91 100644
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@@ -15,6 +15,70 @@ imagePullSecrets:
 - name: "{{ kubernetes_image_pull_secrets }}"
 {% endif %}
+{% if awx_psp_create is defined and awx_psp_create | bool %}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ awx_psp_name }}-psp
+spec:
+{% if awx_psp_privileged is defined %}
+ privileged: {{ awx_psp_privileged }}
+ allowPrivilegeEscalation: {{ awx_psp_privileged }}
+{% endif %}
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: {{ kubernetes_namespace }}
+ name: {{ awx_psp_name }}-role
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - {{ awx_psp_name }}-psp
+ verbs:
+ - use
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ awx_psp_name }}-role-binding
+ namespace: {{ kubernetes_namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ awx_psp_name }}-role
+subjects:
+- kind: ServiceAccount
+ name: awx
+ namespace: {{ kubernetes_namespace }}
+{% endif %}
+
 ---
 apiVersion: {{ kubernetes_deployment_api_version }}
 kind: Deployment
From 7d0c49c0435463ce053ff12fc2ea20f86e8d4756 Mon Sep 17 00:00:00 2001
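Review bot: The PodSecurityPolicy pairs `privileged: {{ awx_psp_privileged }}` (true by default) with `requiredDropCapabilities: - ALL` and `runAsUser: rule: 'MustRunAsNonRoot'`, which is internally inconsistent: a privileged container in practice receives the full capability set regardless of the drop list, so the drop buys nothing while privilege is allowed, and `MustRunAsNonRoot` rejects any container whose image runs as root unless `runAsUser` is set — the web and task containers set no `runAsUser` anywhere in this series, so whether their images satisfy the rule needs confirming before `awx_psp_create: true` is usable. The RoleBinding hard-codes `name: awx` for the ServiceAccount while every other name is templated; if the ServiceAccount defined elsewhere in this template carries that fixed name this works, but a shared variable would stop them drifting apart. `policy/v1beta1` PodSecurityPolicy was later deprecated in Kubernetes 1.21 and removed in 1.25, so a comment above the `{% if awx_psp_create ... %}` line naming that dependency would help future maintainers, e.g. `{# PodSecurityPolicy (policy/v1beta1) is only available on clusters that still serve that API #}`.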
From: mosad
Date: Fri, 5 Jun 2020 23:41:20 +0200
Subject: [PATCH 3/4] Fix conflict

---
 installer/roles/kubernetes/templates/deployment.yml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2
index 243b235c91..12ab4c1411 100644
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@@ -159,7 +159,7 @@ spec:
 privileged: {{ web_security_context_privileged }}
 {% endif %}
 {% endif %}
- image: "{{ kubernetes_web_image }}:{{ kubernetes_web_version }}"
+ image: "{{ kubernetes_awx_image }}:{{ kubernetes_web_version }}"
 imagePullPolicy: Always
 ports:
 - containerPort: 8052
From 1e6437b7739d51ef8f228be9c51457acfc9e12c2 Mon Sep 17 00:00:00 2001
From: mosad
Date: Sat, 6 Jun 2020 00:17:26 +0200
Subject: [PATCH 4/4] Resolve conflict 2

---
 .../roles/kubernetes/templates/deployment.yml.j2 | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2
index 12ab4c1411..7ab8a2804c 100644
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@@ -214,12 +214,12 @@ spec:
 readOnly: true
 - name: {{ kubernetes_deployment_name }}-supervisor-web-config
- mountPath: "/supervisor.conf"
+ mountPath: "/etc/supervisord.conf"
 subPath: supervisor.conf
 readOnly: true
 - name: {{ kubernetes_deployment_name }}-supervisor-task-config
- mountPath: "/supervisor_task.conf"
+ mountPath: "/etc/supervisord_task.conf"
 subPath: supervisor_task.conf
 readOnly: true
@@ -294,12 +294,12 @@ spec:
 readOnly: true
 - name: {{ kubernetes_deployment_name }}-supervisor-web-config
- mountPath: "/supervisor.conf"
+ mountPath: "/etc/supervisord.conf"
 subPath: supervisor.conf
 readOnly: true
 - name: {{ kubernetes_deployment_name }}-supervisor-task-config
- mountPath: "/supervisor_task.conf"
+ mountPath: "/etc/supervisord_task.conf"
 subPath: supervisor_task.conf
 readOnly: true
@@ -315,7 +315,7 @@ spec:
 mountPath: "/var/run/memcached"
 env:
 - name: SUPERVISOR_WEB_CONFIG_PATH
- value: "/supervisor.conf"
+ value: "/etc/supervisord.conf"
 - name: AWX_SKIP_MIGRATIONS
 value: "1"
 - name: MY_POD_UID
@@ -591,4 +591,4 @@ spec:
 name: {{ kubernetes_deployment_name }}-web-svc
 weight: 100
 wildcardPolicy: None
-{% endif %}
+{% endif %}
\ No newline at end of file