Feature/895 - helm chart security fixes for OasisPlatform #938
Conversation
sambles
changed the title
sambles
changed the title
| @@ -174,6 +176,7 @@ spec: | |||
|
|
|||
| volumes: | |||
| - name: realm-config | |||
| #readOnly: true | |||
There was a problem hiding this comment.
was this tested as ReadOnly, it should work since its not intended to be edited?
| @@ -16,7 +16,7 @@ spec: | |||
| app: {{ $name }} | |||
| strategy: | |||
| type: Recreate | |||
| replicas: 0 | |||
| replicas: 1 | |||
There was a problem hiding this comment.
Set this back to the default of 0
| securityContext: | ||
| readOnlyRootFilesystem: true |
There was a problem hiding this comment.
Error: INSTALLATION FAILED: YAML parse error on oasis/templates/oasis_worker_controller.yaml: error converting YAML to JSON: yaml: line 63: did not find expected '-' indicator
Indention error
| securityContext: | ||
| readOnlyRootFilesystem: true |
There was a problem hiding this comment.
Keycloak fails with a readOnly Filesystem:
NAME READY STATUS RESTARTS AGE
...
keycloak-5f7cc8c7c7-ngpp2 0/1 CrashLoopBackOff 5 (106s ago) 7m29s
ERROR: java.nio.file.FileSystemException: /opt/keycloak/lib/quarkus/quarkus-application.dat: Read-only file system
ERROR: /opt/keycloak/lib/quarkus/quarkus-application.dat: Read-only file system
For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.
See keycloak/keycloak#11286 for workaround
| @@ -202,6 +202,8 @@ spec: | |||
| {{- include "h.initTcpAvailabilityCheckBySecret" (list . .Values.databases.oasis_db.name .Values.databases.celery_db.name .Values.databases.channel_layer.name) | nindent 8}} | |||
| containers: | |||
| - image: {{ .Values.images.oasis.platform.image }}:{{ .Values.images.oasis.platform.version }} | |||
| securityContext: | |||
| readOnlyRootFilesystem: true | |||
There was a problem hiding this comment.
celery beat fails because it needs access to a temp dir:
celery-beat-848fcc5cb-jlgbn 0/1 CrashLoopBackOff 6 (3m54s ago) 11m
File "/usr/lib/python3.10/tempfile.py", line 438, in gettempdir
return _os.fsdecode(_gettempdir())
File "/usr/lib/python3.10/tempfile.py", line 431, in _gettempdir
tempdir = _get_default_tempdir()
File "/usr/lib/python3.10/tempfile.py", line 362, in _get_default_tempdir
raise FileNotFoundError(_errno.ENOENT,
FileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/var/www/oasis']
Try mounting a RW volume to allow writing tmp files (see keycloak link)
| @@ -50,12 +50,15 @@ spec: | |||
| annotations: | |||
| checksum/{{ .Values.oasisServer.name }}: {{ toJson .Values.oasisWebsocket | sha256sum }} | |||
| spec: | |||
| #automountServiceAccountToken: false | |||
There was a problem hiding this comment.
PR is missing this request from the ticket
Disable automounting API credentials (service account or pod level, automountServiceAccountToken: false). If Kubernetes API is needed than it should be explicitly mounted.
I think this line should read as true (explicitly allowed for just this pod) while the default at the ServiceAccount level should be automount disabled (so all other pods don't have access
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
automountServiceAccountToken: True
There was a problem hiding this comment.
OasisPlatform/kubernetes/charts/oasis-platform/templates/oasis.yaml
Lines 252 to 273 in 534c45d
oasis-task-controller is also missing its ReadOnly mount, but that will also need a Read/Write mount to the /tmp directory, otherwise it will also crash, like with celery beat.
Feature/895
**IMPORTANT: Please attach or create an issue after submitting a Pull Request.
Helm chart security fixes for OasisPlatform
Modified files for Helm