Description
Is your feature request related to a problem? Please describe.
The default artemis helm-chart is not deployable on a k8s cluster with securityContext and non-root users requirements.
Describe the solution you'd like
- Images should be built to run as a non-root user.

```dockerfile
...
RUN addgroup -g 15221 appuser
RUN adduser -S -u 15221 -G appuser appuser
RUN chown -R 15221:15221 /needed/path/for/proc
...
USER appuser:appuser
...
```
- helm-chart templates should include securityContext settings

```yaml
...
spec:
  template:
    spec:
      securityContext:
        runAsUser: 15221
        runAsGroup: 15221
        fsGroup: 15221
      containers:
        ...
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
...
```
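An added example, not from the issue or the Artemis chart: a small pre-deploy gate in Python that walks a Deployment's pod template (the `spec.template.spec` mapping, e.g. as loaded with `yaml.safe_load` from a rendered chart) and reports which of the settings listed above are missing, including a container-level `runAsUser: 0` that would silently override the pod-level value. Both sample specs are constructed for the example.

```python
"""Pre-deploy gate for the securityContext settings requested in the issue.
Added example; not part of the Artemis helm chart."""
from typing import Dict, List


def check_pod_template(pod_spec: Dict) -> List[str]:
    """Return a list of findings; an empty list means the template complies."""
    findings: List[str] = []
    pod_sc = pod_spec.get("securityContext") or {}
    if not pod_sc.get("runAsUser"):            # missing or 0 means root
        findings.append("pod: runAsUser missing or 0")
    if not pod_sc.get("fsGroup"):
        findings.append("pod: fsGroup missing (mounted volumes stay root-owned)")
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        drops = (sc.get("capabilities") or {}).get("drop", [])
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if (sc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
            findings.append(f"{name}: seccompProfile.type is not RuntimeDefault")
        # A container-level runAsUser: 0 wins over the pod-level setting.
        if sc.get("runAsUser") == 0:
            findings.append(f"{name}: runAsUser 0 overrides pod-level value")
    return findings


# Constructed sample mirroring the hardened template from the issue.
HARDENED = {
    "securityContext": {"runAsUser": 15221, "runAsGroup": 15221, "fsGroup": 15221},
    "containers": [{
        "name": "postgres",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
    }],
}
# Constructed sample: a chart default with no securityContext at all.
DEFAULT = {"containers": [{"name": "postgres", "image": "timescale/timescaledb:2.8.1-pg14"}]}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED), ("default", DEFAULT)):
        print(label, check_pod_template(spec) or "OK")
```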
Describe alternatives you've considered
I have modified the helm-chart templates and the Dockerfiles to fulfill this requirement. However, once Artemis releases a new update and we would like to upgrade the deployment, we would then have to again modify each Dockerfile to ensure compatibility with the cluster requirements.
The only container that needed heavier modification was the postgres-deployment.yaml and its Dockerfile.
Dockerfile

```dockerfile
FROM timescale/timescaledb:2.8.1-pg14
RUN mkdir /postgres
WORKDIR /postgres
COPY postgres-entrypoint.sh .
RUN addgroup -g 15221 appuser
RUN adduser -S -u 15221 -G appuser appuser
RUN chown 15221:15221 /var/run/postgresql
RUN chown 15221:15221 postgres-entrypoint.sh
RUN chown -R 15221:15221 /var/lib/postgresql/data/pgdata
USER appuser
# The script lives in WORKDIR (/postgres), so it must be invoked with an explicit path.
CMD ["./postgres-entrypoint.sh"]
```
postgres-entrypoint.sh

```bash
#!/bin/bash
if [[ "${DB_BACKUP}" == "true" ]]; then
    cat > /etc/periodic/daily/backup <<EOF
#!/bin/sh
pg_dump -d $POSTGRES_DB -U $POSTGRES_USER -F t -f /tmp/db.tar > /tmp/db.log 2>&1
EOF
    chmod +x /etc/periodic/daily/backup
else
    [ -e /etc/periodic/daily/backup ] && rm /etc/periodic/daily/backup
fi

re='^[0-9]+$'
if [[ $DB_AUTOCLEAN =~ $re ]]; then
    cat > /etc/periodic/hourly/cleanup <<EOF
#!/bin/sh
psql -d $POSTGRES_DB -U $POSTGRES_USER -c "DELETE FROM bgp_updates WHERE timestamp < NOW() - interval '${DB_AUTOCLEAN} hours' AND hijack_key=ARRAY[]::text[];"
EOF
    chmod +x /etc/periodic/hourly/cleanup
else
    [ -e /etc/periodic/hourly/cleanup ] && rm /etc/periodic/hourly/cleanup
fi

re='^[0-9]+$'
if [[ $DB_HIJACK_DORMANT =~ $re ]]; then
    cat > /etc/periodic/hourly/dormant <<EOF
#!/bin/sh
psql -d $POSTGRES_DB -U $POSTGRES_USER -c "UPDATE hijacks SET dormant=true WHERE time_last < NOW() - interval '${DB_HIJACK_DORMANT} hours' AND active=true AND dormant=false;"
EOF
    chmod +x /etc/periodic/hourly/dormant
else
    [ -e /etc/periodic/hourly/dormant ] && rm /etc/periodic/hourly/dormant
fi

#crond && docker-entrypoint.sh postgres
```
postgres-deployment.yaml

```yaml
...
    # Moved the script content to be run inside Dockerfile before switching to user appuser.
    # This allows for setting up the cron jobs. The app is then started as the non-root user.
    # Had to also provide `-c max_connections=50` as well, since the default 25 in our deployment was not enough.
    command: ['/bin/sh', '-c']
    args: ['crond && docker-entrypoint.sh postgres -c max_connections=50']
    #- ./postgres-entrypoint.sh
    volumeMounts:
    #  - mountPath: /postgres-entrypoint.sh
    #    name: postgres-configmap0
    #    subPath: postgres-entrypoint.sh
      - mountPath: /docker-entrypoint-initdb.d/zinit.sql
        name: postgres-configmap1
        subPath: init.sql
      - mountPath: /docker-entrypoint-initdb.d/data/
        name: postgres-configmap2
      - mountPath: /docker-entrypoint-initdb.d/libs/rabbitmq/
        name: postgres-configmap3
      - mountPath: /var/lib/postgresql/data/
        name: postgres-pvc
        readOnly: false
        subPath: postgres-data
      - mountPath: /var/lib/postgresql/data/pgdata/postgresql.conf
        name: postgres-configmap0
        subPath: postgresql.conf
      - mountPath: /tmp/
        name: postgres-pvc
        subPath: postgres-backup
...
```
Additional thoughts
I think that the templates could conditionally include the securityContext specifications if incompatibilities with older k8s versions are expected?