Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security context not respected #7

Closed
unguiculus opened this issue Feb 22, 2019 · 10 comments
Closed

Security context not respected #7

unguiculus opened this issue Feb 22, 2019 · 10 comments

Comments

@unguiculus
Copy link
Contributor

I'm trying to use local-path-provisioner with kind. While it seems to generally work with multi-node clusters, security contexts are not respected. Volumes are always mounted with root as group. Here's a simple example that demonstrates this:

apiVersion: v1
kind: Pod
metadata:
  name: local-path-test
  labels:
    app.kubernetes.io/name: local-path-test
spec:
  containers:
    - name: test
      image: busybox
      command:
        - /config/test.sh
      volumeMounts:
        - name: test
          mountPath: /test
        - name: config
          mountPath: /config
  securityContext:
    fsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
  terminationGracePeriodSeconds: 0
  volumes:
    - name: test
      persistentVolumeClaim:
        claimName: local-path-test
    - name: config
      configMap:
        name: local-path-test
        defaultMode: 0555

---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: local-path-test
  labels:
    app.kubernetes.io/name: local-path-test
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: "1Gi"
  storageClassName: local-path

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: local-path-test
  labels:
    app.kubernetes.io/name: local-path-test
data:
  test.sh: |
    #!/bin/sh

    ls -al /test

    echo 'Hello from local-path-test'
    cp /config/text.txt /test/test.txt
    touch /test/foo

  text.txt: |
    some test content

Here's the log from the container:

total 4
drwxr-xr-x    2 root     root            40 Feb 22 09:50 .
drwxr-xr-x    1 root     root          4096 Feb 22 09:50 ..
Hello from local-path-test
cp: can't create '/test/test.txt': Permission denied
touch: /test/foo: Permission denied

As can be seen, the mounted volume has root as group instead of 1000 as specified by the security context. I also installed local-path-provisioner on Docker4Mac. The result is the same, so it is not a kind issue. Using the default storage class on Docker4Mac, it works as expected.
@unguiculus unguiculus mentioned this issue Feb 22, 2019
Closed
@rimusz
Copy link

rimusz commented Feb 22, 2019

yes, I can confirm that too!

@rimusz rimusz mentioned this issue Feb 22, 2019
Merged
@aojea
Copy link

aojea commented Feb 22, 2019

As can be seen, the mounted volume has root as group instead of 1000 as specified by the security context. I also installed local-path-provisioner on Docker4Mac. The result is the same, so it is not a kind issue. Using the default storage class on Docker4Mac, it works as expected.

I verified that the security context work in kind, at least these examples work https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

@unguiculus
Copy link
Contributor Author

@aojea The examples there don't use PVCs.

@aojea
Copy link

aojea commented Feb 22, 2019
edited
Loading

yeah, just wanted to confirm that security context works under kind 😅 , so the problem has to be in the provisioner

@yasker
Copy link
Member

yasker commented Feb 23, 2019
edited
Loading

@unguiculus @rimusz Unfortunately, it's something outside of provisioner's control. It's kubelet who created the directory.

The hostpath type PV doesn't support security context. It has to be root for the volume to be written in. See kubernetes/minikube#1990 and https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/storage/volumes/#hostpath

the directories created on the underlying hosts are only writable by root. You either need to run your process as root in a privileged container or modify the file permissions on the host to be able to write to a hostPath volume

At the end of kubernetes/minikube#1990 there is a workaround provided.

I also found a PR to add fsGroup support to hostpath volume, but it wasn't accepted. kubernetes/kubernetes#39438

@yasker yasker mentioned this issue Feb 23, 2019
Closed
@BenTheElder
Copy link

This is unfortunate :(

Does the security group info at least make it to the provisioner? We could probably fix this in a similar way to how cleanup is handled?

side note: It might be nice to make the image used for cleanup configurable, we can probably use one of the standard kubernetes images in many cases to avoid needing another image to be pulled 😅 (and use a specific version to avoid :latest-> pull image).

@yasker
Copy link
Member

yasker commented Feb 25, 2019

@BenTheElder Yeah this should work. Let me give it a try.

yasker added a commit to yasker/local-path-provisioner that referenced this issue Feb 26, 2019
@yasker
Add security context support by creating a user accessible directory …
0f73345 
…beforehand

The permission of directory is 0770, because when a user login as group
e.g. group 1000, they're also belong to group 0. The default permission
for host path is 0700, which prevent group 0 from accessing the directory.

Fixes rancher#7 .

Also added test case `security-context.yaml` derived from @unguiculus 's
comment on the issue.
@yasker yasker closed this as completed in 3256bdf Feb 26, 2019
@yasker
Copy link
Member

yasker commented Feb 26, 2019

@BenTheElder @unguiculus @rimusz Alright, v0.0.3 has been released and the issue with security context should be fixed.

@BenTheElder I've also thrown in an option for "helper image", which used for creating and deleting (cleanup) directories on the node now.

@BenTheElder
Copy link

Very cool, thank you!

@unguiculus unguiculus mentioned this issue Feb 27, 2019
Merged
yasker pushed a commit that referenced this issue Mar 2, 2019
@unguiculus @yasker
Fix permissions
b8bd3b1 
This is a follow-up PR for #7, since 3256bdf, unfortunately, did not fully fix the issue.

The example I supplied is not ideal. It works with your fix because it uses Busybox which doesn't have group 1000 so the user runs with gid=0. I added `id` to the script which prints the following:

`uid=1000 gid=0(root) groups=0(root),1000`

Now, when I use an image that actually has a user with uid=1000, gid=1000, such as `jenkins/jenkins` it doesn't work because the user does not belong to group 0 in this case:

`uid=1000 gid=0(root) groups=0(root),1000`

This fixes the issue using `0777` as Minikube does.
yasker added a commit that referenced this issue Mar 2, 2019
@yasker
Local Path Provisioner v0.0.4 release
c1d3659 
Thanks to Reinhard Nägele <[email protected]>, one additional PR has
been merged to correctly fix #7 .

See commit message and #9 for details
@praveenkumar praveenkumar mentioned this issue Nov 19, 2019
Closed
@eli-kaplan eli-kaplan mentioned this issue Jul 23, 2021
Closed
@jamesgoodhouse jamesgoodhouse mentioned this issue Aug 27, 2021
Closed
@jamesgoodhouse
Copy link

Hate to ping on a super old issue, but there's #41 that seems to be the same thing that was fixed in this issue. Is this an entirely different thing? I'm currently experiencing troubles getting fsGroup to be respected, even though my config looks very similar to the example one contained in the fix (3256bdf).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@BenTheElder @unguiculus @yasker @jamesgoodhouse @rimusz @aojea