K8S securityContext / runAsNonRoot #383

Open
m4r1u2 opened this issue Jun 9, 2021 · 3 comments · May be fixed by #1728

Comments

m4r1u2 commented Jun 9, 2021

We have a policy of not running any containers as root.
By default it looks like all awx and redis containers are starting as root and will fail/not start in our cluster due to the default PSP in the cluster.

If I manually update the deployment manifest with a SecurityContext for the container, it looks like it's working...

```yaml
containers:
  - name: redis
    securityContext:
      runAsUser: 999
...
  - name: awx-ee
    securityContext:
      runAsUser: 1000
...
  - name: awx-web
    securityContext:
      runAsUser: 1000
      runAsGroup: 0
...
  - name: awx-task
    securityContext:
      runAsUser: 1000
      runAsGroup: 0
```

Running as root is generally not a recommended practice.

I also had to manually create a file in the container awx-task:

```
bash-4.4$ touch /var/lib/awx/rsyslog/rsyslog.conf
```

Log output before the fix.
Somehow this file was not generated.

```
rsyslogd: could not open config file '/var/lib/awx/rsyslog/rsyslog.conf': No such file or directory [v8.1911.0-7.el8 try https://www.rsyslog.com/e/2104 ]
rsyslogd: run failed with error -2104 (see rsyslog.h or try https://www.rsyslog.com/e/2104 to learn what that number means)
```

What about adding a SecurityContext or a general spec in the CRDs to override this?
Or sync the Docker image + deployment with the correct non-root user to allow read-write where it's needed.
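
The manifest change above only helps if every container ends up with an effective non-root uid. As an added example (not code from this issue or from the AWX project), the script below audits a Deployment the way a "no root" admission policy would reason about it: a container-level securityContext overrides the pod-level one, and a container with neither runAsUser nor runAsNonRoot falls back to the image's USER, which the manifest alone cannot vouch for. The SAMPLE manifest is constructed from the container names and uids in this issue; pin_uid and audit_deployment are hypothetical helper names.

```python
import copy
from typing import Optional

def effective(pod_sc: Optional[dict], ctr_sc: Optional[dict], key: str):
    """Effective securityContext value: the container-level entry overrides the pod-level one."""
    for sc in (ctr_sc, pod_sc):
        if sc and key in sc:
            return sc[key]
    return None

def audit_deployment(manifest: dict) -> dict:
    """Map each container name to 'ok', 'root' or 'unknown' for a Deployment manifest."""
    pod_spec = manifest["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext")
    verdicts = {}
    for ctr in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        ctr_sc = ctr.get("securityContext")
        uid = effective(pod_sc, ctr_sc, "runAsUser")
        non_root = effective(pod_sc, ctr_sc, "runAsNonRoot")
        if uid == 0:
            verdicts[ctr["name"]] = "root"      # explicitly pinned to uid 0
        elif uid is not None:
            verdicts[ctr["name"]] = "ok"        # explicit non-root uid
        elif non_root is True:
            verdicts[ctr["name"]] = "ok"        # kubelet refuses to start an image whose USER is 0
        else:
            verdicts[ctr["name"]] = "unknown"   # image USER decides; nothing in the manifest enforces it
    return verdicts

def pin_uid(manifest: dict, container: str, uid: int) -> dict:
    """Return a copy of the manifest with runAsUser set on one container (the manual fix from the issue)."""
    patched = copy.deepcopy(manifest)
    for ctr in patched["spec"]["template"]["spec"]["containers"]:
        if ctr["name"] == container:
            ctr.setdefault("securityContext", {})["runAsUser"] = uid
    return patched

# Constructed sample mirroring the issue's deployment, with redis still unpinned.
SAMPLE = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [
        {"name": "redis", "image": "redis"},
        {"name": "awx-ee", "securityContext": {"runAsUser": 1000}},
        {"name": "awx-web", "securityContext": {"runAsUser": 1000, "runAsGroup": 0}},
        {"name": "awx-task", "securityContext": {"runAsUser": 1000, "runAsGroup": 0}},
    ]}}}}

if __name__ == "__main__":
    print(audit_deployment(SAMPLE))                        # redis is 'unknown'
    print(audit_deployment(pin_uid(SAMPLE, "redis", 999))) # redis is 'ok'
```

A pod-level `securityContext: {runAsNonRoot: true}` turns every 'unknown' into 'ok' at admission time, but the kubelet will then refuse to start any image whose USER is still 0, which is exactly the redis failure this issue describes.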

ebarped commented Jun 9, 2021

I'm using the 0.10.0 tag, and my containers run like this:

  • redis: uid=0(root) gid=0(root) groups=0(root)
  • web: uid=1000(awx) gid=0(root) groups=0(root)
  • task: uid=1000(awx) gid=0(root) groups=0(root)
  • ee: uid=1000(runner) gid=0(root) groups=0(root)

So the only one that has to be changed is the redis one.

BTW, I'm having the same problem with the rsyslog file. Also tested 0.9.0 and the same error. Maybe we should raise a different issue.

cnukwas commented Sep 21, 2021

Any idea if this would be part of a future release, to avoid manual changes to the deployment YAML?
OpenShift wouldn't allow pods to run as root by default; it would be ideal to know or set up the SCC as part of the AWX instance or as a pre-requisite step.

toby181 commented Sep 23, 2021

I'm using the postgres and redis image from bitnami as a workaround since they run as non-root.
https://hub.docker.com/r/bitnami/redis/
https://hub.docker.com/r/bitnami/postgresql/

From my awx-demo.yaml file:

```yaml
spec:
  postgres_image: bitnami/postgresql
  # postgres_image_version: 12
  redis_image: bitnami/redis
  # redis_image_version: latest
```
