Run containers as non-root w/o escalation privs

Co-authored-by: Jacob Floyd <[email protected]>

Author: jk464

templates/_helpers.tpl

@@ -422,3 +422,21 @@ Create the custom env list for each deployment
   value: {{ $value | quote }}
   {{- end }}
 {{- end -}}
+
+{{/*
+Define st2web ports
+*/}}
+{{- define "stackstorm-ha.st2web.http_port" -}}
+{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
+8080
+{{- else -}}
+80
+{{- end -}}
+{{- end -}}
+{{- define "stackstorm-ha.st2web.https_port" -}}
+{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
+8443
+{{- else -}}
+443
+{{- end -}}
+{{- end -}}

templates/deployments.yaml

@@ -439,13 +439,15 @@ spec:
         securityContext: {{- toYaml . | nindent 10 }}
         {{- end }}
         ports:
-        - containerPort: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
+        {{- $https_port := include "stackstorm-ha.st2web.https_port" . }}
+        {{- $http_port := include "stackstorm-ha.st2web.http_port" . }}
+        - containerPort: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary $https_port $http_port }}
         # Probe to check if app is running. Failure will lead to a pod restart.
         livenessProbe:
           httpGet:
             scheme: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary "HTTPS" "HTTP" }}
             path: /
-            port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
+            port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary $https_port $http_port }}
           initialDelaySeconds: 1
         # Probe to check if app is ready to serve traffic. Failure will lead to temp stop serving traffic.
         # TODO: Failing to add readinessProbe, since st2 requires authorization (401) and we don't have `/healthz` endpoints yet (https://github.com/StackStorm/st2/issues/4020)
@@ -1644,13 +1646,17 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
+          {{- if eq .Values.st2.system_user.user "root" }}
           mountPath: /root/.st2/
+          {{- else }}
+          mountPath: /home/{{ .Values.st2.system_user.user }}/.st2/
+          {{- end }}
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
         command:
           - 'sh'
           - '-ec'
           - |
-            cat <<EOT > /root/.st2/config
+            cat <<EOT > /home/stanley/.st2/config
             {{- tpl .Values.st2client.st2clientConfig . | nindent 12 }}
             EOT
       containers:
@@ -1683,7 +1689,7 @@ spec:
         {{- end }}
         {{- include "stackstorm-ha.overrides-config-mounts" . | nindent 8 }}
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         - name: st2-ssh-key-vol
           mountPath: {{ tpl .Values.st2.system_user.ssh_key_file . | dir | dir }}/.ssh-key-vol/
         {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}

templates/jobs.yaml

@@ -164,13 +164,13 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
         command:
           - 'sh'
           - '-ec'
           - |
-            cat <<EOT > /root/.st2/config
+            cat <<EOT > /home/stanley/.st2/config
             {{- tpl .Values.jobs.st2clientConfig . | nindent 12 }}
             EOT
       containers:
@@ -197,7 +197,7 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         - name: st2-apikeys-vol
           mountPath: /etc/st2/apikeys.yaml
           subPath: apikeys.yaml
@@ -290,13 +290,13 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
         command:
           - 'sh'
           - '-ec'
           - |
-            cat <<EOT > /root/.st2/config
+            cat <<EOT > /home/stanley/.st2/config
             {{- tpl .Values.jobs.st2clientConfig . | nindent 12 }}
             EOT
       containers:
@@ -325,7 +325,7 @@ spec:
         volumeMounts:
         {{- include "stackstorm-ha.st2-config-volume-mounts" . | nindent 8 }}
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         - name: st2-kv-vol
           mountPath: /etc/st2/st2kv.yaml
           subPath: st2kv.yaml
@@ -660,13 +660,13 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
         command:
           - 'sh'
           - '-ec'
           - |
-            cat <<EOT > /root/.st2/config
+            cat <<EOT > /home/stanley/.st2/config
             {{- tpl $.Values.jobs.st2clientConfig $ | nindent 12 }}
             EOT
       containers:
@@ -692,7 +692,7 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         {{- include "stackstorm-ha.overrides-config-mounts" $ | nindent 8 }}
         {{- include "stackstorm-ha.st2-config-volume-mounts" $ | nindent 8 }}
         {{- include "stackstorm-ha.packs-volume-mounts-for-register-job" $ | nindent 8 }}

templates/services.yaml

@@ -99,8 +99,10 @@ spec:
   {{- end }}
   {{- end }}
   ports:
+  {{- $https_port := include "stackstorm-ha.st2web.https_port" . }}
+  {{- $http_port := include "stackstorm-ha.st2web.http_port" . }}
   - protocol: TCP
-    port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
+    port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary $https_port $http_port }}
 
 {{ if .Values.st2chatops.enabled -}}
 ---

tests/unit/ingress_test.yaml

@@ -64,7 +64,7 @@ tests:
                 servicePort: 80
               - path: /fancy-sensor
                 serviceName: fancy-sensor
-                servicePort: 8080
+                servicePort: {{ template ".stackstorm-ha.st2web.http_port" . }}
         tls: []
       st2web:
         service:
@@ -105,4 +105,4 @@ tests:
             service:
               name: fancy-sensor
               port:
-                number: 8080
+                number: {{ template ".stackstorm-ha.st2web.http_port" . }}

values.yaml

@@ -300,8 +300,11 @@ st2:
 ## Default SecurityContext for pods and containers.
 ## Overrides available for st2web, st2actionrunner, st2sensorcontainer, st2client pods, and custom packs images.
 ##
-podSecurityContext: {}
-securityContext: {}
+podSecurityContext:
+  runAsNonRoot: true
+securityContext:
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
 
 ##
 ## StackStorm HA Ingress
@@ -377,7 +380,10 @@ st2web:
     attach: false
   # override the default .podSecurityContext or .securityContext here
   podSecurityContext: {}
-  securityContext: {}  # NB: nginx requires some capabilities, drop ALL will cause issues.
+  securityContext: # NB: nginx requires some capabilities, drop ALL will cause issues.
+    runAsUser: 999  # run as nginx user
+    runAsGroup: 999 # run as nginx group
+    allowPrivilegeEscalation: false 
   # mount extra volumes on the st2web pod(s) (primarily useful for k8s-provisioned secrets)
   ## Note that Helm templating is supported in 'mount' and 'volume'
   extra_volumes: []
@@ -1050,6 +1056,15 @@ mongodb:
   arbiter:
     enabled: false
   resources: {}
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+    sysctls: []
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
 
 ##
 ## RabbitMQ configuration (3rd party chart dependency)
@@ -1097,7 +1112,12 @@ rabbitmq:
   # As RabbitMQ enabled prometheus operator monitoring by default, disable it for non-prometheus users
   metrics:
     enabled: false
-
+  podSecurityContext:
+    fsGroup: 1001
+    runAsUser: 1001
+    runAsNonRoot: true
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
 ##
 ## Redis HA configuration (3rd party chart dependency)
 ##
@@ -1133,6 +1153,14 @@ redis:
   usePassword: false
   metrics:
     enabled: false
+  securityContext:
+    enabled: true
+    fsGroup: 1001
+    runAsNonRoot: true
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    allowPrivilegeEscalation: false
 
 ##
 ## Settings to be applied to all stackstorm-ha pods