Run containers as non-root w/o escalation privs

Co-authored-by: Jacob Floyd <[email protected]>

Author: jk464

templates/deployments.yaml

@@ -439,13 +439,13 @@ spec:
         securityContext: {{- toYaml . | nindent 10 }}
         {{- end }}
         ports:
-        - containerPort: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
+        - containerPort: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 8443 8080 }}
         # Probe to check if app is running. Failure will lead to a pod restart.
         livenessProbe:
           httpGet:
             scheme: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary "HTTPS" "HTTP" }}
             path: /
-            port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
+            port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 8443 8080 }}
           initialDelaySeconds: 1
         # Probe to check if app is ready to serve traffic. Failure will lead to temp stop serving traffic.
         # TODO: Failing to add readinessProbe, since st2 requires authorization (401) and we don't have `/healthz` endpoints yet (https://github.com/StackStorm/st2/issues/4020)
@@ -1644,13 +1644,17 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
+          {{- if .Values.st2.system_user.user == 'root' }}
           mountPath: /root/.st2/
+          {{- else }}
+          mountPath: /home/{{ .Values.st2.system_user.user }}/.st2/
+          {{- end }}
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
         command:
           - 'sh'
           - '-ec'
           - |
-            cat <<EOT > /root/.st2/config
+            cat <<EOT > /home/stanley/.st2/config
             {{- tpl .Values.st2client.st2clientConfig . | nindent 12 }}
             EOT
       containers:
@@ -1683,7 +1687,7 @@ spec:
         {{- end }}
         {{- include "stackstorm-ha.overrides-config-mounts" . | nindent 8 }}
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         - name: st2-ssh-key-vol
           mountPath: {{ tpl .Values.st2.system_user.ssh_key_file . | dir | dir }}/.ssh-key-vol/
         {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}

templates/jobs.yaml

@@ -164,13 +164,13 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
         command:
           - 'sh'
           - '-ec'
           - |
-            cat <<EOT > /root/.st2/config
+            cat <<EOT > /home/stanley/.st2/config
             {{- tpl .Values.jobs.st2clientConfig . | nindent 12 }}
             EOT
       containers:
@@ -197,7 +197,7 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         - name: st2-apikeys-vol
           mountPath: /etc/st2/apikeys.yaml
           subPath: apikeys.yaml
@@ -290,13 +290,13 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
         command:
           - 'sh'
           - '-ec'
           - |
-            cat <<EOT > /root/.st2/config
+            cat <<EOT > /home/stanley/.st2/config
             {{- tpl .Values.jobs.st2clientConfig . | nindent 12 }}
             EOT
       containers:
@@ -325,7 +325,7 @@ spec:
         volumeMounts:
         {{- include "stackstorm-ha.st2-config-volume-mounts" . | nindent 8 }}
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         - name: st2-kv-vol
           mountPath: /etc/st2/st2kv.yaml
           subPath: st2kv.yaml
@@ -660,13 +660,13 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
         command:
           - 'sh'
           - '-ec'
           - |
-            cat <<EOT > /root/.st2/config
+            cat <<EOT > /home/stanley/.st2/config
             {{- tpl $.Values.jobs.st2clientConfig $ | nindent 12 }}
             EOT
       containers:
@@ -692,7 +692,7 @@ spec:
         {{- end }}
         volumeMounts:
         - name: st2client-config-vol
-          mountPath: /root/.st2/
+          mountPath: /home/stanley/.st2/
         {{- include "stackstorm-ha.overrides-config-mounts" $ | nindent 8 }}
         {{- include "stackstorm-ha.st2-config-volume-mounts" $ | nindent 8 }}
         {{- include "stackstorm-ha.packs-volume-mounts-for-register-job" $ | nindent 8 }}

templates/services.yaml

@@ -100,7 +100,7 @@ spec:
   {{- end }}
   ports:
   - protocol: TCP
-    port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
+    port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 8443 8080 }}
 
 {{ if .Values.st2chatops.enabled -}}
 ---

values.yaml

@@ -300,8 +300,11 @@ st2:
 ## Default SecurityContext for pods and containers.
 ## Overrides available for st2web, st2actionrunner, st2sensorcontainer, st2client pods, and custom packs images.
 ##
-podSecurityContext: {}
-securityContext: {}
+podSecurityContext:
+  runAsNonRoot: true
+securityContext:
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
 
 ##
 ## StackStorm HA Ingress
@@ -377,7 +380,10 @@ st2web:
     attach: false
   # override the default .podSecurityContext or .securityContext here
   podSecurityContext: {}
-  securityContext: {}  # NB: nginx requires some capabilities, drop ALL will cause issues.
+  securityContext: # NB: nginx requires some capabilities, drop ALL will cause issues.
+    runAsUser: 101  # run as nginx user
+    runAsGroup: 101 # run as nginx group
+    allowPrivilegeEscalation: false 
   # mount extra volumes on the st2web pod(s) (primarily useful for k8s-provisioned secrets)
   ## Note that Helm templating is supported in 'mount' and 'volume'
   extra_volumes: []
@@ -1050,6 +1056,15 @@ mongodb:
   arbiter:
     enabled: false
   resources: {}
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+    sysctls: []
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
 
 ##
 ## RabbitMQ configuration (3rd party chart dependency)
@@ -1097,7 +1112,12 @@ rabbitmq:
   # As RabbitMQ enabled prometheus operator monitoring by default, disable it for non-prometheus users
   metrics:
     enabled: false
-
+  podSecurityContext:
+    fsGroup: 1001
+    runAsUser: 1001
+    runAsNonRoot: true
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
 ##
 ## Redis HA configuration (3rd party chart dependency)
 ##
@@ -1133,6 +1153,14 @@ redis:
   usePassword: false
   metrics:
     enabled: false
+  securityContext:
+    enabled: true
+    fsGroup: 1001
+    runAsNonRoot: true
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    allowPrivilegeEscalation: false
 
 ##
 ## Settings to be applied to all stackstorm-ha pods