Not sure about Exercise 6.6, security review
Hi,
I am not 100% sure I nailed the exercise in the topic.
In order to make nginx run I had to add a fsGroup: 101 so that the pod mounted the volumes with the correct user/group permissions (mounted volumes in order to overcome the permission denied issues I had with /var/cache/nginx and /var/run)
Also, it seems that using capabilities when the pod is not running as root won't work (https://github.com/kubernetes/kubernetes/issues/56374) so I used the suggested sysctls (https://github.com/kubernetes/kubernetes/issues/56374#issuecomment-928917495). What I am not sure about is the fact that I had to modify the pod securityContext rather than the container securityContext and that the course does not mention sysctls in the Lab 6.6.
here's my solution:
apiVersion: v1
kind: Pod
metadata:
name: securityreview
spec:
securityContext:
runAsUser: 101
fsGroup: 101 ##need this in order to mount volumes with correct permission
sysctls: ## this was found in in issue 56374: https://github.com/kubernetes/kubernetes/issues/56374#issuecomment-928917495
- name: net.ipv4.ip_unprivileged_port_start
value: "78" #pick a port number less than 80 and it will work
containers:
- name: webguy
image: nginx
securityContext:
runAsUser: 101
allowPrivilegeEscalation: false
# this is not working because when going from UID 0 to UID <> 0 the capabilities are removed
# capabilities:
# add: ["NET_ADMIN","NET_BIND_SERVICE"]
volumeMounts:
- name: nginx-temp
mountPath: /var/cache/nginx
- name: run-temp
mountPath: /var/run
volumes:
- name: nginx-temp
emptyDir: {}
- name: run-temp
emptyDir: {}
Is this a correct answer or am I missing something ?
Answers
-
Yes this indeed works i tried and it worked for me too. But why do we have to use the fsGroup and sysctls which are not even explained in the labs and also why we have to use volumes and volumemounts?
1 -
because the content creators, either purposely or neglectfully, left course takers to flounder in this domain review. leaving everyone to come up with their own solutions and maybe along the way absorbing some of the content by trial and error.
0
Categories
- All Categories
- 177 LFX Mentorship
- 177 LFX Mentorship: Linux Kernel
- 754 Linux Foundation IT Professional Programs
- 374 Cloud Engineer IT Professional Program
- 170 Advanced Cloud Engineer IT Professional Program
- 74 DevOps IT Professional Program - Discontinued
- 5 DevOps & GitOps IT Professional Program
- 100 Cloud Native Developer IT Professional Program
- 7.6K Training Courses & Learning Paths
- 2 AI & ML Training
- 1 Blockchain & Decentralized Identity Training
- 5 Cloud & Containers Training
- 1 Cybersecurity Training
- 2 DevOps & Site-Reliability Training
- 1 Linux Kernel Development Training
- 1 Networking Training
- 2 Open Source Best Practice Training
- 2 System Administration Training
- 1 System Engineering Training
- 1 Web & Application Development Training
- 794 Hardware
- 202 Drivers
- 68 I/O Devices
- 37 Monitors
- 95 Multimedia
- 173 Networking
- 91 Printers & Scanners
- 89 Storage
- 769 Linux Distributions
- 81 Debian
- 68 Fedora
- 22 Linux Mint
- 13 Mageia
- 24 openSUSE
- 150 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 356 Ubuntu
- 465 Linux System Administration
- 31 Cloud Computing
- 73 Command Line/Scripting
- Github systems admin projects
- 98 Linux Security
- 78 Network Management
- 101 System Management
- 46 Web Management
- 112 Mobile Computing
- 20 Android
- 77 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 393 Off Topic
- 121 Introductions
- 182 Small Talk
- 29 Study Material
- 977 Programming and Development
- 310 Kernel Development
- 649 Software Development
- 990 Software
- 382 Applications
- 182 Command Line
- 5 Compiling/Installing
- 68 Games
- 317 Installation
- Archived
- 2 LFD140 Class Forum
- 1.4K LFS258 Class Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)