
Not sure about Exercise 6.6, security review

marco.ferretti
marco.ferretti Posts: 14
edited January 17 in LFD259 Class Forum

Hi,
I am not 100% sure I nailed the exercise in the topic.
In order to make nginx run I had to add an fsGroup: 101 so that the pod mounted the volumes with the correct user/group permissions (I mounted volumes in order to overcome the permission denied issues I had with /var/cache/nginx and /var/run).
Also, it seems that using capabilities when the pod is not running as root won't work (https://github.com/kubernetes/kubernetes/issues/56374), so I used the suggested sysctls (https://github.com/kubernetes/kubernetes/issues/56374#issuecomment-928917495). What I am not sure about is the fact that I had to modify the pod securityContext rather than the container securityContext, and that the course does not mention sysctls in Lab 6.6.

Here's my solution:

apiVersion: v1
kind: Pod
metadata:
  name: securityreview
spec:
  securityContext:
    runAsUser: 101
    fsGroup: 101  ## need this in order to mount volumes with correct permission
    sysctls:   ## this was found in issue 56374: https://github.com/kubernetes/kubernetes/issues/56374#issuecomment-928917495
    - name: net.ipv4.ip_unprivileged_port_start
      value: "78" # pick a port number less than 80 and it will work
  containers:
  - name:  webguy
    image: nginx
    securityContext:
      runAsUser: 101
      allowPrivilegeEscalation: false
      # this is not working because when going from UID 0 to UID <> 0 the capabilities are removed
      # capabilities:
      #   add: ["NET_ADMIN","NET_BIND_SERVICE"]

    volumeMounts:
    - name: nginx-temp
      mountPath: /var/cache/nginx
    - name: run-temp
      mountPath: /var/run

  volumes:
  - name: nginx-temp
    emptyDir: {}
  - name: run-temp
    emptyDir: {}

Is this a correct answer or am I missing something?
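As an added example (not part of the post or the course material), here is a small review helper that checks a pod spec, given as a Python dict, for the non-root nginx requirements the post works through: a non-zero UID, allowPrivilegeEscalation off, no added capabilities that would be ineffective for a non-root UID, the ip_unprivileged_port_start sysctl when listening on port 80, writable mounts for /var/cache/nginx and /var/run, and fsGroup. The function name and the findings wording are my own; the manifest is the one from the post transcribed as a dict.

```python
# Added review helper (not the course's or the poster's code): checks a pod spec,
# given as a Python dict, for the non-root nginx requirements discussed above.
NGINX_WRITABLE_PATHS = {"/var/cache/nginx", "/var/run"}  # paths nginx writes to at startup

POST_POD = {  # the manifest from the post, transcribed as a dict
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "securityreview"},
    "spec": {
        "securityContext": {"runAsUser": 101, "fsGroup": 101,
                            "sysctls": [{"name": "net.ipv4.ip_unprivileged_port_start", "value": "78"}]},
        "containers": [{"name": "webguy", "image": "nginx",
                        "securityContext": {"runAsUser": 101, "allowPrivilegeEscalation": False},
                        "volumeMounts": [{"name": "nginx-temp", "mountPath": "/var/cache/nginx"},
                                         {"name": "run-temp", "mountPath": "/var/run"}]}],
        "volumes": [{"name": "nginx-temp", "emptyDir": {}}, {"name": "run-temp", "emptyDir": {}}],
    },
}

def review_pod(pod, listen_port=80):
    """Return a list of findings for the pod spec; an empty list means it passes."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    sysctls = {s["name"]: s["value"] for s in pod_sc.get("sysctls", [])}
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        # container-level runAsUser overrides the pod-level one
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid in (None, 0):
            findings.append(f"{c['name']}: runs as root (no non-zero runAsUser)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{c['name']}: allowPrivilegeEscalation is not false")
        added = (sc.get("capabilities") or {}).get("add", [])
        if uid not in (None, 0) and added:
            # added capabilities are not effective for a non-root UID (kubernetes issue 56374)
            findings.append(f"{c['name']}: capabilities {added} added but ineffective for UID {uid}")
        if uid not in (None, 0) and listen_port < 1024:
            # a non-root process can only bind ports >= net.ipv4.ip_unprivileged_port_start
            start = int(sysctls.get("net.ipv4.ip_unprivileged_port_start", 1024))
            if start > listen_port:
                findings.append(f"{c['name']}: port {listen_port} needs "
                                f"net.ipv4.ip_unprivileged_port_start <= {listen_port} (is {start})")
        mounted = {m["mountPath"] for m in c.get("volumeMounts", [])}
        for path in sorted(NGINX_WRITABLE_PATHS - mounted):
            findings.append(f"{c['name']}: no writable volume mounted at {path}")
    if "fsGroup" not in pod_sc:
        findings.append("pod: fsGroup not set; mounted volumes may not be writable by the container UID")
    return findings
```

Running `review_pod(POST_POD)` returns an empty list; re-adding the commented-out capabilities or dropping the sysctl produces the corresponding findings.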
