Welcome to the Linux Foundation Forum!

Not sure about Exercise 6.6, security review

marco.ferretti
marco.ferretti Posts: 15
edited January 17 in LFD259 Class Forum

Hi,
I am not 100% sure I nailed the exercise in the topic.
In order to make nginx run I had to add a fsGroup: 101 so that the pod mounted the volumes with the correct user/group permissions (mounted volumes in order to overcome the permission denied issues I had with /var/cache/nginx and /var/run)
Also, it seems that using capabilities when the pod is not running as root won't work (https://github.com/kubernetes/kubernetes/issues/56374) so I used the suggested sysctls (https://github.com/kubernetes/kubernetes/issues/56374#issuecomment-928917495). What I am not sure about is the fact that I had to modify the pod securityContext rather than the container securityContext and that the course does not mention sysctls in the Lab 6.6.

here's my solution:

apiVersion: v1
kind: Pod
metadata:
  name: securityreview
spec:
  securityContext:
    runAsUser: 101
    fsGroup: 101  ##need this in order to mount volumes with correct permission
    sysctls:   ## this was found in in issue 56374: https://github.com/kubernetes/kubernetes/issues/56374#issuecomment-928917495
    - name: net.ipv4.ip_unprivileged_port_start
      value: "78" #pick a port number less than 80 and it will work
  containers:
  - name:  webguy
    image: nginx
    securityContext:
      runAsUser: 101
      allowPrivilegeEscalation: false
# this is not working because when going from UID 0 to UID <> 0 the capabilities are removed        
#      capabilities:
#        add: ["NET_ADMIN","NET_BIND_SERVICE"]

    volumeMounts:
    - name: nginx-temp
      mountPath: /var/cache/nginx
    - name: run-temp
      mountPath: /var/run

  volumes:
  - name: nginx-temp
    emptyDir: {}
  - name: run-temp
    emptyDir: {}

Is this a correct answer or am I missing something ?

Answers

  • giuliengi87
    giuliengi87 Posts: 8

    Yes this indeed works i tried and it worked for me too. But why do we have to use the fsGroup and sysctls which are not even explained in the labs and also why we have to use volumes and volumemounts?

Categories

Upcoming Training