aws-for-fluent-bit: provide realistic runAsNonRoot security context values #928

Open
joebowbeer opened this issue Mar 28, 2023 · 1 comment · May be fixed by #1168

Comments

joebowbeer (Contributor) commented Mar 28, 2023

Provide realistic values for running fluent-bit as a non-root user:

I am not sure what securityContext Fluent Bit needs to run correctly.
Once this change is in, I think a separate PR could be used to determine
what a default standard policy should look like.

Originally posted by @razorsk8jz in #923 (comment)

The security context comments in values.yaml are not usable:

```yaml
podSecurityContext: {}
# runAsUser: 1000
# runAsGroup: 1000
# runAsNonRoot: true
# seccompProfile:
#   type: RuntimeDefault
containerSecurityContext: {}
# allowPrivilegeEscalation: false
# capabilities:
#   drop:
#   - ALL
```

Issues:

  1. The user and group ids do not exist in the aws-for-fluent-bit image. AFAICT the image is based on amazonlinux/scratch and does not define any non-root users.
  2. All the files in the image are owned by 0:0 (root) so runAsNonRoot probably won't suffice, at least not without some additional capabilities, such as FOWNER
  3. Typical deployments will enable storage.path (e.g., /var/fluent-bit/state/flb-storage/), which appears to need a hostPath

Related:

#719

joebowbeer changed the title from "aws-for-fluent-bit: provide realistic runAsNonRoot pod security policy values" to "aws-for-fluent-bit: provide realistic runAsNonRoot security context values" on Mar 28, 2023
razorsk8jz (Contributor) commented Mar 29, 2023

Posted in fluent/helm-charts#330 as well, but I was able to get aws-for-fluent-bit running with the following permissions:

```yaml
podSecurityContext:
  runAsUser: 0
  seccompProfile:
    type: RuntimeDefault
containerSecurityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  privileged: false
  capabilities:
    drop:
    - ALL
```

I'm working to get as close to the Pod Security Standards of Restricted which you can see here https://kubernetes.io/docs/concepts/security/pod-security-standards/

but the above policy still fails with:

```text
W0329 12:40:59.452300     127 warnings.go:70] would violate PodSecurity "restricted:latest": restricted volume types (volumes "varlog", "varlibdockercontainers" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "aws-for-fluent-bit" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0)
```
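The three findings in that warning follow directly from the Restricted profile rules linked above. As an added example (not code from the aws-for-fluent-bit project or from either commenter), the checker below models those rules offline and replays them against two constructed Pod specs: the securityContext razorsk8jz posted, with the two hostPath volumes the warning names ("varlog", "varlibdockercontainers"; their host paths are assumed), and a hypothetical variant that satisfies the profile. The UID 65532 and the emptyDir volumes in the second spec are assumptions chosen only to show a passing check; they do not address the thread's issues 1 through 3 (no non-root user in the image, root-owned files, storage.path needing a hostPath), and the checker says nothing about whether Fluent Bit actually runs under them.

```python
"""Offline model of the Pod Security Standards 'restricted' profile checks that the
warning in the thread cites (volume types, runAsNonRoot, runAsUser=0), plus the other
restricted-profile fields (privileged, allowPrivilegeEscalation, capabilities,
seccompProfile). It models admission rules only, not whether the workload works."""
from __future__ import annotations

from typing import Any

# Volume types the restricted profile permits; anything else, hostPath included, is rejected.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _effective(pod_sc: dict, ctr_sc: dict, key: str) -> Any:
    """Container-level securityContext fields override the pod-level ones."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def restricted_violations(pod_spec: dict) -> list[str]:
    """Return restricted-profile violations for a Pod spec; an empty list means admitted."""
    out: list[str] = []
    pod_sc = pod_spec.get("securityContext") or {}

    # A volume's type is whichever key other than "name" it carries.
    bad = [v["name"] for v in pod_spec.get("volumes", [])
           if not (set(v) - {"name"}) & RESTRICTED_VOLUME_TYPES]
    if bad:
        out.append(f"restricted volume types (volumes {bad})")

    for ctr in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, sc = ctr["name"], ctr.get("securityContext") or {}
        if sc.get("privileged") is True:
            out.append(f"privileged (container {name} must not set securityContext.privileged=true)")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"allowPrivilegeEscalation != false (container {name} must set "
                       "securityContext.allowPrivilegeEscalation=false)")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            out.append(f'unrestricted capabilities (container {name} must set securityContext.capabilities.drop=["ALL"])')
        extra = sorted(set(caps.get("add") or []) - {"NET_BIND_SERVICE"})  # only NET_BIND_SERVICE may be added back
        if extra:
            out.append(f"unrestricted capabilities (container {name} must not include {extra} in securityContext.capabilities.add)")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            out.append(f"runAsNonRoot != true (pod or container {name} must set securityContext.runAsNonRoot=true)")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            out.append(f"runAsUser=0 (pod or container {name} must not set runAsUser=0)")
        prof = (_effective(pod_sc, sc, "seccompProfile") or {}).get("type")
        if prof not in ("RuntimeDefault", "Localhost"):
            out.append(f'seccompProfile (pod or container {name} must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return out


def format_warning(violations: list[str]) -> str:
    """Render findings in the shape of the admission warning quoted in the thread."""
    return 'would violate PodSecurity "restricted:latest": ' + ", ".join(violations)


# Constructed sample: the securityContext posted in the thread, plus the two hostPath
# volumes the warning names (host paths are assumed, not taken from the chart).
POSTED_POD = {
    "securityContext": {"runAsUser": 0, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "aws-for-fluent-bit", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "privileged": False, "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}},
                {"name": "varlibdockercontainers", "hostPath": {"path": "/var/lib/docker/containers"}}],
}

# Constructed hypothetical: UID 65532 and emptyDir volumes are assumptions that make the
# profile check pass; they do not by themselves make Fluent Bit work in this image.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65532, "runAsGroup": 65532,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "aws-for-fluent-bit", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "varlog", "emptyDir": {}},
                {"name": "varlibdockercontainers", "emptyDir": {}}],
}

if __name__ == "__main__":
    print(format_warning(restricted_violations(POSTED_POD)))
    print("hardened:", restricted_violations(HARDENED_POD) or "admitted")
```

Running it reproduces the three findings from the warning for the posted spec and an empty list for the hypothetical one. The container-level override in `_effective` matters in practice: a pod-level `runAsNonRoot: true` is undone by a container that sets `runAsUser: 0`, and a pod-level `runAsUser: 0` cannot be rescued by a container-level `runAsNonRoot: true` because the profile rejects `runAsUser=0` wherever it appears.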
