Run as user dropping privileges
This commit is contained in:
Manuel de Brito Fontes
Manuel Alejandro de Brito Fontes
parent
f7359a6062
commit
79199dd84c
7 changed files with 34 additions and 18 deletions
|
|
@ -35,7 +35,7 @@ func NewLocalFS() (Filesystem, error) {
|
||||||
fs := filesystem.DefaultFs{}
|
fs := filesystem.DefaultFs{}
|
||||||
|
|
||||||
for _, directory := range directories {
|
for _, directory := range directories {
|
||||||
err := fs.MkdirAll(directory, 0655)
|
err := fs.MkdirAll(directory, 0777)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
@ -97,12 +97,5 @@ func NewFakeFS() (Filesystem, error) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fakeFs.MkdirAll("/run", 0655)
|
|
||||||
fakeFs.MkdirAll("/proc", 0655)
|
|
||||||
fakeFs.MkdirAll("/etc/nginx/template", 0655)
|
|
||||||
|
|
||||||
fakeFs.MkdirAll(DefaultSSLDirectory, 0655)
|
|
||||||
fakeFs.MkdirAll(AuthDirectory, 0655)
|
|
||||||
|
|
||||||
return fakeFs, nil
|
return fakeFs, nil
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -26,6 +26,8 @@ import (
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const nginxPID = "/tmp/nginx.pid"
|
||||||
|
|
||||||
// Name returns the healthcheck name
|
// Name returns the healthcheck name
|
||||||
func (n NGINXController) Name() string {
|
func (n NGINXController) Name() string {
|
||||||
return "nginx-ingress-controller"
|
return "nginx-ingress-controller"
|
||||||
|
|
@ -58,13 +60,13 @@ func (n *NGINXController) Check(_ *http.Request) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "unexpected error reading /proc directory")
|
return errors.Wrap(err, "unexpected error reading /proc directory")
|
||||||
}
|
}
|
||||||
f, err := n.fileSystem.ReadFile("/run/nginx.pid")
|
f, err := n.fileSystem.ReadFile(nginxPID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "unexpected error reading /run/nginx.pid")
|
return errors.Wrapf(err, "unexpected error reading %v", nginxPID)
|
||||||
}
|
}
|
||||||
pid, err := strconv.Atoi(strings.TrimRight(string(f), "\r\n"))
|
pid, err := strconv.Atoi(strings.TrimRight(string(f), "\r\n"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "unexpected error reading the PID from /run/nginx.pid")
|
return errors.Wrapf(err, "unexpected error reading the nginx PID from %v", nginxPID)
|
||||||
}
|
}
|
||||||
_, err = fs.NewProc(pid)
|
_, err = fs.NewProc(pid)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -60,8 +60,8 @@ func TestNginxCheck(t *testing.T) {
|
||||||
})
|
})
|
||||||
|
|
||||||
// create pid file
|
// create pid file
|
||||||
fs.MkdirAll("/run", 0655)
|
fs.MkdirAll("/tmp", 0655)
|
||||||
pidFile, err := fs.Create("/run/nginx.pid")
|
pidFile, err := fs.Create(nginxPID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error: %v", err)
|
t.Fatalf("unexpected error: %v", err)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -20,7 +20,8 @@ WORKDIR /etc/nginx
|
||||||
|
|
||||||
RUN clean-install \
|
RUN clean-install \
|
||||||
diffutils \
|
diffutils \
|
||||||
dumb-init
|
dumb-init \
|
||||||
|
libcap2-bin
|
||||||
|
|
||||||
# Create symlinks to redirect nginx logs to stdout and stderr docker log collector
|
# Create symlinks to redirect nginx logs to stdout and stderr docker log collector
|
||||||
# This only works if nginx is started with CMD or ENTRYPOINT
|
# This only works if nginx is started with CMD or ENTRYPOINT
|
||||||
|
|
@ -30,6 +31,14 @@ RUN mkdir -p /var/log/nginx \
|
||||||
|
|
||||||
COPY . /
|
COPY . /
|
||||||
|
|
||||||
|
RUN setcap cap_net_bind_service=+ep /usr/sbin/nginx \
|
||||||
|
&& setcap cap_net_bind_service=+ep /nginx-ingress-controller
|
||||||
|
|
||||||
|
RUN mkdir -p /etc/ingress-controller/ssl /etc/ingress-controller/auth \
|
||||||
|
&& chown -R www-data.www-data /etc/nginx /etc/ingress-controller
|
||||||
|
|
||||||
|
USER www-data
|
||||||
|
|
||||||
ENTRYPOINT ["/usr/bin/dumb-init"]
|
ENTRYPOINT ["/usr/bin/dumb-init"]
|
||||||
|
|
||||||
CMD ["/nginx-ingress-controller"]
|
CMD ["/nginx-ingress-controller"]
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
# A very simple nginx configuration file that forces nginx to start.
|
# A very simple nginx configuration file that forces nginx to start.
|
||||||
pid /run/nginx.pid;
|
pid /tmp/nginx.pid;
|
||||||
|
|
||||||
events {}
|
events {}
|
||||||
http {}
|
http {}
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,9 @@
|
||||||
{{ $proxyHeaders := .ProxySetHeaders }}
|
{{ $proxyHeaders := .ProxySetHeaders }}
|
||||||
{{ $addHeaders := .AddHeaders }}
|
{{ $addHeaders := .AddHeaders }}
|
||||||
|
|
||||||
|
# setup custom paths that do not require root access
|
||||||
|
pid /tmp/nginx.pid;
|
||||||
|
|
||||||
{{ if $cfg.EnableModsecurity }}
|
{{ if $cfg.EnableModsecurity }}
|
||||||
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
|
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
@ -20,7 +23,6 @@ worker_processes {{ $cfg.WorkerProcesses }};
|
||||||
worker_cpu_affinity {{ $cfg.WorkerCpuAffinity }};
|
worker_cpu_affinity {{ $cfg.WorkerCpuAffinity }};
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
pid /run/nginx.pid;
|
|
||||||
{{ if ne .MaxOpenFiles 0 }}
|
{{ if ne .MaxOpenFiles 0 }}
|
||||||
worker_rlimit_nofile {{ .MaxOpenFiles }};
|
worker_rlimit_nofile {{ .MaxOpenFiles }};
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
@ -115,6 +117,10 @@ http {
|
||||||
keepalive_timeout {{ $cfg.KeepAlive }}s;
|
keepalive_timeout {{ $cfg.KeepAlive }}s;
|
||||||
keepalive_requests {{ $cfg.KeepAliveRequests }};
|
keepalive_requests {{ $cfg.KeepAliveRequests }};
|
||||||
|
|
||||||
|
client_body_temp_path /tmp/client-body;
|
||||||
|
fastcgi_temp_path /tmp/fastcgi-temp;
|
||||||
|
proxy_temp_path /tmp/proxy-temp;
|
||||||
|
|
||||||
client_header_buffer_size {{ $cfg.ClientHeaderBufferSize }};
|
client_header_buffer_size {{ $cfg.ClientHeaderBufferSize }};
|
||||||
client_header_timeout {{ $cfg.ClientHeaderTimeout }}s;
|
client_header_timeout {{ $cfg.ClientHeaderTimeout }}s;
|
||||||
large_client_header_buffers {{ $cfg.LargeClientHeaderBuffers }};
|
large_client_header_buffers {{ $cfg.LargeClientHeaderBuffers }};
|
||||||
|
|
|
||||||
|
|
@ -251,6 +251,14 @@ spec:
|
||||||
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
|
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
|
||||||
- --annotations-prefix=nginx.ingress.kubernetes.io
|
- --annotations-prefix=nginx.ingress.kubernetes.io
|
||||||
- --watch-namespace=${NAMESPACE}
|
- --watch-namespace=${NAMESPACE}
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
add:
|
||||||
|
- NET_BIND_SERVICE
|
||||||
|
# www-data -> 33
|
||||||
|
runAsUser: 33
|
||||||
env:
|
env:
|
||||||
- name: POD_NAME
|
- name: POD_NAME
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
|
@ -284,5 +292,3 @@ spec:
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
successThreshold: 1
|
successThreshold: 1
|
||||||
timeoutSeconds: 1
|
timeoutSeconds: 1
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue