Run livenessprobe as nonroot #192

prankulmahajan · 2024-08-27T11:24:15Z

This PR aims to do the following,

In deployment set runAsGroup for all containers in nodeServer and controller. Currently, though the users are non-root, the group is still being used as root.
In deployment run livenessprobe sidecar as non-root user/group.

To achieve the 2nd point, had to change file permissions of CSI socket created by node server.

Default permissions of csi socket inside node server -- (User 0, Group 0, Permissions 755) -- Only the root user has permissions to access the socket
The socket file should have read and write permissions for access. i.e min access required is 600/660 depending on who is accessing the socket file

This PR changes the group of the csi socket from root to non-root(set 2121 in deployment configMap) and update permissions to 660. Setting "660" allows the root user and the non-root group to access the socket as expected.

coveralls · 2024-08-27T11:31:56Z

coverage: 80.011% (-2.4%) from 82.395%
when pulling 3213213 on prankulmahajan:csi_socket_permissions
into 9068a97 on kubernetes-sigs:master.

prankulmahajan · 2024-08-28T07:54:01Z

Test Results (edit: after rebasing)

Setup -- Kubernetes

❯ kubectl get nodes
NAME          STATUS   ROLES    AGE   VERSION
10.240.0.85   Ready    <none>   9d    v1.30.4+IKS
10.240.0.86   Ready    <none>   9d    v1.30.4+IKS

Resource status

❯ kubectl get pods -n kube-system -o wide | grep block
ibm-vpc-block-csi-controller-677b9855fd-k7gsh         7/7     Running   0             6m2s    172.17.109.29    10.240.0.85   <none>           <none>
ibm-vpc-block-csi-node-k66kw                          4/4     Running   0             6m2s    172.17.112.182   10.240.0.86   <none>           <none>
ibm-vpc-block-csi-node-vldsv                          4/4     Running   0             6m2s    172.17.109.28    10.240.0.85   <none>           <none>

Check if csi socket is retained after resource deletion -- socket got deleted

❯ runon 10.240.0.85 command bash
groups: cannot find name for group ID 11
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/#
root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/# cd /var/lib/kubelet/plugins
root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/var/lib/kubelet/plugins# ls
kubernetes.io  vpc.block.csi.ibm.io  vpc.file.csi.ibm.io
root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/var/lib/kubelet/plugins# cd vpc.block.csi.ibm.io/
root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/var/lib/kubelet/plugins/vpc.block.csi.ibm.io# ls
root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/var/lib/kubelet/plugins/vpc.block.csi.ibm.io# ls -la
total 8
drwxr-xr-x 2 root root 4096 Sep  4 12:16 .
drwxr-x--- 5 root root 4096 Aug 26 14:40 ..
root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/var/lib/kubelet/plugins/vpc.block.csi.ibm.io# exit
exit

Apply resources using custom image and check status + Exec into node and check csi socket permissions

❯ kubectl get pods -n kube-system -o wide | grep block
ibm-vpc-block-csi-controller-677b9855fd-7tcqd         7/7     Running   0             30s     172.17.109.31    10.240.0.85   <none>           <none>
ibm-vpc-block-csi-node-66mm9                          4/4     Running   0             31s     172.17.112.183   10.240.0.86   <none>           <none>
ibm-vpc-block-csi-node-jvtmq                          4/4     Running   0             31s     172.17.109.30    10.240.0.85   <none>           <none>


❯ runon 10.240.0.85 command bash
groups: cannot find name for group ID 11
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/# cd /var/lib/kubelet/plugins
root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/var/lib/kubelet/plugins# cd vpc.block.csi.ibm.io/
root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/var/lib/kubelet/plugins/vpc.block.csi.ibm.io# ls -la
total 8
drwxr-xr-x 2 root root 4096 Sep  4 12:18 .
drwxr-x--- 5 root root 4096 Aug 26 14:40 ..
srw-rw---- 1 root 2121    0 Sep  4 12:18 csi.sock
root@test-cr624av200pnjn76o2i0-iks130-default-0000018a:/var/lib/kubelet/plugins/vpc.block.csi.ibm.io#

Create PVC and attach it to a pod

❯ kubectl get pvc
NAME            STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                VOLUMEATTRIBUTESCLASS   AGE
csi-block-pvc   Bound    pvc-8a6de5ca-9750-49ff-ab8a-8272468a48f1   10Gi       RWO            ibmc-vpc-block-5iops-tier   <unset>                 22h
my-pvc-block    Bound    pvc-2a03522d-51a0-4da2-8605-ca2fe4136a7b   10Gi       RWO            ibmc-vpc-block-5iops-tier   <unset>                 21s

❯ kubectl get pods -o wide | grep my-app
my-app-block-69956b9d94-nqvpq        1/1     Running   0          40s    172.17.109.32   10.240.0.85   <none>           <none>

❯ kubectl exec my-app-block-69956b9d94-nqvpq -it -- bash
bash-5.1# df -h
Filesystem                Size      Used Available Use% Mounted on
overlay                  97.3G     11.5G     81.6G  12% /
tmpfs                    64.0M         0     64.0M   0% /dev
tmpfs                     7.7G         0      7.7G   0% /sys/fs/cgroup
/dev/vde                  9.7G     24.0K      9.7G   0% /myvolblock
/dev/vda2                97.3G     11.5G     81.6G  12% /etc/hosts
/dev/vda2                97.3G     11.5G     81.6G  12% /dev/termination-log
/dev/vda2                97.3G     11.5G     81.6G  12% /etc/hostname
/dev/vda2                97.3G     11.5G     81.6G  12% /etc/resolv.conf
shm                      64.0M         0     64.0M   0% /dev/shm
tmpfs                    12.8G     16.0K     12.8G   0% /run/secrets/kubernetes.io/serviceaccount
tmpfs                     7.7G         0      7.7G   0% /proc/acpi
tmpfs                    64.0M         0     64.0M   0% /proc/kcore
tmpfs                    64.0M         0     64.0M   0% /proc/keys
tmpfs                    64.0M         0     64.0M   0% /proc/timer_list
tmpfs                    64.0M         0     64.0M   0% /proc/sched_debug
tmpfs                     7.7G         0      7.7G   0% /proc/scsi
tmpfs                     7.7G         0      7.7G   0% /sys/firmware
bash-5.1# cd myvolblock/
bash-5.1# touch test
bash-5.1# ls
lost+found  test
bash-5.1# exit
exit

Expansion

❯ kubectl edit pvc my-pvc-block
persistentvolumeclaim/my-pvc-block edited

❯ kubectl get pvc -w
NAME            STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                VOLUMEATTRIBUTESCLASS   AGE
csi-block-pvc   Bound    pvc-8a6de5ca-9750-49ff-ab8a-8272468a48f1   10Gi       RWO            ibmc-vpc-block-5iops-tier   <unset>                 22h
my-pvc-block    Bound    pvc-2a03522d-51a0-4da2-8605-ca2fe4136a7b   20Gi       RWO            ibmc-vpc-block-5iops-tier   <unset>                 4m1s

Detach and delete PVC

❯ kubectl delete -f dep.yaml
deployment.apps "my-app-block" deleted
❯
❯
❯
❯ kubectl delete -f pvc.yaml
persistentvolumeclaim "my-pvc-block" deleted
❯
❯ kubectl get pods -o wide | grep my-app
❯
❯ kubectl get pvc
NAME            STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                VOLUMEATTRIBUTESCLASS   AGE
csi-block-pvc   Bound    pvc-8a6de5ca-9750-49ff-ab8a-8272468a48f1   10Gi       RWO            ibmc-vpc-block-5iops-tier   <unset>                 22h

Delete csi resources

❯ kubectl get pods -n kube-system -o wide | grep block
❯

sameshai

/lgtm

prankulmahajan · 2024-09-05T07:48:04Z

Environments to test:

Kubernetes service with Ubuntu 20 OS
Kubernetes service with Ubuntu 24 OS
Openshift with RHEL 8.10 OS
Openshift with RHEL 9.4 OS -- Unable to create cluster
Openshift with Coreos

Test cases:

New install
- Resource status
- PVC creation + Attachment + r/w
- Expansion
- Detachment + PVC deletion
Patch install
- Resource should be ready with existing PVC and attachment healthy
- Create new attachement
- Detachment + PVC deletion

arahamad

please change the copyright, other things looks good

can you also come up with release note with this changes

pkg/ibmcsidriver/fileOps_test.go

arahamad

/lgtm

please verify changes also

k8s-ci-robot · 2024-09-06T05:23:49Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: arahamad, prankulmahajan, sameshai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [arahamad]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 27, 2024

k8s-ci-robot requested review from ambiknai and bradtopol August 27, 2024 11:24

k8s-ci-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Aug 27, 2024

k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 4, 2024

Run livenessprobe as nonroot

cbda619

prankulmahajan force-pushed the csi_socket_permissions branch from 9893192 to cbda619 Compare September 4, 2024 11:19

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Sep 4, 2024

sameshai approved these changes Sep 4, 2024

View reviewed changes

k8s-ci-robot assigned sameshai Sep 4, 2024

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 4, 2024

arahamad requested changes Sep 5, 2024

View reviewed changes

pkg/ibmcsidriver/fileOps_test.go Outdated Show resolved Hide resolved

updated copyright

3213213

k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 5, 2024

arahamad approved these changes Sep 6, 2024

View reviewed changes

k8s-ci-robot assigned arahamad Sep 6, 2024

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 6, 2024

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 6, 2024

k8s-ci-robot merged commit 088d0a7 into kubernetes-sigs:master Sep 6, 2024
6 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Run livenessprobe as nonroot #192

Run livenessprobe as nonroot #192

prankulmahajan commented Aug 27, 2024 •

edited

Loading

coveralls commented Aug 27, 2024 •

edited

Loading

prankulmahajan commented Aug 28, 2024 •

edited

Loading

sameshai left a comment

prankulmahajan commented Sep 5, 2024 •

edited

Loading

arahamad left a comment

arahamad left a comment

k8s-ci-robot commented Sep 6, 2024

Run livenessprobe as nonroot #192

Run livenessprobe as nonroot #192

Conversation

prankulmahajan commented Aug 27, 2024 • edited Loading

coveralls commented Aug 27, 2024 • edited Loading

prankulmahajan commented Aug 28, 2024 • edited Loading

Test Results (edit: after rebasing)

sameshai left a comment

Choose a reason for hiding this comment

prankulmahajan commented Sep 5, 2024 • edited Loading

Environments to test:

Test cases:

arahamad left a comment

Choose a reason for hiding this comment

arahamad left a comment

Choose a reason for hiding this comment

k8s-ci-robot commented Sep 6, 2024

prankulmahajan commented Aug 27, 2024 •

edited

Loading

coveralls commented Aug 27, 2024 •

edited

Loading

prankulmahajan commented Aug 28, 2024 •

edited

Loading

prankulmahajan commented Sep 5, 2024 •

edited

Loading