Run mon container as ceph user

This PS is to address security best practices concerning running containers as a non-privileged user and disallowing privilege escalation. Change-Id: If4c0e9fe446091ba75d1a9818ffd3a0933285af4
2021-01-20 15:43:41 -05:00 · 2021-01-20 15:43:41 -05:00 · 75a115ea29
commit 75a115ea29
parent 6cf614d7a8
3 changed files with 4 additions and 3 deletions
--- a/ceph-mon/Chart.yaml
+++ b/ceph-mon/Chart.yaml
@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph Mon
 name: ceph-mon
-version: 0.1.2
+version: 0.1.3
 home: https://github.com/ceph/ceph
 ...
--- a/ceph-mon/templates/bin/mon/_start.sh.tpl
+++ b/ceph-mon/templates/bin/mon/_start.sh.tpl
@ -42,7 +42,7 @@ MON_DATA_DIR="/var/lib/ceph/mon/${CLUSTER}-${MON_NAME}"
 MONMAP="/etc/ceph/monmap-${CLUSTER}"

 # Make the monitor directory
-su -s /bin/sh -c "mkdir -p \"${MON_DATA_DIR}\"" ceph
+/bin/sh -c "mkdir -p \"${MON_DATA_DIR}\""

 function get_mon_config {
  # Get fsid from ceph.conf
--- a/ceph-mon/values.yaml
+++ b/ceph-mon/values.yaml
@ -56,8 +56,9 @@ pod:
          runAsUser: 0
          readOnlyRootFilesystem: true
        ceph_mon:
-          runAsUser: 0
+          runAsUser: 64045
          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
    moncheck:
      pod:
        runAsUser: 65534