From b55143dec25d31efa2d3630c10c7512cc9591153 Mon Sep 17 00:00:00 2001
From: "Parsons, Cliff (cp769u)"
Date: Thu, 29 Jul 2021 20:21:17 +0000
Subject: [PATCH] Limit Ceph OSD Container Security Contexts

Wherever possible, the ceph-osd containers need to run with the least amount of privilege required. In some cases there are privileges granted but are not needed. This patchset modifies those container's security contexts to reduce them to only what is needed.

Change-Id: I0d6633efae7452fee4ce98d3e7088a55123f0a78
---
 ceph-osd/Chart.yaml | 2 +-
 ceph-osd/values.yaml | 5 ++++-
 releasenotes/notes/ceph-osd.yaml | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ceph-osd/Chart.yaml b/ceph-osd/Chart.yaml
index 4525dd12b..51bdb0e3e 100644
--- a/ceph-osd/Chart.yaml
+++ b/ceph-osd/Chart.yaml
@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph OSD
 name: ceph-osd
-version: 0.1.26
+version: 0.1.27
 home: https://github.com/ceph/ceph
 ...
diff --git a/ceph-osd/values.yaml b/ceph-osd/values.yaml
index f569376d3..7277a73c1 100644
--- a/ceph-osd/values.yaml
+++ b/ceph-osd/values.yaml
@@ -56,9 +56,11 @@ pod:
 container:
 ceph_init_dirs:
 runAsUser: 0
+ allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 ceph_log_ownership:
 runAsUser: 0
+ allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 osd_init:
 runAsUser: 0
@@ -69,7 +71,8 @@ pod:
 privileged: true
 readOnlyRootFilesystem: true
 log_runner:
- runAsUser: 0
+ runAsUser: 65534
+ allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 bootstrap:
 pod:
diff --git a/releasenotes/notes/ceph-osd.yaml b/releasenotes/notes/ceph-osd.yaml
index c2e4b0cc3..cdda2c0d8 100644
--- a/releasenotes/notes/ceph-osd.yaml
+++ b/releasenotes/notes/ceph-osd.yaml
@@ -27,4 +27,5 @@ ceph-osd:
 - 0.1.24 Ceph OSD Init Improvements
 - 0.1.25 Export crash dumps when Ceph daemons crash
 - 0.1.26 Mount /var/crash inside ceph-osd pods
+ - 0.1.27 Limit Ceph OSD Container Security Contexts
 ...
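Review bot: The added `allowPrivilegeEscalation: false` on `ceph_init_dirs` and `ceph_log_ownership` (the `@@ -56,9 +56,11 @@` hunk of values.yaml) sits next to an unchanged `runAsUser: 0`, so both containers still start as root; the flag only stops the process acquiring privileges it does not already hold (setuid binaries, file capabilities) and does not shrink root's own capability set. If root is genuinely required here — the container names suggest directory creation and log-ownership fixes, which is an inference rather than something the hunk shows — a comment recording that would keep a later reader from treating the flag as closing the root exposure, e.g. `# still runs as root for init work; allowPrivilegeEscalation=false only blocks setuid/file-capability gains`. Whether a `capabilities: drop: ["ALL"]` entry plus the one capability the init work needs would fit is worth checking, but the pod-level context this mapping belongs to starts before the hunk.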
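Review bot: `log_runner` (the `@@ -69,7 +71,8 @@` hunk of values.yaml) drops to `runAsUser: 65534` but does not set `runAsNonRoot: true`, so the kubelet will not reject the container if a values override later puts the uid back to 0; adding `runAsNonRoot: true` beside the new uid makes the non-root requirement enforced rather than incidental. The change also assumes the log path is readable by uid 65534 — presumably `ceph_log_ownership` earlier in this mapping prepares that, but nothing in the hunk shows it, so confirm it against the chart templates before rolling a uid change out to a running cluster. The enclosing `pod:` mapping begins before the hunk and continues past `bootstrap:`.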