SecurityContext: Checking behaviour changes with different values for runAsUser, runAsGroup and fsGroup - q-uest/notes-doc-k8s-docker-jenkins-all-else GitHub Wiki
Observations:
- Per documentation, a volume specified in a Pod should be owned by the group given in the "fsGroup" field (which also becomes a supplementary group of the container process). This "fsGroup" behaviour differs between PVCs backed by an NFS mount and "local" filesystems: the documented behaviour is seen only with local filesystems, not with NFS volumes.
- If the "hostPath" given in the PV manifest does not exist on the host (NFS filesystem), the path/directory is created automatically when a Pod referencing the volume is created after the PV. The storageClass must be in place for this to happen. "root" will be the owner of the new path/directory in this case.
- To apply the given "fsGroup" value, the CSI driver used for the filesystem type should have
- Creation of the hostPath has nothing to do with the securityContext parameters specified for a Pod.
- If the PV is NOT getting created, check the "storageClass".
[NFS mount]
Nexus:-
Container image used: sonatype/nexus3:3.38.0
securityContext:
runAsUser: 1000 (non-existing user in the container)
runAsGroup: 200 (nexus in /etc/group)
fsGroup: 200 (nexus in /etc/group)
@host:-
Path: /nexus-data/nexus
```
drwxrwxr-x 14 ubuntu ubuntu 4096 Mar 25 04:46 nexus
```
@container:-
Check the NFS mounted filesystem:
```
$ ls -lrt /nexus-data/f2
-rw-r--r-- 1 1000 nexus 0 Mar 25 05:17 /nexus-data/f2
```
- Without "runAsGroup"
securityContext: runAsUser: 1000 (non-existing user in the container OS) / fsGroup: 200 (nexus @/etc/group)
@container:
```
$ id
uid=1000 gid=0(root) groups=0(root),200(nexus)
```
Create a file & check owner/group:
```
$ ls -ltr f3
-rw-r--r-- 1 1000 root 0 Mar 25 05:40 f3
```
When runAsGroup is not set, the process's primary GID is 0 (root), so new files are group-owned by "root"; fsGroup only adds "nexus" as a supplementary group.
=====
Trying with the ubuntu/busybox images with different securityContext parameters and local/NFS filesystems:
Pod spec:
```
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
```
1) [Local filesystem: emptyDir] Set runAsUser to a non-existing user in the container's user database:
security-context-demo:
securityContext: runAsUser: 1000 / fsGroup: 100 (users @/etc/group)
@container:
```
$ id
uid=1000 gid=0(root) groups=0(root),100(users)
$ ls -l /data
total 4
drwxrwsrwx 2 root users 4096 Mar 25 05:25 demo
$ ls -ltr
total 0
-rw-r--r-- 1 1000 users 0 Mar 25 05:39 f1
```
Here fsGroup took effect: the emptyDir is group-owned by "users" with the setgid bit set (the "s" in drwxrwsrwx), so f1 inherits the "users" group even though the process's primary GID is 0.
===
With NFS mounts:
```
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 100
  volumes:
  - name: testvol
    persistentVolumeClaim:
      claimName: test-pvc
  containers:
  - name: sec-ctx-demo
    image: ubuntu:latest
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: testvol
      mountPath: /ram
```
i) Params used: runAsUser: 1000 (non-existent user @container) / runAsGroup: 3000 (non-existent group @container) / fsGroup: 2000 (non-existent group @container)
Commands executed in sequence: "id" / "ls -l /" (only the ram entry shown) / "cd /ram":
```
uid=1000 gid=3000 groups=3000,2000
drwxrwx--- 2 root root 4096 Mar 25 12:27 ram
bash: cd: /ram: Permission denied
```
ii) Params used: runAsUser: 1000 (non-existent user @container) / runAsGroup: 3000 (non-existent group @container) / fsGroup: 2000 (non-existent group @container)
Scenario 1: The host OS directory backing the PV does NOT exist ("/nexus-data/test" was deleted for this test).
@host:
The "test" directory is created automatically, owned by "root" with the permissions below.
```
$ ls -l /nexus-data/ | grep test
drwxr-xr-x 2 root root 4096 Mar 26 11:12 test
```
@container:-
Commands executed in sequence: "id" / "ls -l / | grep ram" / "touch /ram/f1":
```
uid=1000 gid=3000 groups=3000,2000
drwxr-xr-x 2 root root 4096 Mar 26 11:12 ram
touch: cannot touch '/ram/f1': Permission denied
```
- Params: runAsUser: 1 (daemon) / fsGroup: 100 (users @/etc/group)
Scenario 1: The host OS directory backing the PV does NOT exist ("/nexus-data/test" was deleted for this test).
@host:
```
$ ls -l /nexus-data/ | grep test
drwxr-xr-x 2 root root 4096 Mar 26 11:45 test
```
@container:-
Commands executed in sequence: "id" / "ls -l / | grep ram" / "touch /ram/f1":
```
uid=1(daemon) gid=1(daemon) groups=1(daemon),100(users)
drwxr-xr-x 2 root root 4096 Mar 26 11:45 ram
touch: cannot touch '/ram/f1': Permission denied
```
Scenario 2: Create the "test" directory under "/nexus-data" beforehand (owned by the host user "ubuntu").
@host:
```
$ ls -l /nexus-data/
drwxrwxr-x 2 ubuntu ubuntu 4096 Mar 26 06:28 test
```
@container:
Commands executed in sequence: "id" / "ls -l / | grep ram" / "cd /ram; touch f1":
```
uid=1(daemon) gid=1(daemon) groups=1(daemon),100(users)
drwxrwxr-x 2 1000 1000 4096 Mar 26 06:28 ram
touch: cannot touch 'f1': Permission denied
```
Scenario 3: Grant ALL permissions to "others" too on "/nexus-data/test".
```
chmod 777 /nexus-data/test
```
@container:
Executing "id"/ "ls -l /|grep ram" / "touch /ram/f2" / "ls -l /ram/f2":
```
uid=1(daemon) gid=1(daemon) groups=1(daemon),100(users)
drwxrwxrwx 2 1000 1000 4096 Mar 26 07:00 ram
-rw-r--r-- 1 daemon daemon 0 Mar 26 07:00 /ram/f2
```
===
- Change permissions of the host path (host OS level) to 700
runAsUser: 1 (daemon) / fsGroup: 100 (users @/etc/group)
@host:
```
$ chmod 700 /nexus-data/test
$ ls -l /nexus-data | grep test
drwx------ 2 root root 4096 Mar 26 11:45 test
```
@container:
Commands executed in sequence: "id" / "ls -l / | grep ram" / "touch /ram/f1":
```
uid=1(daemon) gid=1(daemon) groups=1(daemon),100(users)
drwxr-xr-x 2 root root 4096 Mar 26 11:45 ram
touch: cannot touch '/ram/f1': Permission denied
```
====
- runAsUser: 0 (root user @container), fsGroup: 100 (users group @container):
@host:
```
$ ls -l /
drwx------ 3 ubuntu ubuntu 4096 Mar 25 11:31 nexus-data
$ ls -ltr /nexus-data/test
drwxr-xr-x 2 root root 4096 Mar 25 11:40 test
```
@container:
```
$ id
uid=0(root) gid=0(root) groups=0(root),100(users)
$ ls -l / | grep ram
drwxr-xr-x 2 root root 4096 Mar 25 11:40 ram
$ ls -l /ram
total 0
-rw-r--r-- 1 root root 0 Mar 25 11:40 f1
```
=====
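Added example (not part of these notes): a small model of the POSIX ownership and mode checks that account for every run above, from the nexus files ending up as "1000 nexus" vs "1000 root" to the NFS permission denials that fsGroup did not prevent. It assumes the host user "ubuntu" is uid/gid 1000 and that the images' /etc/passwd gives uid 1 (daemon) primary gid 1; the scenario table is constructed from the output recorded on this page.

```python
import stat

def container_ids(run_as_user, run_as_group, fs_group, passwd_gid=None):
    """Ids the container process gets. passwd_gid is the primary gid the image's
    /etc/passwd assigns the uid (None if the uid is absent there: then the primary
    gid falls back to 0/root unless runAsGroup is set). fsGroup is only appended
    as a supplementary group."""
    if run_as_group is not None:
        gid = run_as_group
    else:
        gid = passwd_gid if passwd_gid is not None else 0
    groups = [gid] + ([fs_group] if fs_group is not None else [])
    return run_as_user, gid, groups

def can_create_file(uid, gid, groups, dir_uid, dir_gid, dir_mode):
    """POSIX DAC: creating a file needs w+x on the directory, whose owner and
    mode are whatever the host/NFS export has (fsGroup did not chown it)."""
    if uid == 0:
        return True                      # root: CAP_DAC_OVERRIDE skips mode bits
    if uid == dir_uid:
        bits = (dir_mode >> 6) & 0o7
    elif dir_gid == gid or dir_gid in groups:
        bits = (dir_mode >> 3) & 0o7
    else:
        bits = dir_mode & 0o7
    return bits & 0o3 == 0o3

def new_file_group(gid, dir_gid, dir_mode):
    """Group of a new file: the directory's group when setgid is set (fsGroup on
    emptyDir produced drwxrwsrwx), otherwise the process's primary gid."""
    return dir_gid if dir_mode & stat.S_ISGID else gid

# Constructed from the page's runs: (runAsUser, runAsGroup, fsGroup, passwd_gid,
# dir_uid, dir_gid, dir_mode). Host user "ubuntu" is assumed to be uid/gid 1000.
SCENARIOS = {
    "nexus runAsGroup 200":  (1000, 200,  200,  None, 1000, 1000, 0o775),
    "nexus no runAsGroup":   (1000, None, 200,  None, 1000, 1000, 0o775),
    "emptyDir fsGroup 100":  (1000, None, 100,  None, 0,    100,  0o2777),
    "nfs 1000/3000/2000":    (1000, 3000, 2000, None, 0,    0,    0o770),
    "nfs daemon root 755":   (1,    None, 100,  1,    0,    0,    0o755),
    "nfs daemon 1000 775":   (1,    None, 100,  1,    1000, 1000, 0o775),
    "nfs daemon chmod 777":  (1,    None, 100,  1,    1000, 1000, 0o777),
    "nfs runAsUser 0":       (0,    None, 100,  0,    0,    0,    0o755),
}

def predict(name):
    """(can_create, group of the new file or None) for one scenario."""
    ru, rg, fg, pg, duid, dgid, mode = SCENARIOS[name]
    uid, gid, groups = container_ids(ru, rg, fg, pg)
    ok = can_create_file(uid, gid, groups, duid, dgid, mode)
    return ok, (new_file_group(gid, dgid, mode) if ok else None)
```

Running predict() over every SCENARIOS key reproduces the page's results: the only writable NFS cases are the ones where the container uid owns the host directory, "others" have rwx, or the process is root.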