SecurityContext: Checking behaviour changes with different values for runAsUser, runAsGroup and fsGroup - q-uest/notes-doc-k8s-docker-jenkins-all-else GitHub Wiki

Observations:

  • Per the documentation, a volume specified in a Pod should be owned by the group given in the "fsGroup" field (that group is also added to the container process as a secondary/supplementary group). The "fsGroup" behaviour differs between PVCs (with an NFS mount) and "local" filesystems: the documented behaviour is seen only with local filesystems, not with NFS volumes.

  • If the "hostPath" given in the PV manifest does not exist on the host (NFS filesystem), the path/directory is created automatically when a Pod referencing the volume is created after the PV. The storageClass must be in place for this to happen. "root" will own the new path/directory in this case.

  • To effect the given "fsGroup" value, the CSI driver being used for the filesystem type should have

  • Creation of the hostPath has nothing to do with the securityContext parameters specified for a Pod.

  • Check the "storageClass" if the PV is NOT getting created.

[NFS mount]

Nexus:-

container image used: sonatype/nexus3:3.38.0

  securityContext:
    runAsUser: 1000 (non-existing in container)
    runAsGroup: 200 (nexus in /etc/group)
    fsGroup: 200    (nexus in /etc/group)

@host:-

Path: /nexus-data/nexus

drwxrwxr-x 14 ubuntu ubuntu 4096 Mar 25 04:46 nexus

@container:-

Check the NFS mounted filesystem

$ ls -lrt /nexus-data/f2
-rw-r--r-- 1 1000 nexus 0 Mar 25 05:17 /nexus-data/f2

  1. Without "runAsGroup"

    securityContext:
      runAsUser: 1000 (non-existing user in the container OS)
      fsGroup: 200    (nexus @/etc/group)

@ container:

$ id
uid=1000 gid=0(root) groups=0(root),200(nexus)

create a file & check owner/group

$ ls -ltr f3
-rw-r--r-- 1 1000 root 0 Mar 25 05:40 f3

Without runAsGroup the process's primary gid is 0 (root), so the new file's group is "root"; fsGroup 200 appears only as a supplementary group in the "id" output.

=====

Trying with ubuntu image with different securityContext parameters and Local/NFS filesystems:

Pod spec:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

1) [Local filesystem: emptyDir] Set runAsUser to a user that does not exist in the container's user database:

security-context-demo:

securityContext:
  runAsUser: 1000
  fsGroup: 100 (users @/etc/group)

@container:

$ id
uid=1000 gid=0(root) groups=0(root),100(users)

$ ls -l /data
total 4
drwxrwsrwx 2 root users 4096 Mar 25 05:25 demo

$ ls -ltr
total 0
-rw-r--r-- 1 1000 users 0 Mar 25 05:39 f1

===

with NFS mounts

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 100
  volumes:
    - name: testvol
      persistentVolumeClaim:
        claimName: test-pvc
  containers:
  - name: sec-ctx-demo
    image: ubuntu:latest
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: testvol
      mountPath: /ram

i) Params used: runAsUser: 1000 (non-existent user@container)/ runAsGroup: 3000 (non-existent group@container) / fsGroup: 2000 (non-existent group@container)

Commands executed in sequence: "id" / "ls -l /" / "cd /ram":

uid=1000 gid=3000 groups=3000,2000

drwxrwx---   2 root root 4096 Mar 25 12:27 ram

bash: cd: /ram: Permission denied

ii) Params used: runAsUser: 1000 (non-existent user@container) / runAsGroup: 3000 (non-existent group@container) / fsGroup: 2000 (non-existent group@container)

Scenario 1) The host OS directory backing the PV does NOT exist ("/nexus-data/test" was deleted for this test)

@host:

The "test" directory is created automatically, owned by "root", with the permissions below.

ls -l /nexus-data/|grep test
drwxr-xr-x  2 root   root    4096 Mar 26 11:12 test

@container:-

"id" / "ls -l /|grep ram" / "touch /ram/f1"

uid=1000 gid=3000 groups=3000,2000

drwxr-xr-x   2 root root 4096 Mar 26 11:12 ram

touch: cannot touch '/ram/f1': Permission denied

  1. Params:- runAsUser: 1 (daemon) / fsGroup: 100 (users @/etc/group)

Scenario 1) The host OS directory backing the PV does NOT exist ("/nexus-data/test" was deleted for this test)

@host:

ls -l /nexus-data/|grep test
drwxr-xr-x  2 root   root    4096 Mar 26 11:45 test

@container:-

Commands executed in sequence: "id" / "ls -l /|grep ram" / "touch /ram/f1" :

uid=1(daemon) gid=1(daemon) groups=1(daemon),100(users)

drwxr-xr-x   2 root root 4096 Mar 26 11:45 ram

touch: cannot touch '/ram/f1': Permission denied

Scenario 2: Create the "test" directory under "/nexus-data".

@ host:

ls -l /nexus-data/
drwxrwxr-x  2 ubuntu ubuntu 4096 Mar 26 06:28 test

@ container:

"id" / "ls -l / |grep ram" / "cd /ram;touch f1"

uid=1(daemon) gid=1(daemon) groups=1(daemon),100(users)

drwxrwxr-x   2 1000 1000 4096 Mar 26 06:28 ram

touch: cannot touch 'f1': Permission denied

Scenario 3: Grant ALL permissions to "others" too on "/nexus-data/test".

```
chmod 777 /nexus-data/test
```

@container:

Executing "id" / "ls -l /|grep ram" / "touch /ram/f2" / "ls -l /ram/f2":

```
uid=1(daemon) gid=1(daemon) groups=1(daemon),100(users)

drwxrwxrwx   2 1000 1000 4096 Mar 26 07:00 ram

-rw-r--r-- 1 daemon daemon 0 Mar 26 07:00 /ram/f2
```

===

  1. Change the permissions of the host path (host OS level) to 700

    runAsUser: 1 (daemon) / fsGroup: 100 (users @/etc/group)

@ host:

$ chmod 700 /nexus-data/test

$ ls -l /nexus-data|grep test
drwx------ 2 root root 4096 Mar 26 11:45 test

@ container:

Commands: "id" / "ls -l / |grep ram" / "touch /ram/f1"

uid=1(daemon) gid=1(daemon) groups=1(daemon),100(users)

drwxr-xr-x   2 root root 4096 Mar 26 11:45 ram

touch: cannot touch '/ram/f1': Permission denied

====

  1. runAsUser: 0 (root user in the container), fsGroup: 100 (users group in the container):

@ host level:

$ ls -l /
drwx------ 3 ubuntu ubuntu 4096 Mar 25 11:31 nexus-data

$ ls -ltr /nexus-data/test

drwxr-xr-x 2 root root 4096 Mar 25 11:40 test

@container:

id

uid=0(root) gid=0(root) groups=0(root),100(users)

drwxr-xr-x 2 root root 4096 Mar 25 11:40 ram

ls -l /ram

total 0
-rw-r--r-- 1 root root 0 Mar 25 11:40 f1

=====
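As an added example (not part of the original notes), the following Python models the permission checks behind the "id" / "touch" results recorded above: it derives the process identity from the securityContext fields, parses the `ls -l` lines quoted from this page, and applies the POSIX owner/group/other rules, so each scenario's "Permission denied" (or success) can be replayed offline. The name tables, the simplified `apply_fs_group` model and every function name are assumptions of this example; nothing here runs against a cluster.

```python
"""Offline model of the id / ls -l / touch checks recorded on this page.
Added example, not part of the original notes; name tables are constructed
from the entries the page mentions, and nothing here talks to a cluster."""
import re
from collections import namedtuple

# Constructed: container /etc/passwd (name -> (uid, gid)), container /etc/group,
# and the names the host shows. uid 1000 has no passwd entry in the image.
CONTAINER_PASSWD = {"root": (0, 0), "daemon": (1, 1)}
CONTAINER_GROUP = {"root": 0, "daemon": 1, "users": 100, "nexus": 200}
NAMES = {**CONTAINER_GROUP, "ubuntu": 1000}        # resolves owner/group in ls -l lines
Identity = namedtuple("Identity", "uid gid groups")            # groups: all, primary included
Entry = namedtuple("Entry", "name owner group perms setgid")   # perms: 9 chars, e.g. rwxrwsrwx

def identity_from_security_context(run_as_user, run_as_group=None, fs_group=None):
    """runAsGroup sets the primary gid; without it the runtime uses the passwd
    entry of runAsUser, or gid 0 when the uid has none (the page's
    "uid=1000 gid=0(root)"). fsGroup is only ever a supplementary group."""
    if run_as_group is None:
        run_as_group = dict(CONTAINER_PASSWD.values()).get(run_as_user, 0)
    groups = {run_as_group} | ({fs_group} if fs_group is not None else set())
    return Identity(run_as_user, run_as_group, frozenset(groups))

def _named(num, table):
    names = [n for n, v in table.items() if v == num]
    return f"{num}({names[0]})" if names else str(num)

def id_string(ident):
    """Render the identity in the format of the page's `id` output."""
    uids = {name: uid for name, (uid, _) in CONTAINER_PASSWD.items()}
    ordered = [ident.gid] + sorted(ident.groups - {ident.gid})
    return (f"uid={_named(ident.uid, uids)} gid={_named(ident.gid, CONTAINER_GROUP)} "
            f"groups={','.join(_named(g, CONTAINER_GROUP) for g in ordered)}")

LS_RE = re.compile(r"^[dl-]([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(\S+)")

def parse_ls_line(line):
    """Parse one `ls -l` line; numeric owner/group (what the container prints
    for ids it cannot name) pass through, symbolic ones resolve via NAMES."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    perms, owner, group, name = m.groups()
    resolve = lambda s: int(s) if s.isdigit() else NAMES[s]
    return Entry(name, resolve(owner), resolve(group), perms, perms[5] in "sS")

def access(ident, entry, want):
    """POSIX discretionary check: uid 0 bypasses the mode bits (CAP_DAC_OVERRIDE);
    otherwise exactly one class applies: owner, else group (primary or
    supplementary, which is where fsGroup matters), else other."""
    if ident.uid == 0:
        return True
    if ident.uid == entry.owner:
        bits = entry.perms[0:3]
    elif entry.group in ident.groups:
        bits = entry.perms[3:6]
    else:
        bits = entry.perms[6:9]
    have = {"r"} if bits[0] == "r" else set()
    if bits[1] == "w":
        have.add("w")
    if bits[2] in "xst":   # lowercase s/t: exec bit set alongside setgid/sticky
        have.add("x")
    return set(want) <= have

def touch(ident, directory, filename):
    """`touch` needs write+search on the directory; returns the new file's
    entry or None (Permission denied). The file's group follows a setgid
    directory (the drwxrwsrwx fsGroup produces on emptyDir), else the gid."""
    if not access(ident, directory, "wx"):
        return None
    group = directory.group if directory.setgid else ident.gid
    return Entry(filename, ident.uid, group, "rw-r--r--", False)

def apply_fs_group(volume, fs_group, volume_supports_fs_group):
    """Simplified model of the observation above: on emptyDir the kubelet
    re-groups the volume to fsGroup and sets group rwx + setgid (drwxrwsrwx
    root users); on the NFS PV it leaves the ownership untouched."""
    if not volume_supports_fs_group:
        return volume
    return Entry(volume.name, volume.owner, fs_group,
                 volume.perms[:3] + "rws" + volume.perms[6:], True)

# The page's scenarios: (label, (runAsUser, runAsGroup, fsGroup), directory line from its output).
SCENARIOS = [
    ("emptyDir, uid 1000, fsGroup 100", (1000, None, 100), "drwxrwsrwx 2 root users 4096 Mar 25 05:25 demo"),
    ("NFS root 755, daemon, fsGroup 100", (1, None, 100), "drwxr-xr-x 2 root root 4096 Mar 26 11:45 ram"),
    ("NFS 1000:1000 775, daemon", (1, None, 100), "drwxrwxr-x 2 1000 1000 4096 Mar 26 06:28 ram"),
    ("NFS 1000:1000 777, daemon", (1, None, 100), "drwxrwxrwx 2 1000 1000 4096 Mar 26 07:00 ram"),
    ("NFS root 755, runAsUser 0", (0, None, 100), "drwxr-xr-x 2 root root 4096 Mar 25 11:40 ram"),
]

def replay():
    """Replay every scenario: label -> new file entry, or None when denied."""
    return {label: touch(identity_from_security_context(*args), parse_ls_line(line), "f1")
            for label, args, line in SCENARIOS}
```

`replay()` reproduces the outcomes on this page: a file is created only on the emptyDir volume (group "users" inherited through the setgid bit), on the world-writable NFS directory and by the root process. fsGroup only changes the result where the directory's group actually equals it, which is exactly what the kubelet arranges for emptyDir and not for the NFS PV.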