Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug: [Jsonnet] Statefulsets have SecurityContext.runAsUser(0) set #10338

Open
EoinFarrell opened this issue Jan 3, 2025 · 3 comments · May be fixed by #10339
Open

Bug: [Jsonnet] Statefulsets have SecurityContext.runAsUser(0) set #10338

EoinFarrell opened this issue Jan 3, 2025 · 3 comments · May be fixed by #10339
Labels
bug Something isn't working jsonnet

Comments

@EoinFarrell
Copy link

What is the bug?

Hi Grafana Labs Team,

The jsonnet configuration for Mimir Statefulsets configures the containers to run as the root user, link to code.

The Grafana Mimir documentation states:

Grafana Mimir does not require any special permissions on the hosts that it runs on. Because of this, you can deploy it in environments that enforce the Kubernetes Restricted security policy.

But setting containers to run as root is against the Kubernetes Restricted security policy, exert:

Running as Non-root user (v1.23+)

Containers must not set runAsUser to 0

Restricted Fields

spec.securityContext.runAsUser
spec.containers[].securityContext.runAsUser
spec.initContainers[
].securityContext.runAsUser
spec.ephemeralContainers[*].securityContext.runAsUser

Allowed Values

any non-zero value
undefined/null

The Flusher job also has this configured, link to code.

From looking at the git history it looks like this piece of code has been in place since this repo was started, so if it is not required, I would guess it was originally put in place to allow Cortex to bind to port 80 (restricted port, which can block non root users from binding to it), as Cortex defaulted to port 80, unlike Mimir which defaults to port 8080, see migrating-from-cortex.md.

For reference, it does not look like the default Helm chart values have this issue (runAsUser: 10001 is set in some places which is not a security concern). Though I did find a similar issue raised previously related to the Helm charts: #5758.

How to reproduce it?

n/a

What did you think would happen?

Run as root should not be set

What was your environment?

Kubernetes jsonnet

Any additional context to share?

No response

@EoinFarrell EoinFarrell added the bug Something isn't working label Jan 3, 2025
@EoinFarrell EoinFarrell linked a pull request Jan 3, 2025 that will close this issue
4 tasks
@EoinFarrell
Copy link
Author

I've opened a draft PR to remove the config, if its agreed it can be removed: #10339

@narqo narqo added the jsonnet label Jan 7, 2025
@narqo
Copy link
Contributor

narqo commented Jan 7, 2025

Thank you for the detailed investigation of the issue, and for the PR. We were discussing it internally and the only concern/question that popped up was about changing existing stateful sets:

That is, could removing the runAsUser: 0 from an existing STS — e.g. the ingesters — cause any issues, where a new rollout, with the security context removed, couldn't read/write the data in the attached PVC, created by the previous version, under the root? From a quick test in one of the environments, this didn't seem to be the case. The rollout worked just fine. But given how critical the ingesters' data is for both read- and write-path, we want to be extra cautious about this change (or at least have a migration plan for the production systems).

@EoinFarrell
Copy link
Author

Thanks for discussing the issue internally @narqo and agreed that ensuring the change is safe is the most important thing. For now I'll look at making this change internally to some of our systems as a way to verify the change as an additional data point to your own internal testing in Grafana.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working jsonnet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants