Refactoring of how we run as user #2825

Merged
merged 1 commit into from
Jul 22, 2018
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -57,7 +57,7 @@ IMAGE = $(REGISTRY)/$(IMGNAME)
MULTI_ARCH_IMG = $(IMAGE)-$(ARCH)

# Set default base image dynamically for each arch
BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):0.54
BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):0.55

ifeq ($(ARCH),arm)
QEMUARCH=arm
31 changes: 1 addition & 30 deletions rootfs/Dockerfile
Expand Up @@ -25,35 +25,6 @@ RUN clean-install \

COPY . /

# Create symlinks to redirect nginx logs to stdout and stderr docker log collector
# This only works if nginx is started with CMD or ENTRYPOINT
# Required because clean-install removes /var/log content
# We cannot chown /etc/nginx recursively because that adds 100MB to the image
RUN mkdir -p /var/log/nginx \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \
&& bash -eux -c ' \
writeDirs=( \
/etc/nginx/template \
/etc/ingress-controller/ssl \
/etc/ingress-controller/auth \
/var/log \
/var/log/nginx \
); \
for dir in "${writeDirs[@]}"; do \
mkdir -p ${dir}; \
chown -R www-data.www-data ${dir}; \
done \
' \
&& chown www-data.www-data /etc/nginx/nginx.conf \
&& chown www-data.www-data /etc/nginx/opentracing.json

RUN setcap cap_net_bind_service=+ep /nginx-ingress-controller \
&& setcap -v cap_net_bind_service=+ep /nginx-ingress-controller

USER www-data

ENTRYPOINT ["/usr/bin/dumb-init"]
ENTRYPOINT ["/entrypoint.sh"]

CMD ["/nginx-ingress-controller"]
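Review bot: Removing `USER www-data` together with the two setcap lines means the image now starts as root and the privilege drop lives only in /entrypoint.sh; any path that bypasses the entrypoint (a manifest `command:` override, `--entrypoint`, an exec into the pod) runs as root, and admission checks such as `runAsNonRoot` will now reject or flag the image. The companion change in test/manifests/ingress-controller/mandatory.yaml also deletes the pod `securityContext` (drop ALL / add NET_BIND_SERVICE, runAsUser 33), so after this commit no layer below the entrypoint limits capabilities either. I would add a comment on the new ENTRYPOINT line, `# Starts as root: /entrypoint.sh fixes ownership, applies setcap and drops to www-data via su-exec`, and keep at least `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}` in the manifest so the pod still has a capability bound independent of the script. The `RUN clean-install` list begins above the hunk, so I cannot see whether su-exec is installed there; if it is not, the entrypoint's privilege drop fails at runtime.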

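--- /dev/null
+++ b/rootfs/entrypoint.sh
@@ -0,0 +1,57 @@
+#!/usr/bin/dumb-init /bin/bash
+
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+mkdir -p /var/log/nginx
+echo 0 > /tmp/nginx.pid
+writeDirs=( \
+/etc/nginx/template \
+/etc/ingress-controller/ssl \
+/etc/ingress-controller/auth \
+/var/log \
+/var/log/nginx \
+/tmp \
+);
+
+for dir in "${writeDirs[@]}"; do
+mkdir -p ${dir};
+chown -R www-data.www-data ${dir};
+done
+
+ln -sf /dev/stdout /var/log/nginx/access.log
+ln -sf /dev/stderr /var/log/nginx/error.log
+
+chown www-data.www-data /var/log/nginx/*
+chown www-data.www-data /etc/nginx/nginx.conf
+chown www-data.www-data /etc/nginx/opentracing.json
+chown www-data.www-data /etc/nginx
+
+echo "Testing if setcap is supported..."
+if test 'setcap cap_net_bind_service=+ep /usr/sbin/nginx'; then
+echo "setcap is supported. Setting cap_net_bind_service=+ep to allow binding port lower than 1024 as non-root"
+setcap cap_net_bind_service=+ep /usr/sbin/nginx
+setcap -v cap_net_bind_service=+ep /usr/sbin/nginx
+setcap cap_net_bind_service=+ep /nginx-ingress-controller
+setcap -v cap_net_bind_service=+ep /nginx-ingress-controller
+
+echo "Droping root privileges and running as user..."
+su-exec www-data:www-data "$@"
+else
+echo "WARNING!!!: setcap is not supported. Running as root"
+echo "Please check https://github.com/moby/moby/issues/1070"
+"$@"
+fi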
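Review bot: The probe `if test 'setcap cap_net_bind_service=+ep /usr/sbin/nginx'; then` never runs setcap: `test` with a single non-empty string argument is always true, so the `else` fallback is unreachable and on a kernel or runtime without file-capability support the script aborts under `set -e` at the first real `setcap` call instead of falling back to root as intended. Use the command's own exit status as the condition, `if setcap cap_net_bind_service=+ep /usr/sbin/nginx; then` (commands in an `if` condition are exempt from `set -e`), and drop the now-redundant repeat of that call on the next line. Separately, `chown www-data.www-data /var/log/nginx/*` dereferences the access.log and error.log symlinks created just above, so it changes the owner of `/dev/stdout` and `/dev/stderr` rather than of the links; `chown -h www-data.www-data /var/log/nginx/*` acts on the links themselves. The `${dir}` expansions in the loop are unquoted; the values are fixed paths here, but `"${dir}"` keeps ShellCheck clean if the list ever grows.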
8 changes: 0 additions & 8 deletions test/manifests/ingress-controller/mandatory.yaml
Expand Up @@ -251,14 +251,6 @@ spec:
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
- --watch-namespace=${NAMESPACE}
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
# www-data -> 33
runAsUser: 33
env:
- name: POD_NAME
valueFrom: