Merge pull request #691 from grafana/chaudum/run-as-non-root

[enterprise-logs] Run GEL as non-root user `enterprise-logs`
grafana · Sep 22, 2021 · d22134d · d22134d
2 parents df6c754 + a736998
commit d22134d
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 15 deletions.
diff --git a/charts/enterprise-logs/CHANGELOG.md b/charts/enterprise-logs/CHANGELOG.md
@@ -11,6 +11,10 @@ Entries should be ordered as follows:
 
 Entries should include a reference to the pull request that introduced the change.
 
+## 1.1.1
+
+- [BUGFIX] Ensure that Pods run as non-root user `enterprise-logs` (`uid=10001,gid=10001`). #690
+
 ## 1.1.0
 
 * [CHANGE] Updated `loki-distributed` chart dependency to `^0.37.3`. #684

diff --git a/charts/enterprise-logs/Chart.yaml b/charts/enterprise-logs/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: "v2"
 name: "enterprise-logs"
 type: application
-version: "1.1.0"
+version: "1.1.1"
 appVersion: "v1.1.0"
 kubeVersion: "^1.10.0-0"
 description: "Grafana Enterprise Logs"

diff --git a/charts/enterprise-logs/templates/admin-api/deployment-admin-api.yaml b/charts/enterprise-logs/templates/admin-api/deployment-admin-api.yaml
@@ -42,8 +42,10 @@ spec:
       priorityClassName: {{ .Values.adminApi.priorityClassName }}
       {{- end }}
       securityContext:
-        {{- toYaml .Values.adminApi.securityContext | nindent 8 }}
+        fsGroup: 10001
       initContainers:
+      # Taken from
+      # https://github.com/minio/charts/blob/a5c84bcbad884728bff5c9c23541f936d57a13b3/minio/templates/post-install-create-bucket-job.yaml
       {{- if .Values.minio.enabled }}
         - name: minio-mc
           image: "{{ .Values.minio.mcImage.repository }}:{{ .Values.minio.mcImage.tag }}"
@@ -115,6 +117,7 @@ spec:
             {{- toYaml .Values.adminApi.resources | nindent 12 }}
           securityContext:
             readOnlyRootFilesystem: true
+            {{- toYaml .Values.adminApi.securityContext | nindent 12 }}
           env:
             {{- if .Values.adminApi.env }}
             {{ toYaml .Values.adminApi.env | nindent 12 }}

diff --git a/charts/enterprise-logs/values.yaml b/charts/enterprise-logs/values.yaml
@@ -195,8 +195,10 @@ tokengen:
   extraVolumes: []
   # -- Additional volume mounts for Pods
   extraVolumeMounts: []
+  # -- Run containers as user `enterprise-logs(uid=10001)`
   securityContext:
     runAsNonRoot: true
+    runAsGroup: 10001
     runAsUser: 10001
     fsGroup: 10001
 
@@ -210,14 +212,18 @@ adminApi:
   labels: {}
   # -- Additional annotations for the `admin-api` Deployment
   annotations: {}
-
+  # -- Additional labels and annotations for the `admin-api` Service
   service:
-    # -- Additional labels for the `admin-api` Service
     labels: {}
-    # -- Additional annotations for the `admin-api` Service
     annotations: {}
+  # -- Run container as user `enterprise-logs(uid=10001)`
+  # `fsGroup` must not be specified, because these security options are applied
+  # on container level not on Pod level.
+  securityContext:
+    runAsNonRoot: true
+    runAsGroup: 10001
+    runAsUser: 10001
 
-  securityContext: {}
   strategy:
     type: RollingUpdate
 
@@ -269,17 +275,20 @@ gateway:
   labels: {}
   # -- Additional annotations for the `gateway` Pod
   annotations: {}
-
+  # -- Additional labels and annotations for the `gateway` Service
   service:
-    # -- Additional labels for the `gateway` Service
     labels: {}
-    # -- Additional annotations for the `gateway` Service
     annotations: {}
+  # -- Run container as user `enterprise-logs(uid=10001)`
+  securityContext:
+    runAsNonRoot: true
+    runAsGroup: 10001
+    runAsUser: 10001
+    fsGroup: 10001
 
   # If you want to use your own proxy URLs, set this to false.
   useDefaultProxyURLs: true
 
-  securityContext: {}
   strategy:
     type: RollingUpdate
 
@@ -332,14 +341,17 @@ compactor:
   labels: {}
   # -- Additional annotations for the `compactor` Pod
   annotations: {}
-
+  # -- Additional labels and annotations for the `compactor` Service
   service:
-    # -- Additional labels for the `compactor` Service
     labels: {}
-    # -- Additional annotations for the `compactor` Service
     annotations: {}
+  # -- Run containers as user `enterprise-logs(uid=10001)`
+  securityContext:
+    runAsNonRoot: true
+    runAsGroup: 10001
+    runAsUser: 10001
+    fsGroup: 10001
 
-  securityContext: {}
   strategy:
     type: RollingUpdate
 
@@ -449,7 +461,7 @@ loki-distributed:
   # RBAC configuration
   rbac:
     # -- If enabled, a PodSecurityPolicy is created
-    pspEnabled: false
+    pspEnabled: true
 
   # -- Compactor is defined in parent chart
   compactor: