-
Notifications
You must be signed in to change notification settings - Fork 90
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #414 from SSIRKC/patch-1
doc: TRG 4.07: Read-Only Filesystem (DRAFT)
- Loading branch information
Showing
1 changed file
with
134 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,134 @@ | ||
| --- | ||
| title: TRG 4.07 - Read-only filesystems | ||
| --- | ||
|
|
||
| :::caution | ||
| Proposed release date: 01st of Nov 2023 | ||
| ::: | ||
|
|
||
| | Status | Created | Post-History | | ||
| |------------|--------------|----------------------------------------| | ||
| | Draft | 03-Octo-2023 | Initial contribution | | ||
| | Draft | 11-Nove-2023 | Added fixes to overwrite tmp | | ||
|
|
||
| ## Why | ||
|
|
||
| The read-only root filesystem right can limit the impact of container compromise when set properly. | ||
| This can prevent malicous processes or applications from writing back to the host file system. | ||
| Such a setting can be an extra protection layer to prevent an attack. | ||
|
|
||
| ## Description | ||
|
|
||
| The read-only filesystem configuration is defined in the deployment yaml. The security context parameters are assigned to the pod. | ||
| This ensures that unpriviledged access cannot be abused to install malicous software of write to the file system. This control is by default false. | ||
| Therefore it is to be considered for each deployment if the flag can be set to the recommended value "true". Only read in this case. | ||
|
|
||
| ### Implementation | ||
|
|
||
| The container's **Pod resource file (yaml)** has to be modified to set rights to read-only. | ||
|
|
||
| Mounts the container's root filesystem as read-only: | ||
|
|
||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: read-only | ||
| spec: | ||
| containers: | ||
| ... | ||
| # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod | ||
| securityContext: | ||
| capabilities: | ||
| # -- Specifies which capabilities to drop to reduce syscall attack surface | ||
| drop: | ||
| - ALL | ||
| # -- Specifies which capabilities to add to issue specialized syscalls | ||
| add: [] | ||
| # -- Whether the root filesystem is mounted in read-only mode | ||
| readOnlyRootFilesystem: true | ||
| # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | ||
| allowPrivilegeEscalation: false | ||
| # -- Requires the container to run without root privileges | ||
| runAsNonRoot: true | ||
| # -- The container's process will run with the specified uid | ||
| runAsUser: 10001 | ||
| ``` | ||
| In some cases you might encounter the issue that tmp cannot be overwritten: | ||
| ```log | ||
| [emerg] 1#1: mkdir() "/tmp/proxy_temp" failed (30: Read-only file system) | ||
| nginx: [emerg] mkdir() "/tmp/proxy_temp" failed (30: Read-only file system) | ||
| ``` | ||
| To fix this you need to make tmp writeable and mount /tmp to emptyDir. | ||
| ```yaml | ||
| spec: | ||
| securityContext: | ||
| runAsUser: 999 | ||
| containers: | ||
| - image: nginxinc/nginx-unprivileged:latest | ||
| imagePullPolicy: Always | ||
| name: nginx | ||
| ports: | ||
| - containerPort: 8080 //ONLY open ports that are necessary to run | ||
| protocol: TCP | ||
| securityContext: | ||
| capabilities: | ||
| drop: | ||
| - NET_RAW //ONLY required if your containers have NET_RAW capability | ||
| runAsNonRoot: true | ||
| allowPrivilegeEscalation: false | ||
| readOnlyRootFilesystem: true | ||
| resources: //Set proper limits for your container | ||
| . | ||
| . | ||
| . | ||
| volumeMounts: | ||
| - mountPath: /tmp | ||
| name: tmp | ||
| volumes: | ||
| - emptyDir: {} | ||
| name: tmp | ||
| ``` | ||
| Checkout these great Tractus-X template examples. | ||
| K8s Deployment: | ||
| [EDC Security Context 1](https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/templates/deployment-controlplane.yaml#L54-L55) | ||
| [EDC Security Context 2](https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/templates/deployment-controlplane.yaml#L81-L82) | ||
| Values.yaml: | ||
| [EDC Security Context 3](https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/values.yaml#L145-L155) | ||
| [EDC Security Context 4](https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/values.yaml#L156-L171) | ||
| ### Temporary Folders (If needed) | ||
| A temporary filesystem (tmpfs) works similiar like a regular volume. Everything written to this filesystem will be removed when the container gets terminated. | ||
| In the case that an executable in your container should need a temporary folder for logging or spooling purposes, you can mount a writable emptydir volume as follows: | ||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: temporary-folder | ||
| spec: | ||
| containers: | ||
| - name: sample-container-which-needs-temporary-folder | ||
| image: your-image | ||
| securityContext: | ||
| readOnlyRootFilesystem: true | ||
| volumeMounts: | ||
| - name: tempfolder | ||
| mountPath: /tmp | ||
| readOnly: false | ||
| volumes: | ||
| - name: tempfolder | ||
| emptyDir: {} | ||
| ``` |