Comments (14)
Related to aerokube/moon#128.
from moon-deploy.
@vania-pooh and when will it be done?) A year has gone by since you opened that issue :)
@Asgoret added docs about it here: https://aerokube.com/moon/latest/#_using_custom_service_account
@vania-pooh Thanks! I will try this and open an error issue if something goes wrong :)
@vania-pooh one question...
I guess it's the SELinux problem. Is there any security workaround to fix it? I already created service.json but it doesn't help.
2020/04/20 16:30:41 [FORBIDDEN_TO_CREATE_POD] [browsers] [<IP NODE 1>, <IP NODE 2>] [chrome-48-0-d0cad75f-26c4-4754-be7a-495cc599f093] [pods "chrome-48-0-d0cad75f-26c4-4754-be7a-495cc599f093" is forbidden: unable to validate against any security context constraint: [capabilities.add: Invalid value: "SYS_ADMIN": capability may not be added]] [0.01s]
service.json

```yaml
- kind: ConfigMap
  apiVersion: v1
  metadata:
    labels:
      app: moon
    name: config
    namespace: moon
  data:
    service.json: |
      {
        "kernelCaps": [ "SYS_ADMIN" ]
      }
```
@Asgoret this was fixed in Moon 1.4.2. Starting from this release it does not add the SYS_ADMIN capability.
@vania-pooh And another (in OKD 3.11 if it's necessary :)
2020/04/21 07:28:24 [FORBIDDEN_TO_CREATE_POD] [browsers] [<POD IP 1>, <POD IP 2>] [chrome-48-0-9624ff5b-923d-4b66-ac6a-5b00eb1c9033] [pods "chrome-48-0-9624ff5b-923d-4b66-ac6a-5b00eb1c9033" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{65534}: 65534 is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 106: must be in the ranges: [1000330000, 1000339999] spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 106: must be in the ranges: [1000330000, 1000339999]]] [0.03s]
UPD#1: runAs doesn't work. Is there any way of disabling the static UID\GID?
UPD#1.1: Add the SCC anyuid to the SA
UPD#2: Can't mount token
UPD#2.2: Add the resource PVC to the role for the SA
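The two `FORBIDDEN_TO_CREATE_POD` messages in this thread (the SYS_ADMIN one above and the runAsUser/fsGroup one in this comment) come from OpenShift's `restricted` SCC rejecting the browser pod. The script below is an added example written for this thread, not code from Moon or OpenShift: it re-implements those three admission checks in plain Python so a deployer can pre-flight a pod spec before the scheduler does. `SccPolicy`, `validate_pod`, `first_admitting_scc` and the sample pod are all assumptions modelled on the numbers in the log lines (UID range 1000330000-1000339999, UID 106, fsGroup 65534); the `anyuid` policy models what `oc adm policy add-scc-to-user anyuid -z moon` grants, and the "Moon >= 1.4.2" pod simply omits the capability request.

```python
"""Pre-flight check of a pod spec against an SCC-like policy (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SccPolicy:
    name: str
    uid_ranges: List[Tuple[int, int]]      # empty list == any UID allowed
    fsgroup_ranges: List[Tuple[int, int]]  # empty list == any fsGroup allowed
    allowed_add_caps: List[str] = field(default_factory=list)


# Constructed to mirror the error text: the namespace was assigned the
# UID/GID range 1000330000-1000339999 and no capability may be added.
RESTRICTED = SccPolicy("restricted", [(1000330000, 1000339999)],
                       [(1000330000, 1000339999)])
# Constructed to mirror the effect of `oc adm policy add-scc-to-user anyuid`:
# any UID/fsGroup is accepted, but SYS_ADMIN still may not be added.
ANYUID = SccPolicy("anyuid", [], [])


def _in_ranges(value: int, ranges: List[Tuple[int, int]]) -> bool:
    return not ranges or any(lo <= value <= hi for lo, hi in ranges)


def validate_pod(pod: dict, policy: SccPolicy) -> List[str]:
    """Return SCC-style violation messages; an empty list means admitted."""
    problems: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    fs_group = pod_sc.get("fsGroup")
    if fs_group is not None and not _in_ranges(fs_group, policy.fsgroup_ranges):
        problems.append(f"fsGroup: Invalid value: {fs_group}: not an allowed group")
    for i, container in enumerate(spec.get("containers", [])):
        sc = container.get("securityContext", {})
        # A container-level runAsUser overrides the pod-level one, as in Kubernetes.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is not None and not _in_ranges(uid, policy.uid_ranges):
            problems.append(
                f"spec.containers[{i}].securityContext.runAsUser: Invalid value: "
                f"{uid}: must be in the ranges: {policy.uid_ranges}")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in policy.allowed_add_caps:
                problems.append(
                    f"spec.containers[{i}] capabilities.add: Invalid value: "
                    f"{cap!r}: capability may not be added")
    return problems


def first_admitting_scc(pod: dict, policies: List[SccPolicy]) -> Optional[str]:
    """Name of the first policy that admits the pod, or None. None is what
    'unable to validate against any security context constraint' means."""
    for policy in policies:
        if not validate_pod(pod, policy):
            return policy.name
    return None


def browser_pod(add_sys_admin: bool) -> dict:
    """Constructed two-container pod shaped like the ones in the log lines:
    both containers run as UID 106, the pod sets fsGroup 65534, and before
    Moon 1.4.2 the browser container additionally asked for SYS_ADMIN."""
    browser_sc = {"runAsUser": 106}
    if add_sys_admin:
        browser_sc["capabilities"] = {"add": ["SYS_ADMIN"]}
    return {
        "metadata": {"name": "chrome-48-0-example", "namespace": "moon"},
        "spec": {
            "securityContext": {"fsGroup": 65534},
            "containers": [
                {"name": "browser", "securityContext": browser_sc},
                {"name": "sidecar", "securityContext": {"runAsUser": 106}},
            ],
        },
    }


if __name__ == "__main__":
    for label, pod in (("Moon < 1.4.2", browser_pod(True)),
                       ("Moon >= 1.4.2", browser_pod(False))):
        for policy in (RESTRICTED, ANYUID):
            print(f"{label} vs {policy.name}:", validate_pod(pod, policy) or "admitted")
        print(f"{label}: admitted by", first_admitting_scc(pod, [RESTRICTED, ANYUID]))
```

Running it shows the sequence this thread went through: the old pod fails `restricted` on all of fsGroup, both runAsUser values and SYS_ADMIN; granting `anyuid` clears the UID/GID findings but not the capability; only the 1.4.2 pod combined with `anyuid` is admitted.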
@vania-pooh I think that I found all the security issues, so here is some update for the documentation (or a template for OpenShift, as you decide):
- Namespace role for the service:

```yaml
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    labels:
      app: moon
    name: moon-role
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: 'false'
  rules:
    - verbs:
        - create
        - delete
        - get
        - list
        - watch
      apiGroups:
        - ''
      resources:
        - pods
    - verbs:
        - get
        - list
        - watch
      apiGroups:
        - ''
      resources:
        - configmaps
        - resourcequotas
        - secrets
        - services
        - persistentvolumeclaims
```

And one question: why does the pod with the browser mount the secret of the default SA? It must mount the token for its defined SA.
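The Role above is a least-privilege grant, and the question that follows it is about which service account token the browser pod ends up mounting. As an added example (not Moon's code), the script below flattens a Role into explicit `(apiGroup, resource, verb)` triples so a reviewer can see wildcards and anything beyond an agreed baseline, and reports which account's token a pod spec will mount. `MOON_ROLE` is the Role posted in the comment; `LAZY_ROLE`, the baseline and the pod specs are constructed for contrast, and `expand_rules`, `review_role` and `sa_token_report` are names assumed here.

```python
"""Least-privilege review of an RBAC Role plus a service-account token check (added example)."""
from typing import Dict, List, Set, Tuple

Perm = Tuple[str, str, str]  # (apiGroup, resource, verb); "" is the core group

# The Role from the comment above, as a dict.
MOON_ROLE = {
    "kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "moon-role", "labels": {"app": "moon"}},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["create", "delete", "get", "list", "watch"]},
        {"apiGroups": [""],
         "resources": ["configmaps", "resourcequotas", "secrets",
                       "services", "persistentvolumeclaims"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed "works on my cluster" Role: a wildcard rule plus write access to secrets.
LAZY_ROLE = {
    "kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "moon-admin"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "update"]},
    ],
}


def expand_rules(role: dict) -> Set[Perm]:
    """Flatten every rule into explicit (group, resource, verb) triples."""
    perms: Set[Perm] = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    perms.add((group, resource, verb))
    return perms


# Constructed baseline: the permissions the posted Role grants, nothing more.
BASELINE: Set[Perm] = expand_rules(MOON_ROLE)


def review_role(role: dict, baseline: Set[Perm]) -> Dict[str, List[Perm]]:
    """Report wildcard grants separately from literal grants outside the baseline."""
    perms = expand_rules(role)
    wildcards = sorted(p for p in perms if "*" in p)
    excess = sorted(p for p in perms if "*" not in p and p not in baseline)
    return {"wildcards": wildcards, "excess": excess}


def sa_token_report(pod: dict) -> Dict[str, object]:
    """Which service account's token will this pod mount?  A pod with no
    serviceAccountName gets the namespace's `default` account, which is the
    situation the comment above asks about.  automountServiceAccountToken
    is assumed true when unset, as it is unless the ServiceAccount object
    itself disables it."""
    spec = pod.get("spec", {})
    sa = spec.get("serviceAccountName") or "default"
    automount = bool(spec.get("automountServiceAccountToken", True))
    return {
        "serviceAccount": sa,
        "mountsToken": automount,
        "usesDefaultAccount": sa == "default" and automount,
    }


if __name__ == "__main__":
    for role in (MOON_ROLE, LAZY_ROLE):
        print(role["metadata"]["name"], review_role(role, BASELINE))
    # Constructed pod specs: one without serviceAccountName, one bound to "moon".
    print(sa_token_report({"spec": {"containers": []}}))
    print(sa_token_report({"spec": {"serviceAccountName": "moon", "containers": []}}))
```

The token report is the practical answer to the question in the comment: a pod template that sets no `serviceAccountName` silently runs under `default`, so the least-privilege Role only takes effect once the browser pods are actually bound to the intended account.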
@vania-pooh Also not added in openshift deploy: #63
@Asgoret we are trying to not overcomplicate things. For the majority of users default settings should work. So we prefer to describe a working approach in documentation.
@vania-pooh Well... It's not very complicated if you deploy it in OpenShift\OKD, because there is a lot of other security stuff there :) Anyway, it's just good practice to do secure deployments and not give useless privileges to service accounts or users :)
Is there any way to add the flag --no-sandbox to the chrome & opera pods? I can't find in the documentation where it should go (it's needed because Chromium tries to create a new user namespace and move into it, but the kernel settings don't allow this by default. So you must start them in privileged mode or change the default setting of your kernel).
UPD#1: Also plz add it to the documentation in the OKD|OpenShift section:
- Command which allows starting pods from any uid (because the UID|GID is hardcoded), needed for all:
oc adm policy add-scc-to-user anyuid -z moon
UPD#2: Also caught this error, but as far as I know it doesn't affect how the pods work.
Error from the chromium 80 pod logs:
Failed to connect to the bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
> Is there any way to add flag --no-sandbox to chrome & opera pods?

Chrome flags could be passed from Selenium capabilities.

> Failed to connect to the bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory

Simply ignore this. We don't have DBUS inside browser images.
@vania-pooh I'm not very familiar with Selenium. You mean our testers must add it on the client side, or must I add this flag on the server side?
UPD: Tested with the testers, it's on the client side
@Asgoret they should specify in their tests something like this (below is a Java example):

```java
import org.openqa.selenium.chrome.ChromeOptions;

// Browser flags are passed as Selenium capabilities from the test itself;
// chromedriver forwards each added argument to the Chrome process.
final ChromeOptions browser = new ChromeOptions();
browser.addArguments("no-sandbox");
```