Security issue about moon-deploy HOT 14 CLOSED

Related to aerokube/moon#128.

from moon-deploy.

@vania-pooh and when it will be done?) Year has gone since you opened that issue :)

from moon-deploy.

@Asgoret added docs about it here: https://aerokube.com/moon/latest/#_using_custom_service_account

from moon-deploy.

@vania-pooh Thanks! I will try this and open error issue if something goes wrong :)

from moon-deploy.

@vania-pooh one question...

I guess it's the SELinux problem. Is there any security workaround to fix it? I already create service.json but it doesn't help.

2020/04/20 16:30:41 [FORBIDDEN_TO_CREATE_POD] [browsers] [<IP NODE 1>, <IP NODE 2>] [chrome-48-0-d0cad75f-26c4-4754-be7a-495cc599f093] [pods "chrome-48-0-d0cad75f-26c4-4754-be7a-495cc599f093" is forbidden: unable to validate against any security context constraint: [capabilities.add: Invalid value: "SYS_ADMIN": capability may not be added]] [0.01s]

service.json

  - kind: ConfigMap
    apiVersion: v1
    metadata:
      labels:
        app: moon
      name: config
      namespace: moon
    data:
      service.json: |
        {
          "kernelCaps": [ "SYS_ADMIN" ]
        }

from moon-deploy.

@Asgoret this was fixed in Moon 1.4.2. Starting from this release it does not add SYS_ADMIN capability.

from moon-deploy.

@vania-pooh And another (in OKD 3.11 if it's necessary :)

2020/04/21 07:28:24 [FORBIDDEN_TO_CREATE_POD] [browsers] [<POD IP 1>, <POD IP 2>] [chrome-48-0-9624ff5b-923d-4b66-ac6a-5b00eb1c9033] [pods "chrome-48-0-9624ff5b-923d-4b66-ac6a-5b00eb1c9033" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{65534}: 65534 is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 106: must be in the ranges: [1000330000, 1000339999] spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 106: must be in the ranges: [1000330000, 1000339999]]] [0.03s]

UPD#1: runAs doesn't work. Is there any way for disabling static UID\GID?
UPD#1.1: Add SCC anyuid to SA
UPD#2: Can't mount token
UPD#2.2: Add the resource PVC to the role for SA

from moon-deploy.

@vania-pooh I think that I found all security issues, so some update for documentation (or template for openshift as you decide):

1. Namespace role for service:

  - kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      labels:
        app: moon
      name: moon-role
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: 'false'
    rules:
      - verbs:
          - create
          - delete
          - get
          - list
          - watch
        apiGroups:
          - ''
        resources:
          - pods
      - verbs:
          - get
          - list
          - watch
        apiGroups:
          - ''
        resources:
          - configmaps
          - resourcequotas
          - secrets  
          - services
          - persistentvolumeclaims

And 1 question: why pod with browser mount secret of default SA? It must mount token for his define SA

from moon-deploy.

@vania-pooh Also not added in openshift deploy: #63

from moon-deploy.

@Asgoret we are trying to not overcomplicate things. For the majority of users default settings should work. So we prefer to describe a working approach in documentation.

from moon-deploy.

@vania-pooh Well... It's not very complicated if you deploy it in openshift\okd because there a lot of other security stuff :) Anyway it's just good practice to do security deployments and don't give useless privileges to service accounts or users :)

Is there any way to add flag --no-sandbox to chrome & opera pods? I can't find in documentation in which place it will work (it needs because chromium tries to create new user namespace and moves there, but kernel settings don't allow this by default. So you must start them in privileged mode or change the default setting of your kernel)

UPD#1: Also plz add it to documentation for section OKD|Openshift

1. Command which allow start pods from any uid (because UID|GID hardcoded) needs for all:

• oc adm policy add-scc-to-user anyuid -z moon

UPD#2: Also catch this error, but as I know doesn't affect on work pods
Error from chromium 80 pod logs:
Failed to connect to the bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory

from moon-deploy.

@Asgoret

Is there any way to add flag --no-sandbox to chrome & opera pods?

Chrome flags could be passed from Selenium capabilities.

Failed to connect to the bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory

Simply ignore this. We don't have DBUS inside browser images.

from moon-deploy.

@vania-pooh I'm not very familiar with selenium. You mean it's our testers must encode it on client-side or I must add this flag on server-side?

UPD: Test with testers, on client-side

from moon-deploy.

@Asgoret they should specify in their tests something like this (below is a Java example):

final ChromeOptions browser = new ChromeOptions();
browser.addArguments("no-sandbox");

from moon-deploy.