Run VLAN NSE,NSC as non-root

zolug · zolug · commit 58c13e5fe83d · 2022-07-13T11:46:49.000+02:00
VLAN NSE does not require any changes or capabilities to run as non-root.

NSC requires CAP_DAC_OVERRIDE to write to nsm-sock, and optionally CAP_NET_RAW
to use ping from the container. (The Dockerfile must be changed accordingly.)
diff --git a/deployments/helm/templates/load-balancer.yaml b/deployments/helm/templates/load-balancer.yaml
@@ -120,6 +120,17 @@ spec:
             - name: nsm-socket
               mountPath: /var/lib/networkservicemesh
               readOnly: true
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: {{ .Values.vlanNSC.userId }}
+            runAsGroup: {{ .Values.vlanNSC.userId }}
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - all
+              add:
+              - DAC_OVERRIDE
+              - NET_RAW
         - name: fe
           image: {{ .Values.registry }}/{{ .Values.organization }}/{{ .Values.frontEnd.image }}:{{ .Values.frontEnd.version }}
           imagePullPolicy: {{ .Values.pullPolicy }}
diff --git a/deployments/helm/templates/nse-vlan.yaml b/deployments/helm/templates/nse-vlan.yaml
@@ -29,7 +29,13 @@ spec:
             - containerPort: 5003
               hostPort: 5003
           securityContext:
+            runAsNonRoot: true
+            runAsUser: {{ .Values.vlanNSE.userId }}
+            runAsGroup: {{ .Values.vlanNSE.userId }}
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - all
           env:
             - name: SPIFFE_ENDPOINT_SOCKET
               value: unix:///run/spire/sockets/agent.sock
diff --git a/deployments/helm/values.yaml b/deployments/helm/values.yaml
@@ -99,10 +99,12 @@ vlanNSE:
   probe:
     addr: :5003
     spiffe: true
+  userId: 10000
 
 vlanNSC:
   image: cmd-nsc
   version: v1.4.0
+  userId: 10000
 
 vlan:
   networkServiceName: external-vlan
