Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update security context for HA chart #106

Merged
merged 2 commits into from
Jan 27, 2025
Merged

Update security context for HA chart #106

merged 2 commits into from
Jan 27, 2025

Conversation

as51340
Copy link
Collaborator

@as51340 as51340 commented Jan 24, 2025
edited
Loading

The PR deals with two things:

  1. Improving securityContext of init container
    Init container needs to be run with root permissions. fsGroup is not respected on all cloud platforms (tried on Azure AKS and didn't work) so the most general solution is using init container. Changing ownership of /var/log/memgraph and /var/lib/memgraph is enough. For that you don't need privileged access. runAsNonRoot field was unnecessary. Dropping all capabilities requires ALL instead of all.
  2. Improving securityContext of memgraph-coordinator container
    The user 'memgraph' runs memgraph-coordinator container. Improved version removes all capabilities from memgraph user and forbids privilege escalation.

@as51340 as51340 added this to the Memgraph 2.23 milestone Jan 24, 2025
@as51340 as51340 self-assigned this Jan 24, 2025
@as51340 as51340 force-pushed the update-security-context branch from 8c572e5 to a145e76 Compare January 24, 2025 12:03
This was linked to issues Jan 24, 2025
Memgraph HA chart requires privileged access for init container #107
Closed
Restrict permissions of Memgraph HA chart #108
Closed
@as51340 as51340 mentioned this pull request Jan 24, 2025
Merged
11 tasks
antejavor
antejavor approved these changes Jan 27, 2025
View reviewed changes
Copy link
Collaborator

@antejavor antejavor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@as51340 as51340 added the memgraph-ha Memgraph HA chart issue label Jan 27, 2025
@as51340 as51340 force-pushed the update-security-context branch from a145e76 to aedd89b Compare January 27, 2025 12:55
@as51340 as51340 merged commit c6fb726 into main Jan 27, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@antejavor antejavor antejavor approved these changes

@katarinasupe katarinasupe Awaiting requested review from katarinasupe katarinasupe is a code owner

Assignees

@as51340 as51340

Labels
memgraph-ha Memgraph HA chart issue
Projects
None yet
Milestone
Memgraph 2.23
Development

Successfully merging this pull request may close these issues.

Restrict permissions of Memgraph HA chart Memgraph HA chart requires privileged access for init container
2 participants
@as51340 @antejavor