From b604858202a4de09ac6b14d63eec9a26c97490db Mon Sep 17 00:00:00 2001
From: Andi Skrgat
Date: Fri, 24 Jan 2025 11:52:13 +0100
Subject: [PATCH 1/2] Update security context for changing permissions of volume mounts
---
 .../templates/coordinators.yaml | 18 ++++++------------
 .../templates/data.yaml | 18 ++++++------------
 charts/memgraph-high-availability/values.yaml | 7 ++++---
 3 files changed, 16 insertions(+), 27 deletions(-)
diff --git a/charts/memgraph-high-availability/templates/coordinators.yaml b/charts/memgraph-high-availability/templates/coordinators.yaml
index c6fef61..0dab291 100644
--- a/charts/memgraph-high-availability/templates/coordinators.yaml
+++ b/charts/memgraph-high-availability/templates/coordinators.yaml
@@ -82,23 +82,21 @@ spec: - name: memgraph-coordinator-{{ $coordinator.id }}-log-storage mountPath: /var/log/memgraph command: [ "/bin/sh","-c" ] - args: [ "chown -R memgraph:memgraph /var/log; chown -R memgraph:memgraph /var/lib" ] + args: [ "chown -R memgraph:memgraph /var/log/memgraph; chown -R memgraph:memgraph /var/lib/memgraph" ] securityContext: - privileged: true - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true + runAsUser: 0 # Run as root capabilities: - drop: [ "all" ] + drop: [ "ALL" ] add: [ "CHOWN" ] - runAsUser: 0 - runAsNonRoot: false - {{- if $.Values.sysctlInitContainer.enabled }} + {{- if $.Values.sysctlInitContainer.enabled }} - name: init-sysctl image: busybox command: ['sh', '-c', 'sysctl -w vm.max_map_count={{ $.Values.sysctlInitContainer.maxMapCount }}'] securityContext: privileged: true runAsUser: 0 - {{- end }} + {{- end }} containers: - name: memgraph-coordinator
@@ -140,9 +138,7 @@ spec: spec: accessModes: - {{ $.Values.storage.libStorageAccessMode}} - {{- if $.Values.storage.libStorageClassName }} storageClassName: {{ $.Values.storage.libStorageClassName }} - {{- end }} resources: requests: storage: {{ $.Values.storage.libPVCSize }} 
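Review bot: In the new `args:` line of the first hunk the two chown commands are joined with `;`, so the init container's exit status is that of the second chown alone and a failure on `/var/log/memgraph` (unexpected mount, read-only volume, no `memgraph` entry in the init image's passwd) is silently swallowed before the main container starts and then fails less legibly; `args: [ "chown -R memgraph:memgraph /var/log/memgraph && chown -R memgraph:memgraph /var/lib/memgraph" ]` (or a leading `set -e`) makes the init step fail where the cause is. The rewritten `securityContext` also leaves `allowPrivilegeEscalation` at its default of true; with the bounding set already reduced to CHOWN the practical exposure is small, but `allowPrivilegeEscalation: false` plus `seccompProfile:` / `type: RuntimeDefault` cost nothing for a chown and keep this root init container as tight as the rest of the pod. The `# Run as root` comment restates the key; `# root + CAP_CHOWN only: fixes ownership of freshly provisioned PVCs` would explain why root is needed here. The init container's `name:`/`image:` lines are above the hunk, so I cannot confirm which image the `memgraph` user name is resolved through; the identical hunk in data.yaml needs the same changes.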
@@ -152,9 +148,7 @@ spec: spec: accessModes: - {{ $.Values.storage.logStorageAccessMode}} - {{- if $.Values.storage.logStorageClassName }} storageClassName: {{ $.Values.storage.logStorageClassName }} - {{- end }} resources: requests: storage: {{ $.Values.storage.logPVCSize }}
diff --git a/charts/memgraph-high-availability/templates/data.yaml b/charts/memgraph-high-availability/templates/data.yaml
index fc42def..88be229 100644
--- a/charts/memgraph-high-availability/templates/data.yaml
+++ b/charts/memgraph-high-availability/templates/data.yaml
@@ -92,23 +92,21 @@ spec: - name: memgraph-data-{{ $data.id }}-log-storage mountPath: /var/log/memgraph command: [ "/bin/sh","-c" ] - args: [ "chown -R memgraph:memgraph /var/log; chown -R memgraph:memgraph /var/lib" ] + args: [ "chown -R memgraph:memgraph /var/log/memgraph; chown -R memgraph:memgraph /var/lib/memgraph" ] securityContext: - privileged: true - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true + runAsUser: 0 # Run as root capabilities: - drop: [ "all" ] + drop: [ "ALL" ] add: [ "CHOWN" ] - runAsUser: 0 - runAsNonRoot: false - {{- if $.Values.sysctlInitContainer.enabled }} + {{- if $.Values.sysctlInitContainer.enabled }} - name: init-sysctl image: busybox command: ['sh', '-c', 'sysctl -w vm.max_map_count={{ $.Values.sysctlInitContainer.maxMapCount }}'] securityContext: privileged: true runAsUser: 0 - {{- end }} + {{- end }} containers: - name: memgraph-data
@@ -150,9 +148,7 @@ spec: spec: accessModes: - {{ $.Values.storage.libStorageAccessMode}} - {{- if $.Values.storage.libStorageClassName }} storageClassName: {{ $.Values.storage.libStorageClassName }} - {{- end }} resources: requests: storage: {{ $.Values.storage.libPVCSize }}
@@ -161,9 +157,7 @@ spec: spec: accessModes: - {{ $.Values.storage.logStorageAccessMode}} - {{- if $.Values.storage.logStorageClassName }} storageClassName: {{ $.Values.storage.logStorageClassName }} - {{- end }} resources: requests: storage: {{ $.Values.storage.logPVCSize }} 
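Review bot: The new `args:` in the data.yaml init container still runs `chown -R` over the whole `/var/lib/memgraph` volume on every pod start, not only on first provisioning, so restart time grows with the number of files in the data directory and the chart keeps a root init container solely for this; Kubernetes can do the same ownership fix itself through a pod-level `securityContext` with `fsGroup: <memgraph gid>` and `fsGroupChangePolicy: "OnRootMismatch"`, which touches the volume only when its root's ownership differs and needs no root container or CHOWN capability. The caveats are that fsGroup changes group ownership (and sets the setgid bit) rather than the owner, so the memgraph process must be fine with group-writable directories, and that the memgraph uid/gid is not visible in this hunk; if that is acceptable the chown init container can go, otherwise keep it but consider gating it behind a values flag so hardened clusters that forbid root containers can disable it. The `initContainers:` list this hunk edits starts above the hunk, so I cannot see whether the init container uses the memgraph image itself.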
diff --git a/charts/memgraph-high-availability/values.yaml b/charts/memgraph-high-availability/values.yaml
index c8dc389..58bf726 100644
--- a/charts/memgraph-high-availability/values.yaml
+++ b/charts/memgraph-high-availability/values.yaml
@@ -1,6 +1,7 @@ image: - repository: memgraph/memgraph - tag: 2.22.0 + repository: memgraphacrha.azurecr.io/memgraph/memgraph + #tag: 2.22.0_23_8cb3c39c21 + tag: 2.22.0_30_8a58da1477 pullPolicy: IfNotPresent env:
@@ -11,7 +12,7 @@ storage: libPVCSize: "1Gi" libStorageAccessMode: "ReadWriteOnce" # By default the name of the storage class isn't set which means that the default storage class will be used. - # If you set any name, such storage class must exist. + # If you set any name, the storage class with such name must exist. libStorageClassName: logPVCSize: "1Gi" logStorageAccessMode: "ReadWriteOnce"
From aedd89bbf6cd5b7ba22cdb509ac0a8c482f42bed Mon Sep 17 00:00:00 2001
From: Andi Skrgat
Date: Fri, 24 Jan 2025 12:17:14 +0100
Subject: [PATCH 2/2] Update security context for the running container
---
 .../memgraph-high-availability/templates/coordinators.yaml | 6 ++++++
 charts/memgraph-high-availability/templates/data.yaml | 6 ++++++
 charts/memgraph-high-availability/values.yaml | 7 +++----
 3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/charts/memgraph-high-availability/templates/coordinators.yaml b/charts/memgraph-high-availability/templates/coordinators.yaml
index 0dab291..ef802d7 100644
--- a/charts/memgraph-high-availability/templates/coordinators.yaml
+++ b/charts/memgraph-high-availability/templates/coordinators.yaml
@@ -132,6 +132,12 @@ spec: mountPath: /var/lib/memgraph - name: memgraph-coordinator-{{ $coordinator.id }}-log-storage mountPath: /var/log/memgraph + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + # Run by 'memgraph' user as specified in the Dockerfile + volumeClaimTemplates: - metadata: name: memgraph-coordinator-{{ $coordinator.id }}-lib-storage 
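Review bot: The `securityContext` added to the coordinator container relies on the comment `# Run by 'memgraph' user as specified in the Dockerfile` rather than on an enforced setting, so if `image.repository` is overridden (the first patch in this series shows it pointed at a private registry build) with an image that sets no `USER`, the container silently runs as root with nothing but capability drops; adding `runAsNonRoot: true` makes the kubelet refuse to start such a container. The kubelet can only validate a numeric image user, so if the Dockerfile says `USER memgraph` by name you also need `runAsUser: <memgraph uid>` (not visible here), otherwise the pod is rejected with a non-numeric-user error. `seccompProfile:` / `type: RuntimeDefault` is also absent; together with `runAsNonRoot` it brings the main container up to the restricted Pod Security Standard, which the chown init container cannot reach but this container can. The container spec this `securityContext` belongs to begins above the hunk.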
diff --git a/charts/memgraph-high-availability/templates/data.yaml b/charts/memgraph-high-availability/templates/data.yaml
index 88be229..26f6e99 100644
--- a/charts/memgraph-high-availability/templates/data.yaml
+++ b/charts/memgraph-high-availability/templates/data.yaml
@@ -142,6 +142,12 @@ spec: mountPath: /var/lib/memgraph - name: memgraph-data-{{ $data.id }}-log-storage mountPath: /var/log/memgraph + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + # Run by 'memgraph' user as specified in the Dockerfile + volumeClaimTemplates: - metadata: name: memgraph-data-{{ $data.id }}-lib-storage
diff --git a/charts/memgraph-high-availability/values.yaml b/charts/memgraph-high-availability/values.yaml
index 58bf726..c8dc389 100644
--- a/charts/memgraph-high-availability/values.yaml
+++ b/charts/memgraph-high-availability/values.yaml
@@ -1,7 +1,6 @@ image: - repository: memgraphacrha.azurecr.io/memgraph/memgraph - #tag: 2.22.0_23_8cb3c39c21 - tag: 2.22.0_30_8a58da1477 + repository: memgraph/memgraph + tag: 2.22.0 pullPolicy: IfNotPresent env:
@@ -12,7 +11,7 @@ storage: libPVCSize: "1Gi" libStorageAccessMode: "ReadWriteOnce" # By default the name of the storage class isn't set which means that the default storage class will be used. - # If you set any name, the storage class with such name must exist. + # If you set any name, such storage class must exist. libStorageClassName: logPVCSize: "1Gi" logStorageAccessMode: "ReadWriteOnce"
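Review bot: `readOnlyRootFilesystem` is not set on the data container even though the hunk's context lines show both its state (`/var/lib/memgraph`) and its logs (`/var/log/memgraph`) on mounted volumes, which is exactly the situation where `readOnlyRootFilesystem: true` is cheap and blocks on-disk tampering with the image; whether memgraph writes anywhere else on the image filesystem (a `/tmp` scratch path or an unpacked config, for instance) is not visible here, so it needs a test run, with an `emptyDir` mounted at any such path. As a point of style, the comment `# Run by 'memgraph' user as specified in the Dockerfile` sits after `drop: [ "ALL" ]` at the capabilities indent, where it reads as a remark about capabilities; move it directly under `securityContext:` and name the gap it documents, e.g. `# No runAsUser/runAsNonRoot here: relies on the image's USER being 'memgraph'`. The container spec this hunk extends starts above the hunk.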