Ensure templates ready for running containers as non-root

WhatsApp · Sep 19, 2023 · 0b7a913 · 0b7a913
1 parent 3fc1a47
commit 0b7a913
Show file tree

Hide file tree

Showing 8 changed files with 144 additions and 20 deletions.
diff --git a/src/azure/k8s-deployment.tf b/src/azure/k8s-deployment.tf
@@ -151,6 +151,11 @@ resource "kubernetes_deployment" "webapp" {
             }
           }
 
+          security_context {
+            run_as_user = 9009
+            fs_group    = 9009
+          }
+
           port {
             container_port = 443
           }
@@ -274,6 +279,11 @@ resource "kubernetes_deployment" "coreapp" {
             }
           }
 
+#          security_context {
+#            run_as_user = 9009
+#            fs_group    = 9009
+#          }
+
           port {
             container_port = 6250
           }
@@ -388,6 +398,13 @@ resource "kubernetes_deployment" "masterapp" {
             }
           }
 
+#          security_context {
+#            run_as_user  = "9009"
+#            run_as_group = "9009"
+#            fs_group     = "9009"
+#            run_as_non_root = true
+#          }
+
           port {
             container_port = 6250
           }

diff --git a/src/common_security_settings/output.tf b/src/common_security_settings/output.tf
diff --git a/src/common_security_settings/variables.tf b/src/common_security_settings/variables.tf
diff --git a/src/gcp/common_security.tf b/src/gcp/common_security.tf
@@ -0,0 +1,62 @@
+#
+# Copyright (c) Meta Platforms, Inc. and affiliates.
+
+# This source code is licensed under the MIT license found in the
+# LICENSE file in the root directory of this source tree.
+#
+
+# WhatsApp Business API GCP Template Version 1.0.0
+
+# General Configuration
+
+resource "kubernetes_pod_security_policy_v1beta1" "common_security_policy" {
+  metadata {
+    name = "common-security-policy"
+  }
+
+  spec {
+    privileged                 = false
+    allow_privilege_escalation = false
+
+    volumes = [
+      "*"
+    ]
+
+    run_as_user {
+      rule = "MustRunAs"
+      range {
+        min = var.user_id
+        max = var.user_id
+      }
+    }
+
+    se_linux {
+      rule = "RunAsAny"
+    }
+
+    run_as_group {
+       rule = "MustRunAs"
+      range {
+        min = var.group_id
+        max = var.group_id
+      }
+    }
+
+    supplemental_groups {
+      rule = "MustRunAs"
+      range {
+        min = var.supp_group_min
+        max = var.supp_group_max
+      }
+    }
+
+    fs_group {
+      rule = "MustRunAs"
+      range {
+        min = var.user_id
+        max = var.user_id
+      }
+    }
+    read_only_root_filesystem = true
+  }
+}
diff --git a/src/gcp/k8s-config.tf b/src/gcp/k8s-config.tf
@@ -47,7 +47,7 @@ resource "kubernetes_config_map" "env" {
     WA_DB_ENGINE                  = "MYSQL"
     WA_CONFIG_ON_DB               = "1"
     WA_RUNNING_ENV                = "GCP"
-    WA_APP_MULTICONNECT           = "1"
+    WA_APP_MULTICONNECT           = "0"
     WA_DB_CONNECTION_IDLE_TIMEOUT = "180000"
   }
 }

diff --git a/src/gcp/k8s-monitor.tf b/src/gcp/k8s-monitor.tf
@@ -194,12 +194,12 @@ resource "kubernetes_deployment" "monitor" {
         }
 
         container {
-          image = "docker.whatsapp.biz/prometheus:${var.api-version}"
+          image = "us-docker.pkg.dev/wa-bapi-test-gcp-rvsns/whatsapp-enterprise/prometheus:${var.api-version}"
           name  = "prometheus"
-
-          security_context {
-            run_as_user = 0
-          }
+#
+#          security_context {
+#            run_as_user = 0
+#          }
 
           volume_mount {
             name       = local.prom-vol
@@ -231,7 +231,7 @@ resource "kubernetes_deployment" "monitor" {
 
 
         container {
-          image = "docker.whatsapp.biz/grafana:${var.api-version}"
+          image = "us-docker.pkg.dev/wa-bapi-test-gcp-rvsns/whatsapp-enterprise/grafana:${var.api-version}"
           name  = "grafana"
 
           volume_mount {

diff --git a/src/gcp/k8s-waent.tf b/src/gcp/k8s-waent.tf
@@ -40,7 +40,7 @@ locals {
 
 
 locals {
-  number_of_masterapp = 2
+  number_of_masterapp = 0
   mysql_credential_mount_path = "/var/mysql/credential"
   mysql_init_vol              = "mysql-init-vol"
   mysql_init_mount_path       = "/var/mysql/init"
@@ -57,7 +57,7 @@ locals {
   config_map_ref_name         = "config-env"
   config_map_ref_name_master  = "config-master"
   secret_map_ref_name         = "secret-env"
-  init_cmd                    = "export WA_DB_SSL_CA= && cd /opt/whatsapp/bin && ./launch_within_docker.sh"                                                     #DB in VM
+  init_cmd                    = "export WA_DB_SSL_CA= && export WA_WEB_JWT_CRYPTO_KEY='V2hhdDVBcHBFbnRlcnByaTUzQzFpZW50SE1BQ1NlY3IzdAo=' && cd /opt/whatsapp/bin && ./launch_within_docker.sh"                                                     #DB in VM
   init_cmd_coreapp            = "export WA_DB_SSL_CA= && cd /opt/whatsapp/bin && IP=$(hostname -I) && export COREAPP_HOSTNAME=$IP && ./launch_within_docker.sh" #DB in VM
 }
 
@@ -76,7 +76,8 @@ resource "kubernetes_deployment" "webapp" {
     }
   }
   spec {
-    replicas = var.map_web_server_count[var.throughput]
+    replicas = 1
+#    var.map_web_server_count[var.throughput]
     selector {
       match_labels = {
         type = "webapp"
@@ -116,8 +117,14 @@ resource "kubernetes_deployment" "webapp" {
           }
         }
 
+        security_context {
+          run_as_group    = var.group_id
+          run_as_non_root = var.run_as_non_root
+          run_as_user     = var.user_id
+          fs_group        = var.group_id
+        }
+
         container {
-          image = "docker.whatsapp.biz/web:${var.api-version}"
           name  = "webapp"
 
           command = ["/bin/sh", "-c"]
@@ -197,7 +204,8 @@ resource "kubernetes_deployment" "coreapp" {
   }
 
   spec {
-    replicas = var.map_shards_count[var.throughput] + 1 // one more for disconnected HA coreapp
+    replicas = 1
+#    var.map_shards_count[var.throughput] + 1 // one more for disconnected HA coreapp
     selector {
       match_labels = {
         type = "coreapp"
@@ -237,6 +245,13 @@ resource "kubernetes_deployment" "coreapp" {
           }
         }
 
+        security_context {
+          run_as_group    = var.group_id
+          run_as_non_root = var.run_as_non_root
+          run_as_user     = var.user_id
+          fs_group        = var.group_id
+        }
+
         volume {
           name = local.media_vol
           persistent_volume_claim {
@@ -249,7 +264,6 @@ resource "kubernetes_deployment" "coreapp" {
         }
 
         container {
-          image = "docker.whatsapp.biz/coreapp:${var.api-version}"
           name  = "coreapp"
 
           command = ["/bin/sh", "-c"]
@@ -368,8 +382,14 @@ resource "kubernetes_deployment" "masterapp" {
           }
         }
 
+        security_context {
+          run_as_group    = var.group_id
+          run_as_non_root = var.run_as_non_root
+          run_as_user     = var.user_id
+          fs_group        = var.group_id
+        }
+
         container {
-          image = "docker.whatsapp.biz/coreapp:${var.api-version}"
           name  = "masterapp"
 
           command = ["/bin/sh", "-c"]

diff --git a/src/gcp/variables.tf b/src/gcp/variables.tf
@@ -9,7 +9,7 @@
 
 # General Configuration
 variable "name-prefix" {
-  default = ""
+  default = "melunonroot"
 }
 
 # Filling out before you start
@@ -61,12 +61,12 @@ variable "message_type" {
 
 # WhatsApp Business API Configuration
 variable "api-version" {
-   default = "v2.45.2"
+   default = "v2.47.8"
 }
 
 # Database Configuration
 variable "dbusername" {
-  default = "dbadmin"
+  default = "root"
 }
 
 variable "dbpassword" {
@@ -76,7 +76,7 @@ variable "dbpassword" {
     condition     = length(var.dbpassword) > 0
     error_message = "Database admin user password cannot be empty. Should NOT contain any of these characters: ?{}&~!()^="
   }
-  default = ""
+  default = "root1234"
 }
 
 variable "DBCertURL" {
@@ -96,7 +96,7 @@ variable "mon-web-username" {
 
 #Login in password
 variable "mon-web-password" {
-  default = ""
+  default = "New$3cret"
   description = "Set the Grafana dashboard login password"
   validation {
     condition     = length(var.mon-web-password) > 0
@@ -132,5 +132,30 @@ variable "wabiz-web-password" {
     condition     = length(var.wabiz-web-password) >= 8 && length(var.wabiz-web-password) <= 64
     error_message = "Password needs to be 8-64 characters long with at least 1 digit, 1 uppercase letter, 1 lowercase letter and 1 special character"
   }
-  default = ""
+  default = "New$3cret"
+}
+
+variable "user_id" {
+  description = "The user ID for security context"
+  default = 9009
+}
+
+variable "group_id" {
+  description = "The group ID for security context"
+  default = 9009
+}
+
+variable "supp_group_min" {
+  description = "The minimum value for supplemental groups range"
+  default = 1
+}
+
+variable "supp_group_max" {
+  description = "The maximum value for supplemental groups range"
+  default = 9090
+}
+
+variable "run_as_non_root" {
+  description = "Specifies if we are running the application as non-root or not"
+  default = true
 }