From 0b7a9130ef94ad6478d6199ec277148a6ba23494 Mon Sep 17 00:00:00 2001 From: Meluleki Dube Date: Wed, 7 Jun 2023 21:23:35 +0100 Subject: [PATCH] Ensure templates ready for running containers as non-root --- src/azure/k8s-deployment.tf | 17 +++++++ src/common_security_settings/output.tf | 0 src/common_security_settings/variables.tf | 0 src/gcp/common_security.tf | 62 +++++++++++++++++++++++ src/gcp/k8s-config.tf | 2 +- src/gcp/k8s-monitor.tf | 12 ++--- src/gcp/k8s-waent.tf | 34 ++++++++++--- src/gcp/variables.tf | 37 +++++++++++--- 8 files changed, 144 insertions(+), 20 deletions(-) create mode 100644 src/common_security_settings/output.tf create mode 100644 src/common_security_settings/variables.tf create mode 100644 src/gcp/common_security.tf diff --git a/src/azure/k8s-deployment.tf b/src/azure/k8s-deployment.tf index d3cb728..cf1c162 100644 --- a/src/azure/k8s-deployment.tf +++ b/src/azure/k8s-deployment.tf @@ -151,6 +151,11 @@ resource "kubernetes_deployment" "webapp" { } } + security_context { + run_as_user = 9009 + fs_group = 9009 + } + port { container_port = 443 } @@ -274,6 +279,11 @@ resource "kubernetes_deployment" "coreapp" { } } +# security_context { +# run_as_user = 9009 +# fs_group = 9009 +# } + port { container_port = 6250 } @@ -388,6 +398,13 @@ resource "kubernetes_deployment" "masterapp" { } } +# security_context { +# run_as_user = "9009" +# run_as_group = "9009" +# fs_group = "9009" +# run_as_non_root = true +# } + port { container_port = 6250 } diff --git a/src/common_security_settings/output.tf b/src/common_security_settings/output.tf new file mode 100644 index 0000000..e69de29 diff --git a/src/common_security_settings/variables.tf b/src/common_security_settings/variables.tf new file mode 100644 index 0000000..e69de29 diff --git a/src/gcp/common_security.tf b/src/gcp/common_security.tf new file mode 100644 index 0000000..21cdaaf --- /dev/null +++ b/src/gcp/common_security.tf 
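Review bot: `fs_group` is a pod-level field, and the `security_context` added in the `-151` hunk of `src/azure/k8s-deployment.tf` appears to be the container-level one (it sits beside the container's `port { container_port = 443 }` block), where the provider has no such attribute, so `fs_group = 9009` is likely to be rejected at validate time; either move the block up into the pod `spec` or keep only `run_as_user`/`run_as_group`/`run_as_non_root` here. The ids are also hard-coded while the GCP templates in the same patch read them from `var.user_id`/`var.group_id`, and `run_as_non_root = true` is missing, so an image that starts as uid 0 is still admitted. The enclosing `webapp` deployment resource starts and ends outside the hunk.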
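Review bot: The `security_context` for `coreapp` in the `-274` hunk is committed fully commented out, as is the one for `masterapp` in the `-388` hunk, so on Azure only the webapp container gets a uid and the two coreapp deployments keep running as whatever the image defaults to, which does not match the patch subject. Either enable the blocks (as pod-level `security_context` with the same values as webapp) or drop them and record why those workloads cannot yet run as non-root, e.g. `# TODO: coreapp still needs root until <reason>; see <tracking issue>`. The masterapp variant also quotes the ids as strings and adds `run_as_non_root = true` while the webapp block does neither; the three blocks should agree.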
@@ -0,0 +1,62 @@ +# +# Copyright (c) Meta Platforms, Inc. and affiliates. + +# This source code is licensed under the MIT license found in the +# LICENSE file in the root directory of this source tree. +# + +# WhatsApp Business API GCP Template Version 1.0.0 + +# General Configuration + +resource "kubernetes_pod_security_policy_v1beta1" "common_security_policy" { + metadata { + name = "common-security-policy" + } + + spec { + privileged = false + allow_privilege_escalation = false + + volumes = [ + "*" + ] + + run_as_user { + rule = "MustRunAs" + range { + min = var.user_id + max = var.user_id + } + } + + se_linux { + rule = "RunAsAny" + } + + run_as_group { + rule = "MustRunAs" + range { + min = var.group_id + max = var.group_id + } + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = var.supp_group_min + max = var.supp_group_max + } + } + + fs_group { + rule = "MustRunAs" + range { + min = var.user_id + max = var.user_id + } + } + read_only_root_filesystem = true + } +} \ No newline at end of file diff --git a/src/gcp/k8s-config.tf b/src/gcp/k8s-config.tf index 64fa9fc..67847c2 100644 --- a/src/gcp/k8s-config.tf +++ b/src/gcp/k8s-config.tf @@ -47,7 +47,7 @@ resource "kubernetes_config_map" "env" { WA_DB_ENGINE = "MYSQL" WA_CONFIG_ON_DB = "1" WA_RUNNING_ENV = "GCP" - WA_APP_MULTICONNECT = "1" + WA_APP_MULTICONNECT = "0" WA_DB_CONNECTION_IDLE_TIMEOUT = "180000" } } diff --git a/src/gcp/k8s-monitor.tf b/src/gcp/k8s-monitor.tf index 1c4bd84..c58b0d6 100644 --- a/src/gcp/k8s-monitor.tf +++ b/src/gcp/k8s-monitor.tf @@ -194,12 +194,12 @@ resource "kubernetes_deployment" "monitor" { } container { - image = "docker.whatsapp.biz/prometheus:${var.api-version}" + image = "us-docker.pkg.dev/wa-bapi-test-gcp-rvsns/whatsapp-enterprise/prometheus:${var.api-version}" name = "prometheus" - - security_context { - run_as_user = 0 - } +# +# security_context { +# run_as_user = 0 +# } volume_mount { name = local.prom-vol 
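Review bot: The `fs_group` range in `common_security_policy` is bounded by `var.user_id`, while the deployments in `k8s-waent.tf` set `fs_group = var.group_id`, so the policy only admits those pods as long as the two variables happen to share the default 9009; bound it with `min = var.group_id` / `max = var.group_id` instead. `volumes = ["*"]` also leaves hostPath mounts allowed, which undercuts the rest of the restrictions; listing only the volume types the templates actually use (persistentVolumeClaim is visible in this patch, the others need confirming) is the usual shape. Note too that `kubernetes_pod_security_policy_v1beta1` targets an API removed in Kubernetes 1.25, and nothing in this patch grants `use` on the policy through a role binding, so on a current GKE cluster the resource will fail to apply and on an older one it is not enforced until bound. The file also lacks a trailing newline.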
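Review bot: Flipping `WA_APP_MULTICONNECT` from `"1"` to `"0"` in `k8s-config.tf` changes runtime configuration unrelated to the non-root work, and the commit message does not mention it. If it is tied to the fixed single-replica sizing introduced elsewhere in this patch, say so on the line, e.g. `WA_APP_MULTICONNECT = "0" # required while replicas are pinned to 1 — confirm`; otherwise revert it so the commit stays focused.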
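Review bot: The prometheus image in `k8s-monitor.tf` is repointed at `us-docker.pkg.dev/wa-bapi-test-gcp-rvsns/whatsapp-enterprise/...`, which from its name is a test project's registry, and the same is done for grafana in the `-231` hunk; a shipped template should not hard-code a developer's project, so put the registry in a variable (e.g. `variable "image_registry" { default = "docker.whatsapp.biz" }`) and build the image reference from it. The old `run_as_user = 0` block is commented out rather than deleted, and unlike webapp/coreapp in this patch the monitor pod gets no replacement `security_context`, so whether prometheus can still write to `local.prom-vol` as the image's default user is not established here. The enclosing `monitor` deployment starts and ends outside the hunk.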
@@ -231,7 +231,7 @@ resource "kubernetes_deployment" "monitor" { container { - image = "docker.whatsapp.biz/grafana:${var.api-version}" + image = "us-docker.pkg.dev/wa-bapi-test-gcp-rvsns/whatsapp-enterprise/grafana:${var.api-version}" name = "grafana" volume_mount { diff --git a/src/gcp/k8s-waent.tf b/src/gcp/k8s-waent.tf index 5100d6f..128d2b4 100644 --- a/src/gcp/k8s-waent.tf +++ b/src/gcp/k8s-waent.tf @@ -40,7 +40,7 @@ locals { locals { - number_of_masterapp = 2 + number_of_masterapp = 0 mysql_credential_mount_path = "/var/mysql/credential" mysql_init_vol = "mysql-init-vol" mysql_init_mount_path = "/var/mysql/init" @@ -57,7 +57,7 @@ locals { config_map_ref_name = "config-env" config_map_ref_name_master = "config-master" secret_map_ref_name = "secret-env" - init_cmd = "export WA_DB_SSL_CA= && cd /opt/whatsapp/bin && ./launch_within_docker.sh" #DB in VM + init_cmd = "export WA_DB_SSL_CA= && export WA_WEB_JWT_CRYPTO_KEY='V2hhdDVBcHBFbnRlcnByaTUzQzFpZW50SE1BQ1NlY3IzdAo=' && cd /opt/whatsapp/bin && ./launch_within_docker.sh" #DB in VM init_cmd_coreapp = "export WA_DB_SSL_CA= && cd /opt/whatsapp/bin && IP=$(hostname -I) && export COREAPP_HOSTNAME=$IP && ./launch_within_docker.sh" #DB in VM } @@ -76,7 +76,8 @@ resource "kubernetes_deployment" "webapp" { } } spec { - replicas = var.map_web_server_count[var.throughput] + replicas = 1 +# var.map_web_server_count[var.throughput] selector { match_labels = { type = "webapp" @@ -116,8 +117,14 @@ resource "kubernetes_deployment" "webapp" { } } + security_context { + run_as_group = var.group_id + run_as_non_root = var.run_as_non_root + run_as_user = var.user_id + fs_group = var.group_id + } + container { - image = "docker.whatsapp.biz/web:${var.api-version}" name = "webapp" command = ["/bin/sh", "-c"] 
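Review bot: `number_of_masterapp = 0` in the `-40` hunk of `k8s-waent.tf`, together with the `replicas = 1` assignments in the `-76` and `-197` hunks, replaces the throughput-driven sizing with fixed values and leaves the original expressions behind as `#` comments, which reads as local test state rather than a template change. If the template is meant to ship like this, delete the commented expressions and explain the fixed sizing in a comment; if not, restore `replicas = var.map_web_server_count[var.throughput]` and `replicas = var.map_shards_count[var.throughput] + 1` and the original `number_of_masterapp` before merging. The `locals` block in the `-40` hunk continues outside the hunk.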
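Review bot: `init_cmd` in the `-57` hunk now embeds a literal `WA_WEB_JWT_CRYPTO_KEY` value in the module source, so the key is committed to version control, shared by every deployment rendered from the template, and shown in plaintext in the Deployment manifest and `terraform plan` output. Read it from a `variable` with `sensitive = true` and no default, or from the existing `secret_map_ref_name` secret via `env_from`, and treat the value now in the history as compromised and rotate it. The `locals` block continues outside the hunk.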
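Review bot: The `image` line of the `webapp` container is removed in the `-116` hunk and nothing in this file's hunks adds one back, and the same happens to `coreapp` (`-249`) and `masterapp` (`-368`); unless an `image` is set further down in each container block, the Kubernetes API rejects a pod template whose container has no image, so all three deployments fail to apply. If the intent was to move to the new registry as in `k8s-monitor.tf`, reinstate the line, ideally as `image = "${var.image_registry}/web:${var.api-version}"` with the registry supplied by a variable rather than hard-coded. The new pod-level `security_context` is placed correctly above `container`, unlike the container-level variant in the Azure template.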
@@ -197,7 +204,8 @@ resource "kubernetes_deployment" "coreapp" { } spec { - replicas = var.map_shards_count[var.throughput] + 1 // one more for disconnected HA coreapp + replicas = 1 +# var.map_shards_count[var.throughput] + 1 // one more for disconnected HA coreapp selector { match_labels = { type = "coreapp" @@ -237,6 +245,13 @@ resource "kubernetes_deployment" "coreapp" { } } + security_context { + run_as_group = var.group_id + run_as_non_root = var.run_as_non_root + run_as_user = var.user_id + fs_group = var.group_id + } + volume { name = local.media_vol persistent_volume_claim { @@ -249,7 +264,6 @@ resource "kubernetes_deployment" "coreapp" { } container { - image = "docker.whatsapp.biz/coreapp:${var.api-version}" name = "coreapp" command = ["/bin/sh", "-c"] @@ -368,8 +382,14 @@ resource "kubernetes_deployment" "masterapp" { } } + security_context { + run_as_group = var.group_id + run_as_non_root = var.run_as_non_root + run_as_user = var.user_id + fs_group = var.group_id + } + container { - image = "docker.whatsapp.biz/coreapp:${var.api-version}" name = "masterapp" command = ["/bin/sh", "-c"] diff --git a/src/gcp/variables.tf b/src/gcp/variables.tf index 2556a60..d1c9e89 100644 --- a/src/gcp/variables.tf +++ b/src/gcp/variables.tf @@ -9,7 +9,7 @@ # General Configuration variable "name-prefix" { - default = "" + default = "melunonroot" } # Filling out before you start @@ -61,12 +61,12 @@ variable "message_type" { # WhatsApp Business API Configuration variable "api-version" { - default = "v2.45.2" + default = "v2.47.8" } # Database Configuration variable "dbusername" { - default = "dbadmin" + default = "root" } variable "dbpassword" { @@ -76,7 +76,7 @@ variable "dbpassword" { condition = length(var.dbpassword) > 0 error_message = "Database admin user password cannot be empty. Should NOT contain any of these characters: ?{}&~!()^=" } - default = "" + default = "root1234" } variable "DBCertURL" { 
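Review bot: `name-prefix` in the `-9` hunk of `variables.tf` now defaults to `"melunonroot"`, which looks like a personal test prefix, and the following hunks do the same with credentials: `dbusername` becomes `root` and `dbpassword` `root1234` (`-61`, `-76`), and `mon-web-password` and `wabiz-web-password` both become `New$3cret` (`-96`, `-132`). Defaults like these turn the template into a deployment with known credentials for anyone who applies it unchanged, and the `validation` blocks that rejected empty passwords no longer force the operator to choose one. Restore `default = ""` on all of them (and `dbadmin` for `dbusername`), keep the test values in an untracked `terraform.tfvars`, and mark the password variables `sensitive = true` so they are redacted from plan output.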
@@ -96,7 +96,7 @@ variable "mon-web-username" { #Login in password variable "mon-web-password" { - default = "" + default = "New$3cret" description = "Set the Grafana dashboard login password" validation { condition = length(var.mon-web-password) > 0 @@ -132,5 +132,30 @@ variable "wabiz-web-password" { condition = length(var.wabiz-web-password) >= 8 && length(var.wabiz-web-password) <= 64 error_message = "Password needs to be 8-64 characters long with at least 1 digit, 1 uppercase letter, 1 lowercase letter and 1 special character" } - default = "" + default = "New$3cret" +} + +variable "user_id" { + description = "The user ID for security context" + default = 9009 +} + +variable "group_id" { + description = "The group ID for security context" + default = 9009 +} + +variable "supp_group_min" { + description = "The minimum value for supplemental groups range" + default = 1 +} + +variable "supp_group_max" { + description = "The maximum value for supplemental groups range" + default = 9090 +} + +variable "run_as_non_root" { + description = "Specifies if we are running the application as non-root or not" + default = true }
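Review bot: The new `user_id`, `group_id`, `supp_group_min`, `supp_group_max` and `run_as_non_root` variables have no `type` constraint, so a string such as `"9009"` or `"yes"` is accepted and only fails when the provider tries to use it; add `type = number` to the four ids and `type = bool` to `run_as_non_root`. `supp_group_max = 9090` next to a `group_id` of 9009 also looks like it may be a transposition — confirm the intended upper bound. Since the policy in `common_security.tf` derives its `MustRunAs` ranges directly from these values, a `validation` that `user_id != 0` (and `supp_group_min <= supp_group_max`) would stop the template from being configured back to root by a single tfvars entry.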