[Bug] Security context for grafana containers (use fsgroup instead in PVC example) #1768

Open
fabio-s-franco opened this issue Nov 20, 2024 · 0 comments
Labels: bug (Something isn't working), needs triage (Indicates an issue or PR lacks a `triage/foo` label and requires one.)

Comments

Describe the bug
The example to create a Grafana deployment with PVC does not follow security best practices. It requires a writable root file system and privilege escalation, which is in fact how, by default, the operator sets the security context for the container if none is specified.
That causes the volume mount grafana-data to be read-only.

Issue #1439 identified this problem; however, it may have been misinterpreted and was closed as not planned.

I believe that was a mistake and in fact, if this was documented, it would have saved me a ton of time to find a solution that did not require a compromise on security and that was clean (without requiring running chown on an init-container, for example).

Version
v5.9.0

To Reproduce
Deploy the example grafana with PVC, but remove the lines:

securityContext:
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false

The output from the container will be:

GF_PATHS_DATA='/var/lib/grafana' is not writable.
You may have issues with file permissions, more information here: http://docs.grafana.org/installation/docker/#migrate-to-v51-or-later
mkdir: can't create directory '/var/lib/grafana/plugins': Permission denied

Expected behavior
The expected behavior is that there are no permission issues in the file system.

Suspect component/Location where the bug might be occurring
Grafana CRD

Runtime (please complete the following information):

  • OS: Linux
  • Grafana Operator Version: v5.9.0
  • Environment: AKS v1.28.13
  • Deployment type: Helm

Additional context

Deploying the Grafana with these security settings instead resolves the issue. I'd suggest replacing the current example with something like this, or providing an additional example that includes this:

securityContext:
  fsGroup: 1001
containers:
  - name: grafana
    image: "grafana/grafana:9.4.3"
    securityContext:
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
@fabio-s-franco fabio-s-franco added bug Something isn't working needs triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 20, 2024
@fabio-s-franco fabio-s-franco changed the title [Bug] [Bug] Security context for grafana containers (use fsgroup instead in PVC example) Nov 20, 2024
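As an added illustration (not code from this issue or from the grafana-operator project), a small Python audit that checks a pod template for the settings suggested above: an fsGroup on the pod whenever a PVC is mounted, allowPrivilegeEscalation set to false, runAsNonRoot, and all capabilities dropped. The two templates are constructed from the fragments in this issue; nothing is read from a cluster.

```python
# Added example (not from the issue or the grafana-operator project): audit a
# pod template for the securityContext pattern the issue recommends.
from typing import Any

# Constructed inputs modelled on the two fragments in the issue.
INSECURE_TEMPLATE: dict[str, Any] = {
    "volumes": [{"name": "grafana-data", "persistentVolumeClaim": {"claimName": "grafana-pvc"}}],
    "containers": [{
        "name": "grafana", "image": "grafana/grafana:9.4.3",
        "securityContext": {"allowPrivilegeEscalation": True, "readOnlyRootFilesystem": False},
        "volumeMounts": [{"name": "grafana-data", "mountPath": "/var/lib/grafana"}],
    }],
}
HARDENED_TEMPLATE: dict[str, Any] = {
    "securityContext": {"fsGroup": 1001},
    "volumes": INSECURE_TEMPLATE["volumes"],
    "containers": [{
        "name": "grafana", "image": "grafana/grafana:9.4.3",
        "securityContext": {"runAsUser": 1001, "runAsGroup": 1001, "runAsNonRoot": True,
                            "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
        "volumeMounts": [{"name": "grafana-data", "mountPath": "/var/lib/grafana"}],
    }],
}


def audit_pod_template(tmpl: dict[str, Any]) -> list[str]:
    """Return findings for a pod template spec; an empty list means it passes."""
    findings: list[str] = []
    pod_sc = tmpl.get("securityContext", {})
    pvc_volumes = {v["name"] for v in tmpl.get("volumes", []) if "persistentVolumeClaim" in v}
    for c in tmpl.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        # A PVC mounted into a non-root container needs fsGroup: the kubelet then
        # chowns the volume to that group and makes it group-writable.
        if any(m["name"] in pvc_volumes for m in c.get("volumeMounts", [])) and "fsGroup" not in pod_sc:
            findings.append(f"{name}: mounts a PVC but the pod securityContext sets no fsGroup")
        # Privilege escalation stays allowed unless explicitly set to false.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot is not true at pod or container level")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
    return findings


if __name__ == "__main__":
    for label, tmpl in (("insecure", INSECURE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, audit_pod_template(tmpl) or "OK")
```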