Update user to execute commands in cinder related pods

The cinder-volume container needs to be able to run qemu-img commands. The current user used to execute those commands (keystone) does not have the permissions to do that. We are updating the runAsUser parameter to execute all cinder related containers as cinder user. Doing that the user of the container will have the correct permissions to perform its operations. Depends-on: https://review.opendev.org/c/starlingx/upstream/+/880772 Test plan: PASS - Build openstack-helm package PASS - Build stx-openstack-helm-fluxcd package PASS - Build stx-openstack helm charts PASS - Update/apply stx-openstack PASS - kubectl exec in the cinder-volume pod and check that the default user is now 'cinder' instead of 'keystone' PASS - Remove/delete stx-openstack Closes-Bug: 2012392 Signed-off-by: Rafael Falcao <rafael.vieirafalcao@windriver.com> Change-Id: Id4584bc11e73a8a667258e7fb7a8e6ba66c7b7e8
2023-04-17 16:42:05 -03:00 · 2023-04-17 16:42:05 -03:00 · c66f115730
commit c66f115730
parent c52231965c
3 changed files with 193 additions and 0 deletions
--- a/openstack-helm/debian/deb_folder/patches/0021-Update-user-in-cinder-related-pods.patch
+++ b/openstack-helm/debian/deb_folder/patches/0021-Update-user-in-cinder-related-pods.patch
@ -0,0 +1,96 @@
+From f749443bfafc92ac52ac0fe7462699707e2f1e55 Mon Sep 17 00:00:00 2001
+From: Rafael Falcao <rafael.vieirafalcao@windriver.com>
+Date: Tue, 18 Apr 2023 15:28:09 -0300
+Subject: [PATCH] Update user to execute commands in cinder related pods
+
+The cinder-volume container needs to be able to run qemu-img
+commands. The current user used to execute those commands
+(keystone) does not have the permissions to do that.
+We are updating the runAsUser parameter to execute all
+cinder related containers as cinder user. Doing that the
+user of the container will have the correct permissions
+to perform its operations.
+
+Signed-off-by: Rafael Falcao <rafael.vieirafalcao@windriver.com>
+Change-Id: I9bffd45208ab2992e380b2226c8e99639bc3f514
+---
+ cinder/values.yaml | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/cinder/values.yaml b/cinder/values.yaml
+index 249b4937..a3873676 100644
+--- a/cinder/values.yaml
+++ b/cinder/values.yaml
+@@ -79,14 +79,14 @@ pod:
+   security_context:
+     volume_usage_audit:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         cinder_volume_usage_audit:
+           readOnlyRootFilesystem: true
+           allowPrivilegeEscalation: false
+     cinder_api:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         ceph_coordination_volume_perms:
+           runAsUser: 0
+@@ -96,7 +96,7 @@ pod:
+           allowPrivilegeEscalation: false
+     cinder_backup:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         ceph_backup_keyring_placement:
+           runAsUser: 0
+@@ -118,7 +118,7 @@ pod:
+           runAsUser: 0
+     cinder_scheduler:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         ceph_coordination_volume_perms:
+           runAsUser: 0
+@@ -128,7 +128,7 @@ pod:
+           allowPrivilegeEscalation: false
+     cinder_volume:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         ceph_keyring_placement:
+           runAsUser: 0
+@@ -143,7 +143,7 @@ pod:
+           readOnlyRootFilesystem: true
+     storage_init:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         ceph_keyring_placement:
+           runAsUser: 0
+@@ -153,14 +153,14 @@ pod:
+           allowPrivilegeEscalation: false
+     clean:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         cinder_volume_rbd_secret_clean:
+           readOnlyRootFilesystem: true
+           allowPrivilegeEscalation: false
+     create_internal_tenant:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         create_internal_tenant:
+           readOnlyRootFilesystem: true
+-- 
+2.25.1
+
--- a/openstack-helm/debian/deb_folder/patches/series
+++ b/openstack-helm/debian/deb_folder/patches/series
@ -17,3 +17,4 @@
 0018-Fixing-placement-helm-release-hooks.patch
 0019-Fixing-nova-helm-release-hooks-and-weights.patch
 0020-Fixing-keystone-helm-release-hooks-and-weights.patch
+0021-Update-user-in-cinder-related-pods.patch
--- a/openstack-helm/files/0021-Update-user-in-cinder-related-pods.patch
+++ b/openstack-helm/files/0021-Update-user-in-cinder-related-pods.patch
@ -0,0 +1,96 @@
+From f749443bfafc92ac52ac0fe7462699707e2f1e55 Mon Sep 17 00:00:00 2001
+From: Rafael Falcao <rafael.vieirafalcao@windriver.com>
+Date: Tue, 18 Apr 2023 15:28:09 -0300
+Subject: [PATCH] Update user to execute commands in cinder related pods
+
+The cinder-volume container needs to be able to run qemu-img
+commands. The current user used to execute those commands
+(keystone) does not have the permissions to do that.
+We are updating the runAsUser parameter to execute all
+cinder related containers as cinder user. Doing that the
+user of the container will have the correct permissions
+to perform its operations.
+
+Signed-off-by: Rafael Falcao <rafael.vieirafalcao@windriver.com>
+Change-Id: I9bffd45208ab2992e380b2226c8e99639bc3f514
+---
+ cinder/values.yaml | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/cinder/values.yaml b/cinder/values.yaml
+index 249b4937..a3873676 100644
+--- a/cinder/values.yaml
+++ b/cinder/values.yaml
+@@ -79,14 +79,14 @@ pod:
+   security_context:
+     volume_usage_audit:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         cinder_volume_usage_audit:
+           readOnlyRootFilesystem: true
+           allowPrivilegeEscalation: false
+     cinder_api:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         ceph_coordination_volume_perms:
+           runAsUser: 0
+@@ -96,7 +96,7 @@ pod:
+           allowPrivilegeEscalation: false
+     cinder_backup:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         ceph_backup_keyring_placement:
+           runAsUser: 0
+@@ -118,7 +118,7 @@ pod:
+           runAsUser: 0
+     cinder_scheduler:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         ceph_coordination_volume_perms:
+           runAsUser: 0
+@@ -128,7 +128,7 @@ pod:
+           allowPrivilegeEscalation: false
+     cinder_volume:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         ceph_keyring_placement:
+           runAsUser: 0
+@@ -143,7 +143,7 @@ pod:
+           readOnlyRootFilesystem: true
+     storage_init:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         ceph_keyring_placement:
+           runAsUser: 0
+@@ -153,14 +153,14 @@ pod:
+           allowPrivilegeEscalation: false
+     clean:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         cinder_volume_rbd_secret_clean:
+           readOnlyRootFilesystem: true
+           allowPrivilegeEscalation: false
+     create_internal_tenant:
+       pod:
+-        runAsUser: 42424
+        runAsUser: 42425
+       container:
+         create_internal_tenant:
+           readOnlyRootFilesystem: true
+-- 
+2.25.1
+