From 7d3b8b32a1d27824031f3b4e76b18d66117ecd68 Mon Sep 17 00:00:00 2001 From: Damien Duportal Date: Fri, 8 Sep 2023 13:46:24 +0200 Subject: [PATCH 1/2] fix(rsyncd) allow running as non root by specifying an internal port > 1024 Signed-off-by: Damien Duportal --- .../templates/configmap.rsyncd-conf.yaml | 2 + charts/rsyncd/templates/deployment.yaml | 6 +- charts/rsyncd/templates/service.yaml | 2 +- charts/rsyncd/tests/custom_values_test.yaml | 135 ++++++++---------- charts/rsyncd/tests/defaults_test.yaml | 13 +- charts/rsyncd/values.yaml | 5 + 6 files changed, 83 insertions(+), 80 deletions(-) diff --git a/charts/rsyncd/templates/configmap.rsyncd-conf.yaml b/charts/rsyncd/templates/configmap.rsyncd-conf.yaml index 4545fb934..20be42e31 100644 --- a/charts/rsyncd/templates/configmap.rsyncd-conf.yaml +++ b/charts/rsyncd/templates/configmap.rsyncd-conf.yaml @@ -15,6 +15,8 @@ data: write only = false motd file = {{ .Values.configuration.motd.path }} + + port = {{ .Values.port }} jenkins.motd: |- {{ .Values.configuration.motd.content | nindent 4 }} {{- range .Values.configuration.components }} diff --git a/charts/rsyncd/templates/deployment.yaml b/charts/rsyncd/templates/deployment.yaml index 52e2a670a..223ee7357 100644 --- a/charts/rsyncd/templates/deployment.yaml +++ b/charts/rsyncd/templates/deployment.yaml @@ -37,14 +37,14 @@ spec: {{- end }} ports: - name: rsyncd - containerPort: 873 + containerPort: {{ .Values.port }} protocol: TCP livenessProbe: tcpSocket: - port: 873 + port: {{ .Values.port }} readinessProbe: tcpSocket: - port: 873 + port: {{ .Values.port }} {{- with .Values.resources }} resources: {{- toYaml . | nindent 12 }} diff --git a/charts/rsyncd/templates/service.yaml b/charts/rsyncd/templates/service.yaml index ae774905e..c369da018 100644 --- a/charts/rsyncd/templates/service.yaml +++ b/charts/rsyncd/templates/service.yaml @@ -17,7 +17,7 @@ spec: {{- end }} ports: - port: {{ .Values.service.port }} - targetPort: 873 + targetPort: {{ .Values.port }} protocol: TCP name: rsyncd selector: diff --git a/charts/rsyncd/tests/custom_values_test.yaml b/charts/rsyncd/tests/custom_values_test.yaml index 8a83e4b27..9ea07cb07 100644 --- a/charts/rsyncd/tests/custom_values_test.yaml +++ b/charts/rsyncd/tests/custom_values_test.yaml @@ -1,47 +1,59 @@ suite: Tests with custom values +# Custom values used to test all suites from this file +set: + image: + pullPolicy: Always + podSecurityContext: + fsGroup: 2000 + containerSecurityContext: + runAsNonRoot: true + nodeSelector: + os: windows-2022 + affinity: + podAntiAffinity: + foo: bar + tolerations: + - key: "kubernetes.io/arch" + operator: "Equal" + value: "arm64" + effect: "NoSchedule" + resources: + limits: + cpu: 500m + requests: + memory: 1024Mi + port: 9999 + service: + port: 2873 + type: LoadBalancer + LoadBalancerIP: 1.2.3.4 + whitelisted_sources: + - 52.167.253.43/32 + - 52.202.51.185/32 + configuration: + motd: + path: /tmp/motd + content: |- + ========== + FOO BAR + SUPER MOTD + ========== + components: + - name: jenkins + path: /rsyncd/data/jenkins + comment: "Jenkins Read-Only Mirror" + volume: + persistentVolumeClaim: + claimName: super-pvc + - name: hudson + path: /tmp/hudson + comment: "Hudson Read-Only Mirror" + volume: + persistentVolumeClaim: + claimName: another-vol tests: - it: should define a customized "rsyncd" deployment template: deployment.yaml - set: - image: - pullPolicy: Always - podSecurityContext: - fsGroup: 2000 - containerSecurityContext: - runAsNonRoot: true - nodeSelector: - os: windows-2022 - affinity: - podAntiAffinity: - foo: bar - tolerations: - - key: "kubernetes.io/arch" - operator: "Equal" - value: "arm64" - effect: "NoSchedule" - resources: - limits: - cpu: 500m - requests: - memory: 1024Mi - service: - port: 2873 - configuration: - motd: - path: /tmp/motd - components: - - name: jenkins - path: /rsyncd/data/jenkins - comment: "Jenkins Read-Only Mirror" - volume: - persistentVolumeClaim: - claimName: super-pvc - - name: hudson - path: /tmp/hudson - comment: "Hudson Read-Only Mirror" - volume: - persistentVolumeClaim: - claimName: another-vol asserts: - hasDocuments: count: 1 @@ -77,10 +89,10 @@ tests: - equal: path: spec.template.spec.tolerations[0].effect value: "NoSchedule" - # Exposed port is always 873 + # Custom exposed port - equal: path: spec.template.spec.containers[0].ports[0].containerPort - value: 873 + value: 9999 # Custom container resources - equal: path: spec.template.spec.containers[0].resources.limits.cpu @@ -175,28 +187,6 @@ tests: value: true - it: should create a custom rsyncd-conf config map template: configmap.rsyncd-conf.yaml - set: - configuration: - motd: - path: /tmp/motd - content: |- - ========== - FOO BAR - SUPER MOTD - ========== - components: - - name: jenkins - path: /rsyncd/data/jenkins - comment: "Jenkins Read-Only Mirror" - volume: - persistentVolumeClaim: - claimName: super-pvc - - name: hudson - path: /tmp/hudson - comment: "Hudson Read-Only Mirror" - volume: - persistentVolumeClaim: - claimName: another-vol asserts: - hasDocuments: count: 1 @@ -223,16 +213,11 @@ tests: - matchRegex: path: data["jenkins.motd"] pattern: SUPER MOTD + - matchRegex: + path: data["rsyncd.inc"] + pattern: port = 9999 - it: should create the default service template: service.yaml - set: - service: - port: 2873 - type: LoadBalancer - LoadBalancerIP: 1.2.3.4 - whitelisted_sources: - - 52.167.253.43/32 - - 52.202.51.185/32 asserts: - hasDocuments: count: 1 @@ -251,10 +236,14 @@ tests: - equal: path: spec.loadBalancerSourceRanges[1] value: 52.202.51.185/32 - # Custom port + # Custom published port - equal: path: spec.ports[0].port value: 2873 + # Default exposed (pod) port is 1873 by default + - equal: + path: spec.ports[0].targetPort + value: 9999 # Check the expected label selectors to allow Service to catch the pods - equal: path: spec.selector["app.kubernetes.io/name"] diff --git a/charts/rsyncd/tests/defaults_test.yaml b/charts/rsyncd/tests/defaults_test.yaml index 4c9d70322..dcbda9c78 100644 --- a/charts/rsyncd/tests/defaults_test.yaml +++ b/charts/rsyncd/tests/defaults_test.yaml @@ -35,10 +35,10 @@ tests: # No tolerations by default - notExists: path: spec.template.spec.tolerations - # Default exposed port is 873 + # Default exposed port is 1873 - equal: path: spec.template.spec.containers[0].ports[0].containerPort - value: 873 + value: 1873 # No container resources by default - notExists: path: spec.template.spec.containers[0].resources @@ -90,6 +90,9 @@ tests: - matchRegex: path: data["rsyncd.inc"] pattern: motd file = /etc/rsyncd/jenkins.motd + - matchRegex: + path: data["rsyncd.inc"] + pattern: port = 1873 - notExists: path: data["jenkins.conf"] - matchRegex: @@ -113,10 +116,14 @@ tests: path: spec.loadBalancerIP - notExists: path: spec.loadBalancerSourceRanges - # Default port is 873 + # Default published port is 873 by default - equal: path: spec.ports[0].port value: 873 + # Default exposed (pod) port is 1873 by default + - equal: + path: spec.ports[0].targetPort + value: 1873 # Check the expected label selectors to allow Service to catch the pods - equal: path: spec.selector["app.kubernetes.io/name"] diff --git a/charts/rsyncd/values.yaml b/charts/rsyncd/values.yaml index 7869ae89a..ecc0e9683 100644 --- a/charts/rsyncd/values.yaml +++ b/charts/rsyncd/values.yaml @@ -17,8 +17,13 @@ containerSecurityContext: {} # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 1000 + +# (privately exposed) port of the pod. Should be > 1024 as the container should run as non root +port: 1873 + service: type: ClusterIP + # Port published by the "Service". Maps to the pod (privately exposed) port port: 873 # LoadBalancerIP: 1.2.3.4 whitelisted_sources: [] From ceae8138567be2c665582cf3294fdbca47101bb4 Mon Sep 17 00:00:00 2001 From: Damien Duportal Date: Fri, 8 Sep 2023 13:55:39 +0200 Subject: [PATCH 2/2] bump rsyncd chart version to 1.1.1 Signed-off-by: Damien Duportal --- charts/rsyncd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rsyncd/Chart.yaml b/charts/rsyncd/Chart.yaml index a234adc36..6cd652bf7 100644 --- a/charts/rsyncd/Chart.yaml +++ b/charts/rsyncd/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v1 description: rsyncd helm chart for Kubernetes name: rsyncd -version: 1.1.0 +version: 1.1.1