Spring Cloud Data Flow - Unable to set securityContext/allowPrivilegeEscalation while deploying a stream

152 views Asked by At

Creating a simple TEST Stream in Spring Cloud Data Flow (2.9.4)

> stream create --name "words" --definition "http --server.port=9001 | splitter --expression=payload.split(' ') | log"

> stream deploy --name "words" --propertiesFile words-stream.properties
> cat words-stream.properties
app.http.server.port=9001
app.splitter.expression=payload.split(' ')
app.splitter.producer.partitionKeyExpression=payload
deployer.log.count=3

deployer.http.kubernetes.deployment-labels=applicationid:123456
deployer.log.kubernetes.deployment-labels=applicationid:123456
deployer.splitter.kubernetes.deployment-labels=applicationid:123456

deployer.http.kubernetes.podSecurityContext={allowPrivilegeEscalation: false}
deployer.log.kubernetes.podSecurityContext={allowPrivilegeEscalation: false}
deployer.splitter.kubernetes.podSecurityContext={allowPrivilegeEscalation: false}

Get the following error on deploy

org.springframework.cloud.skipper.SkipperException: Could not install AppDeployRequest [[AppDeploymentRequest@2e8d33f commandlineArguments = list[[empty]], deploymentProperties = map['spring.cloud.deployer.appName' -> 'log', 'spring.cloud.deployer.count' -> '3', 'spring.cloud.deployer.group' -> 'words', 'spring.cloud.deployer.indexed' -> 'true', 'spring.cloud.deployer.kubernetes.deployment-labels' -> 'applicationid:123456', 'spring.cloud.deployer.kubernetes.podSecurityContext' -> '{allowPrivilegeEscalation: false}'], definition = [AppDefinition@62fe74f5 name = 'log-v5', properties = map['management.metrics.tags.application.type' -> '${spring.cloud.dataflow.stream.app.type:unknown}', 'spring.cloud.dataflow.stream.app.label' -> 'log', 'management.metrics.tags.stream.name' -> '${spring.cloud.dataflow.stream.name:unknown}', 'management.metrics.tags.application' -> '${spring.cloud.dataflow.stream.name:unknown}-${spring.cloud.dataflow.stream.app.label:unknown}-${spring.cloud.dataflow.stream.app.type:unknown}', 'spring.cloud.dataflow.stream.name' -> 'words', 'management.metrics.tags.instance.index' -> '${vcap.application.instance_index:${spring.cloud.stream.instanceIndex:0}}', 'spring.cloud.stream.bindings.input.consumer.partitioned' -> 'true', 'wavefront.application.service' -> '${spring.cloud.dataflow.stream.app.label:unknown}-${spring.cloud.dataflow.stream.app.type:unknown}-${vcap.application.instance_index:${spring.cloud.stream.instanceIndex:0}}', 'spring.cloud.stream.instanceCount' -> '3', 'spring.cloud.stream.bindings.input.group' -> 'words', 'management.metrics.tags.application.guid' -> '${spring.cloud.application.guid:unknown}', 'management.metrics.tags.application.name' -> '${vcap.application.application_name:${spring.cloud.dataflow.stream.app.label:unknown}}', 'spring.cloud.dataflow.stream.app.type' -> 'sink', 'spring.cloud.stream.bindings.input.destination' -> 'words.splitter', 'wavefront.application.name' -> '${spring.cloud.dataflow.stream.name:unknown}']], resource = Docker Resource [docker:xxx.yyy.com/springcloudstream/log-sink-kafka:3.2.0]]]  to platform [default].  Error Message = [Invalid binding property '{allowPrivilegeEscalation: false}']
        at org.springframework.cloud.skipper.server.deployer.DefaultReleaseManager.install(DefaultReleaseManager.java:152) ~[spring-cloud-skipper-server-core-2.8.4.jar:2.8.4]
        at org.springframework.cloud.skipper.server.service.ReleaseService.install(ReleaseService.java:198) ~[spring-cloud-skipper-server-core-2.8.4.jar:2.8.4]
        at org.springframework.cloud.skipper.server.service.ReleaseService.install(ReleaseService.java:184) ~[spring-cloud-skipper-server-core-2.8.4.jar:2.8.4]
        at org.springframework.cloud.skipper.server.service.ReleaseService.install(ReleaseService.java:145) ~[spring-cloud-skipper-server-core-2.8.4.jar:2.8.4]
        at org.springframework.cloud.skipper.server.service.ReleaseService$$FastClassBySpringCGLIB$$f1c5f0a2.invoke(<generated>) ~[spring-cloud-skipper-server-core-2.8.4.jar:2.8.4]

Unable to create/deploy new stream/task pods that will use securityContext/allowPrivilegedEscalation as false.

Looking forward some guidelines on getting this securityContext created for the deployed objects.

Update 11/21/2022:

spring cloud data flow team - I was wondering if some one could look into the question and advice.

The reason I need the container Security Context is our company has made securityContext/allowPrivilegeEscalation should be set to false on all containers in a pod.

Need a way to pass and set this property to be compliant

Error Message: [psp-allow-privilege-escalation-container] OPA-GATEKEEPER CONSTRAINT: Container index-provider is attempting to run without a required securityContext/allowPrivilegeEscalation, Allowed = false.]

Please note I have tried with

deployer.http.kubernetes.containerSecurityContext={allowPrivilegeEscalation: false}

the deployment does recognize this property at all.

Update: 11/29/2022

Please note I removed the Policy agent and checked the deployment yaml of the pod. The "log" component of the stream has the issue on the initContainer. The "log" component of the stream there is an initContainers where busybox is started and few entries are added to /config/application.properties. The policy checks the securityContext/allowPrivilegeEscalation in the initContainers also.

Please can you confirm if this is a bug or is there way to overcome with configuration also.

1

There are 1 answers

0
onobc On

The container security context is only currently applied to the main container. It will be added to the init container to address spring-cloud-deployer-kubernetes/issues/512.