Security Hardening: run DataNode fully non-root#109
Open
monrax wants to merge 1 commit into
Open
Conversation
Now that the data-chown init container is gone and the entrypoint can take a non-root startup path (graylog-docker #306), lock the datanode down to the same posture as the Graylog app: - podSecurityContext: runAsUser/runAsGroup 999 + runAsNonRoot - containerSecurityContext: drop ALL capabilities (no more CHOWN, DAC_OVERRIDE, FOWNER, SETUID, SETGID) and runAsNonRoot - set GDN_RUN_AS_NONROOT=true so the entrypoint skips its root-only chown/setpriv path and relies on fsGroup for volume ownership Requires a datanode image whose entrypoint supports GDN_RUN_AS_NONROOT (graylog-datanode 7.1+); older images must still run as root. Updates the datanode unit tests and the README "Hardened Environments" section accordingly. Co-Authored-By: Claude Opus 4.8 (1M context) <[EMAIL_ADDRESS_REDACTED]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Important
Depends on Graylog2/graylog-docker#306 being merged. It adds support for optionally running the datanode container as non-root. Once merged, this requires a DataNode image whose entrypoint supports
GDN_RUN_AS_NONROOT. On older images the container must still start as root and overridedatanode.podSecurityContext/datanode.containerSecurityContextaccordingly.Do not merge until graylog-docker #306 has landed in a released image, and confirm the
7.1version reference (in the README and commit) matches the actual release.Summary
Locks the DataNode down to the same
restrictedposture as the Graylog application: fully non-root, all capabilities dropped. This builds on the security hardening merged in #100.Details
datanode.podSecurityContext``: addsrunAsUser: 999,runAsGroup: 999,runAsNonRoot: true(keepsfsGroup: 999+OnRootMismatch+seccompProfile`).datanode.containerSecurityContext: drops the entire capabilityaddlist (CHOWN,DAC_OVERRIDE,FOWNER,SETUID,SETGID) so it's nowdrop: [ALL]only, plusrunAsNonRoot: true.GDN_RUN_AS_NONROOT=true so the entrypoint skips its root-onlychown/setprivpath and relies onfsGroupfor volume ownership.PR Checklist
Please check the items that apply to your change.
Testing Checklist
Static Validation
helm lint ./charts/grayloghelm template graylog ./charts/graylog --validatehelm unittest ./charts/graylogInstallation
helm install graylog ./charts/graylogkubectl rollout status statefulset/grayloghelm test graylogFunctional (if applicable)
Upgrade (if applicable)
Specific to this PR
securityContextsecurityContext(addCHOWN,DAC_OVERRIDE,FOWNER,SETUID,SETGIDcapabilities, allow running as root)Notes for reviewers