security: run as unprivileged (kubeovn#3040)

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>

charts/kube-ovn/templates/central-deploy.yaml

@@ -47,8 +47,12 @@ spec:
  command: 
  - /kube-ovn/start-db.sh
  securityContext:
+ runAsUser: 0
+ privileged: false
  capabilities:
- add: ["SYS_NICE"]
+ add:
+ - NET_BIND_SERVICE
+ - SYS_NICE
  env:
  - name: ENABLE_SSL
  value: "{{ .Values.networking.ENABLE_SSL }}"

charts/kube-ovn/templates/controller-deploy.yaml

@@ -116,6 +116,12 @@ spec:
  - --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }}
  - --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
  - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }}
+ securityContext:
+ runAsUser: 0
+ privileged: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
  env:
  - name: ENABLE_SSL
  value: "{{ .Values.networking.ENABLE_SSL }}"

charts/kube-ovn/templates/ovncni-ds.yaml

@@ -82,7 +82,13 @@ spec:
  - --ovs-vsctl-concurrency={{ .Values.performance.OVS_VSCTL_CONCURRENCY }}
  securityContext:
  runAsUser: 0
- privileged: true
+ privileged: false
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SYS_ADMIN
  env:
  - name: ENABLE_SSL
  value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -119,7 +125,7 @@ spec:
  name: cni-conf
  - mountPath: /run/openvswitch
  name: host-run-ovs
- mountPropagation: Bidirectional
+ mountPropagation: HostToContainer
  - mountPath: /run/ovn
  name: host-run-ovn
  - mountPath: /host/var/run/dbus

charts/kube-ovn/templates/ovsovn-ds.yaml

@@ -52,7 +52,13 @@ spec:
  {{- end }}
  securityContext:
  runAsUser: 0
- privileged: true
+ privileged: false
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_BIND_SERVICE
+ - SYS_MODULE
+ - SYS_NICE
  env:
  - name: ENABLE_SSL
  value: "{{ .Values.networking.ENABLE_SSL }}"

dist/images/install.sh

@@ -3278,8 +3278,12 @@ spec:
  command:
  - /kube-ovn/start-db.sh
  securityContext:
+ runAsUser: 0
+ privileged: false
  capabilities:
- add: ["SYS_NICE"]
+ add:
+ - NET_BIND_SERVICE
+ - SYS_NICE
  env:
  - name: ENABLE_SSL
  value: "$ENABLE_SSL"
@@ -3609,7 +3613,13 @@ spec:
  - /kube-ovn/start-ovs.sh
  securityContext:
  runAsUser: 0
- privileged: true
+ privileged: false
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_BIND_SERVICE
+ - SYS_MODULE
+ - SYS_NICE
  env:
  - name: ENABLE_SSL
  value: "$ENABLE_SSL"
@@ -4016,6 +4026,12 @@ spec:
  - --enable-lb-svc=$ENABLE_LB_SVC
  - --keep-vm-ip=$ENABLE_KEEP_VM_IP
  - --node-local-dns-ip=$NODE_LOCAL_DNS_IP
+ securityContext:
+ runAsUser: 0
+ privileged: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
  env:
  - name: ENABLE_SSL
  value: "$ENABLE_SSL"
@@ -4159,7 +4175,13 @@ spec:
  - --ovs-vsctl-concurrency=$OVS_VSCTL_CONCURRENCY
  securityContext:
  runAsUser: 0
- privileged: true
+ privileged: false
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SYS_ADMIN
  env:
  - name: ENABLE_SSL
  value: "$ENABLE_SSL"
@@ -4196,15 +4218,15 @@ spec:
  name: cni-conf
  - mountPath: /run/openvswitch
  name: host-run-ovs
- mountPropagation: Bidirectional
+ mountPropagation: HostToContainer
  - mountPath: /run/ovn
  name: host-run-ovn
  - mountPath: /host/var/run/dbus
  name: host-dbus
  mountPropagation: HostToContainer
  - mountPath: /var/run/netns
  name: host-ns
- mountPropagation: Bidirectional
+ mountPropagation: HostToContainer
  - mountPath: /var/log/kube-ovn
  name: kube-ovn-log
  - mountPath: /var/log/openvswitch

pkg/daemon/ovs_linux.go

@@ -237,21 +237,6 @@ func configureContainerNic(nicName, ifName, ipAddr, gateway string, isDefaultRou
  }
  }
 
- if util.CheckProtocol(ipAddr) == kubeovnv1.ProtocolDual || util.CheckProtocol(ipAddr) == kubeovnv1.ProtocolIPv6 {
- // For docker version >=17.x the "none" network will disable ipv6 by default.
- // We have to enable ipv6 here to add v6 address and gateway.
- // See https://github.com/containernetworking/cni/issues/531
- value, err := sysctl.Sysctl("net.ipv6.conf.all.disable_ipv6")
- if err != nil {
- return fmt.Errorf("failed to get sysctl net.ipv6.conf.all.disable_ipv6: %v", err)
- }
- if value != "0" {
- if _, err = sysctl.Sysctl("net.ipv6.conf.all.disable_ipv6", "0"); err != nil {
- return fmt.Errorf("failed to enable ipv6 on all nic: %v", err)
- }
- }
- }
-
  if nicType == util.InternalType {
  if err = addAdditionalNic(ifName); err != nil {
  return err
@@ -607,21 +592,6 @@ func configureNodeGwNic(portName, ip, gw string, macAddr net.HardwareAddr, mtu i
  klog.V(3).Infof("node external nic %q already in ns %s", util.NodeGwNic, util.NodeGwNsPath)
  }
  return ns.WithNetNSPath(gwNS.Path(), func(_ ns.NetNS) error {
- if util.CheckProtocol(ip) == kubeovnv1.ProtocolDual || util.CheckProtocol(ip) == kubeovnv1.ProtocolIPv6 {
- // For docker version >=17.x the "none" network will disable ipv6 by default.
- // We have to enable ipv6 here to add v6 address and gateway.
- // See https://github.com/containernetworking/cni/issues/531
- value, err := sysctl.Sysctl("net.ipv6.conf.all.disable_ipv6")
- if err != nil {
- return fmt.Errorf("failed to get sysctl net.ipv6.conf.all.disable_ipv6: %v", err)
- }
- if value != "0" {
- if _, err = sysctl.Sysctl("net.ipv6.conf.all.disable_ipv6", "0"); err != nil {
- return fmt.Errorf("failed to enable ipv6 on all nic: %v", err)
- }
- }
- }
-
  if err = configureNic(util.NodeGwNic, ip, macAddr, mtu, true); err != nil {
  klog.Errorf("failed to congigure node gw nic %s, %v", util.NodeGwNic, err)
  return err

yamls/speaker.yaml

@@ -29,7 +29,7 @@ spec:
  hostNetwork: true
  containers:
  - name: kube-ovn-speaker
- image: "kubeovn/kube-ovn:v1.12.1"
+ image: "docker.io/kubeovn/kube-ovn:v1.12.19"
  imagePullPolicy: IfNotPresent
  command:
  - /kube-ovn/kube-ovn-speaker

yamls/webhook.yaml

@@ -33,7 +33,7 @@ spec:
  hostNetwork: true
  containers:
  - name: kube-ovn-webhook
- image: "kubeovn/kube-ovn:v1.12.1"
+ image: "docker.io/kubeovn/kube-ovn:v1.12.19"
  imagePullPolicy: IfNotPresent
  command:
  - /kube-ovn/kube-ovn-webhook