Run linkerd-gateway as non-root (#4543)

Container-optimized OS on GKE runs with a set of read/write rules that prevent the linkerd-gateway from starting up. These changes move the directories that nginx needs to write to /tmp and configures the error_log to write to stderr Signed-off-by: Charles Pretzer charles@buoyant.io
2020-06-05 13:14:36 -07:00 · 2020-06-05 13:14:36 -07:00 · b36544980d
parent f01bcfe722
commit b36544980d
1 changed files with 19 additions and 6 deletions
--- a/charts/linkerd2-multicluster/templates/gateway.yaml
+++ b/charts/linkerd2-multicluster/templates/gateway.yaml
@ -9,6 +9,8 @@ metadata:
  namespace: {{.Values.namespace}}
 data:
  nginx.conf: |-
+    error_log stderr;
+    pid /tmp/nginx.pid;
    events {
    }
    stream {
@ -18,12 +20,21 @@ data:
       }
    }
    http {
+      client_body_temp_path /tmp/client_temp;
+      proxy_temp_path       /tmp/proxy_temp_path;
+      fastcgi_temp_path     /tmp/fastcgi_temp;
+      uwsgi_temp_path       /tmp/uwsgi_temp;
+      scgi_temp_path        /tmp/scgi_temp;
      server {
          listen     {{.Values.gatewayProbePort}};
-          location {{.Values.gatewayProbePath}} {
+          location = {{.Values.gatewayProbePath}} {
            access_log off;
            return 200 "healthy\n";
          }
+
+          location ~* ^/(.*)$ {
+            deny all;
+          }
      }
      server {
          listen     {{.Values.gatewayLocalProbePort}};
@ -54,7 +65,7 @@ spec:
  template:
    metadata:
      annotations:
-        {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}        
+        {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
        linkerd.io/inject: enabled
        config.linkerd.io/proxy-require-identity-inbound-ports: "{{.Values.gatewayProbePort}},{{.Values.gatewayPort}},4180"
        config.linkerd.io/enable-gateway: "true"
@ -84,7 +95,9 @@ spec:
            - name: mc-probe
              containerPort: {{.Values.gatewayProbePort}}
            - name: local-probe
-              containerPort: {{.Values.gatewayLocalProbePort}}              
+              containerPort: {{.Values.gatewayLocalProbePort}}
+          securityContext:
+            runAsUser: 1001
          volumeMounts:
            - name: config
              mountPath: /etc/nginx
@ -95,7 +108,7 @@ kind: Service
 metadata:
  name: {{.Values.gatewayName}}
  namespace: {{.Values.namespace}}
-  annotations: 
+  annotations:
    mirror.linkerd.io/gateway-identity: {{.Values.gatewayName}}.{{.Values.namespace}}.serviceaccount.identity.{{.Values.linkerdNamespace}}.{{.Values.identityTrustDomain}}
    mirror.linkerd.io/probe-period: "{{.Values.gatewayProbeSeconds}}"
    mirror.linkerd.io/probe-path: {{.Values.gatewayProbePath}}
@ -104,10 +117,10 @@ metadata:
 spec:
  ports:
  - name: mc-gateway
-    port: {{.Values.gatewayPort}}    
+    port: {{.Values.gatewayPort}}
    protocol: TCP
  - name: mc-probe
-    port: {{.Values.gatewayProbePort}}    
+    port: {{.Values.gatewayProbePort}}
    protocol: TCP
  selector:
    app: {{.Values.gatewayName}}