So, I have managed to get z2jh working with a local GitLab using a permissive PSP and a custom JupyterHub image that runs as root.
Here is the environment I used to get it working:
PSP used:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: jupyterhub
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  # Required to prevent escalations to root.
  # allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  allowedCapabilities:
    - NET_ADMIN
    # - SETGID
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'RunAsAny'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
```
ClusterRoleBindings
I followed this up with a ClusterRoleBinding, as a normal RoleBinding restricting it to the jupyter ns did not work.
I also had to allow the hub image to run as the root user. This was necessary because I could not find a workaround for not allowing `c.LocalAuthenticator.create_system_users: True`.
Failures
Any attempt at reducing these permissions or privileges causes the singleuser notebook to fail.
As of now, the entire setup does not seem very secure. Here are the two questions I have:
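For comparison, here is what a restricted form of the same PSP looks like, together with the RBAC objects that grant `use` on it. This is an added example, not the poster's configuration and not part of the z2jh chart: it tightens the three settings that make the policy above permissive (`allowPrivilegeEscalation` commented out, `NET_ADMIN` allowed, `runAsUser: RunAsAny`) and keeps `readOnlyRootFilesystem: false` because notebook containers write to their filesystem. The policy name, the `jupyter` namespace (taken from the thread) and the group subject are assumptions; the ClusterRoleBinding mirrors what the post says worked.

```yaml
# Added example: a restricted PSP for the JupyterHub namespace (assumed names).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: jupyterhub-restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  # Active, not commented out: blocks setuid binaries from gaining privileges.
  allowPrivilegeEscalation: false
  # No allowedCapabilities at all; NET_ADMIN was only needed by the
  # cloud-metadata init container, which is gone once that option is enabled.
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Rejects any pod whose image or securityContext resolves to UID 0.
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  # Notebook servers write to the container filesystem, so this stays false.
  readOnlyRootFilesystem: false
---
# ClusterRole that permits using the policy (assumed name).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:jupyterhub-restricted
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['jupyterhub-restricted']
---
# Bind it to every service account in the jupyter namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:jupyterhub-restricted
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:jupyterhub-restricted
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:jupyter
```

With `MustRunAsNonRoot`, any pod in the namespace whose image defaults to UID 0 and sets no `runAsUser` is rejected at admission; that is exactly the failure mode a root-running hub image or the pause-based placeholder pod will hit, so the PSP surfaces those cases rather than silently allowing them.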
Can you let us know what you've tried from that issue, and what did or didn't work? If you could show us your Z2JH config that would also be helpful.
So, I gave it another shot and after carefully reading through and understanding the various components, I got it to work (mostly) without any issues.
Since it is a local installation, I enabled network policy and the cloudMetadata option. This removed the init container for singleuser images as mentioned on the GitHub issue.
I disabled the hooks as I have set the imagePullPolicy to Always, as it makes sense to do this at a cluster level to ensure patched images are used. The hooks seem redundant in this scenario, correct?
Also, I disabled the LocalGitLabOAuthenticator after reading about it and enabled the GitLabOAuthenticator; this removed the need for running Hub as a root user, as the users are no longer added to the local system.
What did not work out-of-the-box was the user-placeholder pod. Since the image used is the gcr.io/google_containers/pause:3.1 image, it runs as root by default. Adding a SecurityContext block to run the image as a non-root user did the trick. Can that be added in the conf file here? I don't think anyone would need to override this value, so this could be hardcoded? You could also change the image to a custom image, but I think it would make sense to just add this as a default value to avoid a few hassles.
Here is the final z2jh config that worked with the restricted psp:
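The securityContext fix for the placeholder pod described above, written out as an added example (this is not the poster's config and not the chart's template; the pod-spec fragment and the UID/GID values are assumptions). The pause image is a static binary with no dependency on root, so pinning it to an unprivileged user is enough for a `MustRunAsNonRoot` policy to admit it:

```yaml
# Added example: container spec for the pause-based user-placeholder pod.
# Field names are the Kubernetes pod API; only the numeric IDs are assumed.
spec:
  containers:
    - name: pause
      image: gcr.io/google_containers/pause:3.1
      securityContext:
        # pause:3.1 has no USER directive, so without this it starts as UID 0
        # and a MustRunAsNonRoot PSP rejects the pod at admission.
        runAsUser: 65534    # 'nobody' on most images (assumed value)
        runAsGroup: 65534
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
```

The pause container has no shell, so the check is on the object rather than inside it: `kubectl get pod <placeholder-pod> -n jupyter -o jsonpath='{.spec.containers[0].securityContext}'` should show the non-root settings, and with the restricted PSP in place a placeholder pod that lacks them will never reach Running.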
That makes sense, I can't think of any reason the pause container has to run as root. Please feel free to open a PR!
Yes, I think that would be helpful. Please open it as a separate PR and cross-reference this thread as there may be some discussions about it whereas the pause PR should be straightforward. Thanks for contributing!