# FsBackup: Restricted Pod Security and read-only root FS

Fixed to address: https://issues.redhat.com/browse/OADP-5105

## Node agent pods

A single flag, `disableFsBackup`, turns FsBackup on or off and changes how the `node-agent` deployment is configured:

```yaml=
configuration:
  nodeAgent:
    enable: true
    uploaderType: kopia
  velero:
    disableFsBackup: false # set to true to disable Fs Backup
```

### Enabled FsBackup

With Fs Backup enabled, the `node-agent` pod runs with more permissive settings and has additional volumes mounted. To check the settings, get the pod name; in our example it is `node-agent-2qgjm`:

```shell=
$ oc get pods -n openshift-adp
NAME               READY   STATUS    RESTARTS   AGE
node-agent-2qgjm   1/1     Running   0          23s
```

* First check: ensure the annotations correctly reflect the `SCC` and `seccomp` settings, and that the user in the container is `0`:

```shell=
$ oc get pod node-agent-2qgjm -n openshift-adp -o json | jq '.metadata.annotations'
{
  "openshift.io/scc": "privileged",
  "seccomp.security.alpha.kubernetes.io/pod": "unconfined"
}
$ oc get pod node-agent-2qgjm -n openshift-adp -o json | jq '.spec.securityContext'
{
  "runAsNonRoot": false,
  "runAsUser": 0,
  "seccompProfile": {
    "type": "Unconfined"
  }
}
```

* Second check: list the mounted volumes. The list should be similar to the one below, with **host-pods**, **host-plugins**, **home-velero** and **tmp** mounted without the **readOnly** flag:

```shell=
$ oc get pod node-agent-2qgjm -n openshift-adp -o json | jq -r '.spec.containers[].volumeMounts[]'
{
  "mountPath": "/host_pods",
  "mountPropagation": "HostToContainer",
  "name": "host-pods"
}
{
  "mountPath": "/var/data/kubelet/plugins",
  "mountPropagation": "HostToContainer",
  "name": "host-plugins"
}
{
  "mountPath": "/scratch",
  "name": "scratch"
}
{
  "mountPath": "/etc/ssl/certs",
  "name": "certs"
}
{
  "mountPath": "/var/run/secrets/openshift/serviceaccount",
  "name": "bound-sa-token",
  "readOnly": true
}
{
  "mountPath": "/tmp/credentials",
  "name": "credentials"
}
{
  "mountPath": "/home/velero",
  "name": "home-velero"
}
{
  "mountPath": "/tmp",
  "name": "tmp"
}
{
  "mountPath": "/credentials",
  "name": "cloud-credentials"
}
{
  "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
  "name": "kube-api-access-vx7j5",
  "readOnly": true
}
```

* Third check: `rsh` into the running container and ensure the settings are applied (root FS read-only, running as root, `/host_pods` mounted):

```shell=
$ oc rsh -n openshift-adp node-agent-2qgjm
sh-5.1# touch /readonly
touch: cannot touch '/readonly': Read-only file system
sh-5.1# whoami
root
sh-5.1# df -h | grep -v tmp   # /host_pods should be mounted
Filesystem      Size  Used Avail Use% Mounted on
overlay          98G   19G   74G  21% /
shm              64M     0   64M   0% /dev/shm
/dev/vda2        98G   19G   74G  21% /host_pods
```

* Once the above settings are confirmed, the test should consist of backup/restore operations using FsBackup. They should work as expected.

### Disabled FsBackup

With Fs Backup disabled, the `node-agent` pod runs with more restrictive settings and fewer volumes mounted. To check the settings, get the pod name; in our example it is `node-agent-j7csd`:

```shell=
$ oc get pods -n openshift-adp
NAME               READY   STATUS    RESTARTS   AGE
node-agent-j7csd   1/1     Running   0          15s
```

* First check: ensure the annotations correctly reflect the `SCC` and `seccomp` settings, and that the user in the container is not specified. The `fsGroup` corresponds to the UID the process runs as (see the `whoami` output below), and `runAsNonRoot` is set to `true`:

```shell=
$ oc get pod node-agent-j7csd -n openshift-adp -o json | jq '.metadata.annotations'
{
  "openshift.io/scc": "restricted-v2",
  "seccomp.security.alpha.kubernetes.io/pod": "runtime/default"
}
$ oc get pod node-agent-j7csd -n openshift-adp -o json | jq '.spec.securityContext'
{
  "fsGroup": 1000650000,
  "runAsNonRoot": true,
  "seLinuxOptions": {
    "level": "s0:c26,c0"
  },
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}
```

* Second check: list the mounted volumes. The list should be similar to the one below, with **home-velero** and **tmp** mounted without the **readOnly** flag, and without **host-pods** and **host-plugins**:

```shell=
$ oc get pod node-agent-j7csd -n openshift-adp -o json | jq -r '.spec.containers[].volumeMounts[]'
{
  "mountPath": "/scratch",
  "name": "scratch"
}
{
  "mountPath": "/etc/ssl/certs",
  "name": "certs"
}
{
  "mountPath": "/var/run/secrets/openshift/serviceaccount",
  "name": "bound-sa-token",
  "readOnly": true
}
{
  "mountPath": "/tmp/credentials",
  "name": "credentials"
}
{
  "mountPath": "/home/velero",
  "name": "home-velero"
}
{
  "mountPath": "/tmp",
  "name": "tmp"
}
{
  "mountPath": "/credentials",
  "name": "cloud-credentials"
}
{
  "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
  "name": "kube-api-access-gxvxt",
  "readOnly": true
}
```

* Third check: `rsh` into the running container and ensure the settings are applied (root FS read-only, running as the SCC-assigned UID, no `/host_pods` mount):

```shell=
$ oc rsh -n openshift-adp node-agent-j7csd
sh-5.1# touch /readonly
touch: cannot touch '/readonly': Read-only file system
sh-5.1# whoami
1000650000
sh-5.1# df -h | grep -v tmp   # /host_pods should NOT be mounted
Filesystem      Size  Used Avail Use% Mounted on
overlay          98G   19G   74G  21% /
shm              64M     0   64M   0% /dev/shm
```

* Once the above settings are confirmed, the test should consist of backup/restore operations using FsBackup. The backup and restore using FsBackup should **FAIL**.
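The first and second checks of both sections above can be automated against the pod JSON. The following script is an added example, not part of the OADP project or this test plan; the pod object embedded in it is a constructed sample trimmed from the restricted-v2 output shown above, and `check_node_agent_pod` is a hypothetical helper name.

```python
"""Check a node-agent pod's JSON against the posture expected for a given FsBackup mode."""
import json

# Constructed sample (not captured from a cluster): a trimmed pod object modelled on
# the restricted-v2 node-agent shown above (disableFsBackup: true).
RESTRICTED_POD = json.loads("""{
  "metadata": {"annotations": {
      "openshift.io/scc": "restricted-v2",
      "seccomp.security.alpha.kubernetes.io/pod": "runtime/default"}},
  "spec": {
    "securityContext": {"fsGroup": 1000650000, "runAsNonRoot": true,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"volumeMounts": [
        {"mountPath": "/scratch", "name": "scratch"},
        {"mountPath": "/home/velero", "name": "home-velero"},
        {"mountPath": "/tmp", "name": "tmp"}]}]}
}""")

HOST_MOUNTS = {"host-pods", "host-plugins"}  # acceptable only while FsBackup is enabled


def check_node_agent_pod(pod, fs_backup_enabled):
    """Return the deviations from the expected posture; an empty list means the pod passes."""
    findings = []
    ann = pod["metadata"].get("annotations", {})
    sc = pod["spec"].get("securityContext", {})
    mounts = {m["name"] for c in pod["spec"]["containers"]
              for m in c.get("volumeMounts", [])}
    if fs_backup_enabled:   # privileged SCC, root, host paths mounted
        want = ("privileged", "Unconfined", False, HOST_MOUNTS)
    else:                   # restricted-v2 SCC, non-root, no host paths
        want = ("restricted-v2", "RuntimeDefault", True, set())
    want_scc, want_seccomp, want_non_root, want_hosts = want
    if ann.get("openshift.io/scc") != want_scc:
        findings.append(f"scc is {ann.get('openshift.io/scc')!r}, expected {want_scc!r}")
    if sc.get("seccompProfile", {}).get("type") != want_seccomp:
        findings.append(f"seccompProfile.type should be {want_seccomp}")
    if sc.get("runAsNonRoot") != want_non_root:
        findings.append(f"runAsNonRoot should be {want_non_root}")
    if fs_backup_enabled and sc.get("runAsUser") != 0:
        findings.append("runAsUser must be 0 when FsBackup is enabled")
    if not fs_backup_enabled and "runAsUser" in sc:
        findings.append("runAsUser must stay unset so the SCC assigns the UID")
    if (mounts & HOST_MOUNTS) != want_hosts:
        findings.append(f"host mounts found: {sorted(mounts & HOST_MOUNTS)}, expected {sorted(want_hosts)}")
    return findings
```

To run it against a live pod, load the output of `oc get pod <name> -n openshift-adp -o json` with `json.load` and pass `fs_backup_enabled` matching the DPA's `disableFsBackup` value; a non-empty list is a failed check.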