

k8s: allow to configure logs permissions on k8s deployments
Add the TETRAGON_LOGS_PERM environment variable so we can configure
the export logs permissions.

It has some sanity checks to ensure that tetragon can read/write the
logs.

Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
tixxdz committed Oct 10, 2023
1 parent 07ff3b7 commit 03ab16d
Showing 6 changed files with 65 additions and 2 deletions.
15 changes: 13 additions & 2 deletions cmd/tetragon/main.go
Expand Up @@ -29,6 +29,7 @@ import (
"github.com/cilium/tetragon/pkg/defaults"
"github.com/cilium/tetragon/pkg/encoder"
"github.com/cilium/tetragon/pkg/exporter"
"github.com/cilium/tetragon/pkg/fileutils"
"github.com/cilium/tetragon/pkg/filters"
tetragonGrpc "github.com/cilium/tetragon/pkg/grpc"
"github.com/cilium/tetragon/pkg/logger"
Expand Down Expand Up @@ -531,10 +532,20 @@ func startExporter(ctx context.Context, server *server.Server) error {

// For non k8s deployments we explicitly want log files
// with permission 0600
perms := os.FileMode(0600)
mode, _ := cgroups.DetectDeploymentMode()
if mode != cgroups.DEPLOY_K8S {
writer.FileMode = os.FileMode(0600)
if mode == cgroups.DEPLOY_K8S {
p := os.Getenv(defaults.ENV_TG_LOGS_PERM)
if p != "" {
/* File must be readable/writable by owner and not writable by others */
perms, err = fileutils.RegularFilePerms(p, os.FileMode(0600), os.FileMode(0002))
if err != nil {
log.WithError(err).Warnf("Failed to parse permission of '%s', failing back to %v",
option.Config.ExportFilename, os.FileMode(perms))
}
}
}
writer.FileMode = perms

finfo, err := os.Stat(filepath.Clean(option.Config.ExportFilename))
if err == nil && finfo.IsDir() {
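Review bot: The warning in the new `if p != ""` block names the wrong thing and has a typo: it prints `option.Config.ExportFilename` after "Failed to parse permission of", although what failed to parse is the TETRAGON_LOGS_PERM value held in `p`, and "failing back" should be "falling back"; `os.FileMode(perms)` is also a no-op conversion because `perms` is declared as an os.FileMode on the `perms := os.FileMode(0600)` line. Suggest `log.WithError(err).Warnf("Failed to parse %s=%q, falling back to %v", defaults.ENV_TG_LOGS_PERM, p, perms)`. The comment kept above, "For non k8s deployments we explicitly want log files with permission 0600", is now stale since `writer.FileMode = perms` applies 0600 in every deployment mode unless the k8s override is set. `perms, err = ...` also relies on `err` being declared earlier in startExporter, which starts and ends outside this hunk.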
2 changes: 2 additions & 0 deletions docs/content/en/docs/reference/helm-chart.md
Expand Up @@ -80,6 +80,8 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
| tetragon.extraArgs | object | `{}` | |
| tetragon.extraEnv[0].name | string | `"TETRAGON_DEPLOYMENT_MODE"` | |
| tetragon.extraEnv[0].value | string | `"k8s"` | |
| tetragon.extraEnv[1].name | string | `"TETRAGON_LOGS_PERM"` | |
| tetragon.extraEnv[1].value | string | `"0660"` | |
| tetragon.extraVolumeMounts | list | `[]` | |
| tetragon.fieldFilters | string | `"{}"` | |
| tetragon.gops.address | string | `"localhost"` | The address at which to expose gops. |
2 changes: 2 additions & 0 deletions install/kubernetes/README.md
Expand Up @@ -63,6 +63,8 @@ Helm chart for Tetragon
| tetragon.extraArgs | object | `{}` | |
| tetragon.extraEnv[0].name | string | `"TETRAGON_DEPLOYMENT_MODE"` | |
| tetragon.extraEnv[0].value | string | `"k8s"` | |
| tetragon.extraEnv[1].name | string | `"TETRAGON_LOGS_PERM"` | |
| tetragon.extraEnv[1].value | string | `"0660"` | |
| tetragon.extraVolumeMounts | list | `[]` | |
| tetragon.fieldFilters | string | `"{}"` | |
| tetragon.gops.address | string | `"localhost"` | The address at which to expose gops. |
3 changes: 3 additions & 0 deletions install/kubernetes/values.yaml
Expand Up @@ -58,6 +58,9 @@ tetragon:
# detect the environment where Tetragon is running.
- name: TETRAGON_DEPLOYMENT_MODE
value: k8s
# Tetragon export logs file permissions as a string, default readable/writable by owner only.
- name: TETRAGON_LOGS_PERM
value: "0660"
extraVolumeMounts: []
securityContext:
privileged: true
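Review bot: The comment on the new `TETRAGON_LOGS_PERM` entry says "default readable/writable by owner only", but the value set directly under it is `"0660"`, which additionally makes the export log readable and writable by the file's group, so the restrictive wording and the permissive value sit next to each other. Suggest `# Export logs file permissions as an octal string. Tetragon's built-in default is 0600; 0660 also grants the file's group read/write.` so operators can tell what the chart value changes. The helm-chart.md and install/kubernetes/README.md tables in this commit show the same "0660" value and would benefit from the same wording if they are regenerated from this file.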
3 changes: 3 additions & 0 deletions pkg/defaults/defaults.go
Expand Up @@ -42,6 +42,9 @@ const (

// Special environment variable to help tetragon guess the deployment mode
ENV_TG_DEPLOY_MODE = "TETRAGON_DEPLOYMENT_MODE"

// Special environment variable to restrict permission of tetragon logs in K8S deployment mode
ENV_TG_LOGS_PERM = "TETRAGON_LOGS_PERM"
)

var (
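--- /dev/null
+++ b/pkg/fileutils/fileutils.go
@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+package fileutils
+
+import (
+"fmt"
+"os"
+"strconv"
+)
+
+// RegularFilePerms() takes an octal string representation and returns
+// a FileMode permission and after applying a mask on it and nil if no
+// errors.
+//
+// If the string can not be parsed into a 32 bit unsigned octal, or if
+// the passed string is not for a regular file then an error is returned,
+// and the default secure file mode always returned.
+//
+// The default secure mode is 0600
+func RegularFilePerms(s string, requiredMask os.FileMode, avoidMask os.FileMode) (os.FileMode, error) {
+secure := os.FileMode(0100600)
+if s == "" {
+return secure, fmt.Errorf("failed passed permissions are empty")
+}
+
+n, err := strconv.ParseUint(s, 8, 32)
+if err != nil {
+return secure, err
+}
+
+mode := os.FileMode(n)
+if mode.IsRegular() == false {
+return secure, nil
+}
+
+if avoidMask != 0 {
+mode &= ^avoidMask
+}
+
+mode |= requiredMask
+return mode, nil
+}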
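Review bot: `secure := os.FileMode(0100600)` and the `mode.IsRegular()` check mix POSIX st_mode with Go's os.FileMode: Go has no S_IFREG bit, so 0100000 sets an undefined bit in the fallback value, and IsRegular only rejects ModeType bits, so a value such as "4660" keeps ModeSetuid/ModeSetgid/ModeSticky and reaches os.OpenFile through writer.FileMode in cmd/tetragon/main.go. The `IsRegular() == false` branch also returns `secure, nil`, while the doc comment above says a non-regular-file value yields an error, so the caller cannot tell that the fallback was applied. Suggest a 0600 fallback, an error for any bit outside os.ModePerm (which covers the type bits as well), and `mode &^= avoidMask` for the mask step, with the doc comment updated to say that only rwx permission bits are accepted; the rewritten body is below.
```go
func RegularFilePerms(s string, requiredMask os.FileMode, avoidMask os.FileMode) (os.FileMode, error) {
	// os.FileMode carries no S_IFREG bit; the secure fallback is the plain permission.
	secure := os.FileMode(0600)
	if s == "" {
		return secure, fmt.Errorf("passed permissions are empty")
	}

	n, err := strconv.ParseUint(s, 8, 32)
	if err != nil {
		return secure, err
	}

	mode := os.FileMode(n)
	// Anything outside rwx bits (type bits, setuid/setgid/sticky) is not a
	// regular file permission and must not reach os.OpenFile.
	if mode&^os.ModePerm != 0 {
		return secure, fmt.Errorf("permissions %q are not plain regular file permissions", s)
	}

	mode &^= avoidMask
	mode |= requiredMask
	return mode, nil
}
```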

