
docs: Kubernetes requires allowPrivilegeEscalation: true #3619

@innotecsol

Description


📝 Preliminary Checks

  • I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.

👀 What Happened?

I have set up DMS within a Kubernetes cluster, utilizing sieve. I got the following error:

Nov  4 13:24:37 mailserver-0 dovecot: lmtp: Error: postdrop: warning: mail_queue_enter: create file maildrop/281592.964: Permission denied
Nov  4 13:24:37 mailserver-0 postfix/postdrop[964]: warning: mail_queue_enter: create file maildrop/281592.964: Permission denied

My findings:

  • postdrop was running as the docker user, so I checked the setgid bit on postdrop, which was set correctly; the directory permissions were correct as well.
  • I had the Kubernetes YAML set up as described in the DMS k8s docs page.

According to kubernetes documentation:

Privilege Escalation (v1.8+)
Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed. This is Linux only policy in v1.25+ (spec.os.name != windows)

After changing to allowPrivilegeEscalation: true, it works. Maybe you can adjust the configuration accordingly?

Best Regards

👟 Reproduction Steps

No response

🐋 DMS Version

v12.1.0

💻 Operating System and Architecture

talos linux 1.4.1

⚙️ Container configuration files

containers:
        - name: mailserver
          image: ghcr.io/docker-mailserver/docker-mailserver:latest
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            privileged: false
            capabilities:
              add:
                # file permission capabilities
                - CHOWN
                - FOWNER
                - MKNOD
                - SETGID
                - SETUID
                - DAC_OVERRIDE
                # network capabilities
                # - NET_ADMIN  # needed for F2B
                # - NET_RAW    # needed for F2B
                - NET_BIND_SERVICE
                # miscellaneous  capabilities
                - SYS_CHROOT
                - KILL
              drop: [ALL]
            seccompProfile:
              type: RuntimeDefault
          ports:
            - name: transfer
              containerPort: 25
              protocol: TCP
            - name: esmtp-implicit
              containerPort: 465
              protocol: TCP
            - name: esmtp-explicit
              containerPort: 587
            - name: imap-implicit
              containerPort: 993
              protocol: TCP
            - name: repl-implicit
              containerPort: 9091
              protocol: TCP
          envFrom:
            - configMapRef:
                name: mailserver-conf
          volumeMounts:
            - name: dovecot-run
              mountPath: /var/run/dovecot
            - name: script-files
              subPath: user-patches.sh
              mountPath: /tmp/docker-mailserver/user-patches.sh
            - name: config-files
              subPath: postfix-sasl-password.cf
              mountPath: /tmp/docker-mailserver/postfix-sasl-password.cf
              readOnly: true
            - name: config-files
              subPath: postfix-relaymap.cf
              mountPath: /tmp/docker-mailserver/postfix-relaymap.cf
              readOnly: true
            - name: config-files
              subPath: postfix-main.cf
              mountPath: /tmp/docker-mailserver/postfix-main.cf
              readOnly: true
            - name: config-files
              subPath: sender_canonical.cf
              mountPath: /tmp/docker-mailserver/sender_canonical.cf
              readOnly: true
            - name: config-files
              subPath: fetchmail.cf
              mountPath: /tmp/docker-mailserver/fetchmail.cf
              readOnly: true
            - name: config-files
              subPath: dovecot.cf
              mountPath: /tmp/docker-mailserver/dovecot.cf
              readOnly: true
            - name: config-files
              subPath: before.dovecot.sieve
              mountPath: /tmp/docker-mailserver/before.dovecot.sieve
              readOnly: true
            - name: config-files
              subPath: sa-learn
              mountPath: /etc/cron.d/sa-learn
              readOnly: true
#            - name: config-files
#              subPath: fts-xapian-plugin.conf
#              mountPath: /etc/dovecot/conf.d/10-plugin.conf
#              readOnly: true
            - name: config-files
              subPath: 10-replication.conf
              mountPath: /etc/dovecot/conf.d/10-replication.conf
              readOnly: false
#            - name: config-files
#              subPath: 10-mail.conf - overwriting does not work - getting sed: cannot rename /etc/dovecot/conf.d/sedc3XhGc: Device or resource busy error - putting it in dovecot.cf config
#              mountPath: /etc/dovecot/conf.d/10-mail.conf
#              readOnly: false
            - name: config-files
              subPath: dovecot-index
              mountPath: /etc/cron.d/dovecot-index
              readOnly: true
            - name: maildata
              mountPath: /var/mail
              subPath: mail-data
              readOnly: false
            - name: maildata
              mountPath: /var/mail-state
              subPath: mail-state
              readOnly: false
            - name: maildata
              mountPath: /var/log/mail
              subPath: mail-log
              readOnly: false
            - name: servercert
              mountPath: /etc/ssl/mail/server.pem
              subPath: server.pem
              readOnly: true
            - name: serverkey
              mountPath: /etc/ssl/mail/key.pem
              subPath: key.pem
              readOnly: true
            - name: cacert
              mountPath: /etc/ssl/mail/server-ca.pem
              subPath: server-ca.pem
              readOnly: true

📜 Relevant log output

No response
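The mechanism behind the report above: allowPrivilegeEscalation: false makes the container runtime set the kernel no_new_privs flag on the container's processes, and with that flag set the kernel ignores set-user-ID and set-group-ID bits at execve(). postdrop is set-group-ID (the issue's "setgid on postdrop" check), so it ran with the calling user's group and could not create files in the maildrop directory. The flag is visible as the NoNewPrivs line in /proc/<pid>/status of any process in the container. The script below is an added example for checking this; it is not code from the docker-mailserver project or from the issue author. The function name setid_honored and the constructed status snapshots are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not docker-mailserver project code): decide whether a
# set-user-ID / set-group-ID binary will actually change IDs when executed
# inside a container, from a /proc/<pid>/status snapshot and the binary's mode.
#
# securityContext.allowPrivilegeEscalation: false -> no_new_privs is set ->
# "NoNewPrivs: 1" in /proc/<pid>/status -> set-ID bits are ignored at execve().
# (A nosuid mount would also block set-ID bits; that case is not checked here.)

# setid_honored STATUS_FILE MODE
#   STATUS_FILE  path to (or a saved copy of) /proc/<pid>/status
#   MODE         octal file mode of the binary, as printed by `stat -c %a`
# Prints a verdict; returns 0 if a set-ID bit will take effect, 1 otherwise.
setid_honored() {
    status_file=$1
    mode=$2

    # Left-pad to four octal digits without numeric conversion (printf would
    # read a leading 0 as octal).  The first digit carries the special bits:
    # 4 = setuid, 2 = setgid, 1 = sticky.
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done
    special=$(printf '%s' "$mode" | cut -c1)
    case $special in
        2|3) bits="setgid" ;;
        4|5) bits="setuid" ;;
        6|7) bits="setuid+setgid" ;;
        *)   echo "mode $mode has no set-ID bit; nothing to honor"
             return 1 ;;
    esac

    # The status file is "Key:<tab>value"; awk's default field splitting
    # handles the tab.  Kernels before 4.10 do not print this line at all.
    nnp=$(awk '/^NoNewPrivs:/ { print $2 }' "$status_file")
    case $nnp in
        0) echo "NoNewPrivs=0: $bits on mode $mode will be honored"
           return 0 ;;
        1) echo "NoNewPrivs=1: $bits on mode $mode is IGNORED (allowPrivilegeEscalation: false?)"
           return 1 ;;
        *) echo "no NoNewPrivs line in $status_file (kernel too old?)"
           return 1 ;;
    esac
}

# Stand-alone demo on constructed status snapshots (not data from a real pod).
demo_file=$(mktemp)
for nnp in 0 1; do
    printf 'Name:\tpostdrop\nNoNewPrivs:\t%s\n' "$nnp" > "$demo_file"
    setid_honored "$demo_file" 2755 || :
done
rm -f "$demo_file"
```

To run it against the pod from the issue, copy the status of any process in the container (the flag is inherited, so PID 1 is enough) and read postdrop's mode: `kubectl exec mailserver-0 -- cat /proc/1/status > status.txt` and `kubectl exec mailserver-0 -- sh -c 'stat -c %a "$(command -v postdrop)"'`, then `setid_honored status.txt 2755` with the mode you got. With allowPrivilegeEscalation: false the verdict is "IGNORED", which matches the Permission denied from mail_queue_enter; flipping it to true, as the reporter did, is what clears NoNewPrivs. Note that Kubernetes forces allowPrivilegeEscalation to true whenever a container is privileged or has CAP_SYS_ADMIN, so the setting only bites in configurations like this one that drop to a small capability set.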
