feat(K8S): Support Restricted Constraints

Dockerfile

@@ -21,3 +21,5 @@ HEALTHCHECK CMD chronyc -n tracking || exit 1
 
 # start chronyd in the foreground
 ENTRYPOINT [ "/bin/sh", "/opt/startup.sh" ]
+
+USER 1001

assets/startup.sh

@@ -4,15 +4,17 @@ DEFAULT_NTP="time.cloudflare.com"
 CHRONY_CONF_FILE="/etc/chrony/chrony.conf"
 
 # confirm correct permissions on chrony run directory
-if [ -d /run/chrony ]; then
-  chown -R chrony:chrony /run/chrony
-  chmod o-rx /run/chrony
+if [ -d /run/chrony ] ; then
+  if [ "${SKIP_CHOWN:-false}" = false ] ; then
+    chown -R chrony:chrony /run/chrony
+    chmod o-rx /run/chrony
+  fi
   # remove previous pid file if it exist
   rm -f /var/run/chrony/chronyd.pid
 fi
 
-# confirm correct permissions on chrony variable state directory
-if [ -d /var/lib/chrony ]; then
+# # confirm correct permissions on chrony variable state directory
+if [ -d /var/lib/chrony ] &&  [ "${SKIP_CHOWN:-false}" = false ] ; then
   chown -R chrony:chrony /var/lib/chrony
 fi
 
@@ -70,6 +72,12 @@ done
   echo
   echo "driftfile /var/lib/chrony/chrony.drift"
   echo "makestep 0.1 3"
+  if [ "${PORT:-123}" != 123 ]; then
+    echo "port ${PORT}"
+  fi
+    if [ "${CMDPORT:-323}" != 323 ]; then
+    echo "cmdport ${CMDPORT}"
+  fi
   if [ "${NOCLIENTLOG:-false}" = true ]; then
     echo "noclientlog"
   fi
@@ -78,4 +86,8 @@ done
 } >> ${CHRONY_CONF_FILE}
 
 ## startup chronyd in the foreground
-exec /usr/sbin/chronyd -u chrony -d -x -L ${LOG_LEVEL}
+if [ "${SKIP_CHOWN:-false}" = false ] ; then
+  exec /usr/sbin/chronyd -u chrony -d -x -L ${LOG_LEVEL}
+else
+  exec /usr/sbin/chronyd -u chrony  -U -d -x -L ${LOG_LEVEL}
+fi

samples/k8s/README.md

@@ -0,0 +1,14 @@
+# K8S Restricted
+
+Under fully restricted there is a caveat:
+
+```log
+2024-12-28T02:36:44Z Wrong permissions on /run/chrony
+2024-12-28T02:36:44Z Disabled command socket /run/chrony/chronyd.sock
+```
+
+To use chronyc, instead use:
+
+```bash
+/usr/bin/chronyc -h 127.0.0.1 -p 10323 sources
+```

samples/k8s/deployment.yaml

@@ -0,0 +1,121 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ntp-rootless
+  namespace: ntp
+  labels:
+    app: ntp-rootless
+spec:
+  replicas: 1 # 2
+  strategy:
+    type: RollingUpdate
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app: ntp-rootless
+  template:
+    metadata:
+      labels:
+        app: ntp-rootless
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
+      hostname: ntp-rootless
+      restartPolicy: Always
+      automountServiceAccountToken: false
+      serviceAccountName: ntp
+      # ndots required because of alpine base image
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "1"
+      containers:
+        - image: ""
+          imagePullPolicy: IfNotPresent
+          name: ntp-rootless
+          ports:
+            - containerPort: 12345
+              name: ntp
+              protocol: UDP
+          securityContext:
+            runAsUser: 1001 # Not Needed for OpenShift
+            runAsGroup: 1001 # Not Needed for OpenShift
+            privileged: false
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
+          resources:
+            requests:
+              ephemeral-storage: "15Mi"
+              memory: "16Mi"
+              cpu: "5m"
+            limits:
+              ephemeral-storage: "15Mi"
+              memory: "32Mi"
+              cpu: "50m"
+          env:
+            - name: SKIP_CHOWN
+              value: "true"
+            - name: PORT
+              value: "12345"
+            - name: CMDPORT
+              value: "10323"
+            - name: ENABLE_NTS
+              value: "true"
+          volumeMounts:
+            - name: ntp-config
+              mountPath: /etc/chrony/
+            - name: ntp-lib
+              mountPath: /var/lib/chrony
+            - name: ntp-run
+              mountPath: /run/chrony
+            - name: ntp-var-run
+              mountPath: /var/run/chrony
+          livenessProbe:
+            exec: # /usr/bin/chronyc -h 127.0.0.1 -p 10323 sources
+              command:
+                - /usr/bin/chronyc
+                - -h
+                - 127.0.0.1
+                - -p
+                - "10323"
+                - sources
+            initialDelaySeconds: 45
+            timeoutSeconds: 10
+            periodSeconds: 30
+            successThreshold: 1
+            failureThreshold: 5
+          readinessProbe:
+            exec: # /usr/bin/chronyc -h 127.0.0.1 -p 10323 sources
+              command:
+                - /usr/bin/chronyc
+                - -h
+                - 127.0.0.1
+                - -p
+                - "10323"
+                - sources
+            initialDelaySeconds: 45
+            timeoutSeconds: 10
+            periodSeconds: 30
+            successThreshold: 1
+            failureThreshold: 5
+      volumes:
+        - name: ntp-config
+          emptyDir:
+            sizeLimit: 10Mi
+        - name: ntp-lib
+          emptyDir:
+            sizeLimit: 10Mi
+        - name: ntp-run
+          emptyDir:
+            sizeLimit: 10Mi
+        - name: ntp-var-run
+          emptyDir:
+            sizeLimit: 10Mi

samples/k8s/namespace.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+    app.kubernetes.io/instance: ntp
+    kubernetes.io/metadata.name: ntp
+  name: ntp

samples/k8s/service-account.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ntp
+  namespace: ntp
+  labels:
+    app: ntp

samples/k8s/service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ntp-rootless
+  namespace: ntp
+spec:
+  externalTrafficPolicy: Local
+  internalTrafficPolicy: Cluster
+  ports:
+    - name: ntp
+      port: 123
+      targetPort: ntp
+      protocol: UDP
+  selector:
+    app: ntp-rootless
+  type: LoadBalancer # ClusterIP
+  loadBalancerClass: ""
+