
Backport of NET-5186 Allow dataplane container to bind to privileged ports into release/1.2.x #247

Merged
hc-github-team-consul-core merged 1 commit into release/1.2.x from backport/distroless-capabilities/properly-learning-jennet on Aug 25, 2023

Conversation

@hc-github-team-consul-core Collaborator

Backport

This PR is auto-generated from #238 to be assessed for backporting due to the inclusion of the label backport/1.2.

The below text is copied from the body of the original PR.


Describe the issue

Consul-dataplane is currently unable to bind to privileged ports (< 1024).

This is important for ingress-gateway use cases where customers have historically been able to bind to ports such as 443 and are encountering runtime failures when attempting to upgrade to Consul 1.15+ and the corresponding Helm chart versions. In these newer versions, consul-dataplane has taken the place of the envoyproxy/envoy containers that were used previously.

Example of failure:

[warning] envoy.config(13) delta config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) http:0.0.0.0:443: cannot bind '0.0.0.0:443': Permission denied

Describe the fix

It appears that Envoy containers, which consul-dataplane has replaced for ingress-gateway use cases, run as root and then use su-exec to run as a different user. I'm thinking that we can set the NET_BIND_SERVICE capability directly on the Envoy and dataplane binaries and avoid starting up as root, but I'm depending on my own testing and reviewers here to validate this.

This PR adds a new stage to set the net_bind_service capability on the Envoy and dataplane binaries that are copied into the release image. The final images then copy their Envoy and dataplane binaries from this new stage instead of their previous source.

How to test

  • Create an ingress-gateway that binds to a privileged port, such as 443 (see example values below)
    • Before this change, the consul-dataplane container will appear healthy but spew logs containing the error below
    • After this change, the consul-dataplane container will appear healthy, and the logs will indicate successful xDS config
  • Do the same testing on OpenShift to verify no negative impact
Example `values.yaml`:

```yaml
global:
  name: consul
  logLevel: debug

connectInject:
  replicas: 1
  enabled: true

server:
  replicas: 3

ingressGateways:
  enabled: true
  gateways:
    - name: my-ingress
      service:
        type: LoadBalancer
        ports:
          - port: 443
```

Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core requested a review from a team August 25, 2023 20:39
@hc-github-team-consul-core hc-github-team-consul-core requested a review from a team as a code owner August 25, 2023 20:39
@hc-github-team-consul-core hc-github-team-consul-core requested review from alvin-huang and randyhdev and removed request for a team August 25, 2023 20:39
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/distroless-capabilities/properly-learning-jennet branch from 46126a9 to 551a374 Compare August 25, 2023 20:39
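As an added example (not code from this PR or from consul-dataplane), the following Go program checks from inside a container whether CAP_NET_BIND_SERVICE actually reached the process, and then attempts the bind that failed in the Envoy log quoted in the PR body. It reads the CapBnd/CapPrm/CapEff and NoNewPrivs lines of /proc/self/status; the CapReport type, the helper names and the diagnosis strings are this example's own. It encodes two caveats the setcap approach depends on: a file capability can only be gained at execve if the capability is still in the container's bounding set (a securityContext with capabilities.drop: ALL removes it), and a container run with allowPrivilegeEscalation: false has no_new_privs set, in which case the kernel does not let execve raise the permitted set from file capabilities, so the binary starts without CAP_NET_BIND_SERVICE regardless of what setcap stamped on it.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"log"
	"net"
	"os"
	"strconv"
	"strings"
	"syscall"
)

const capNetBindService = 10 // CAP_NET_BIND_SERVICE in linux/capability.h

// CapReport records where CAP_NET_BIND_SERVICE appears for a process, read from /proc/<pid>/status.
type CapReport struct {
	InBounding  bool // CapBnd: a file capability can only be gained if it is in here
	InPermitted bool // CapPrm
	InEffective bool // CapEff: the set bind() actually checks
	NoNewPrivs  bool // set by allowPrivilegeEscalation: false; blocks gaining file caps at execve
}

// hasCap reports whether capability n is set in a /proc status hex mask such as "00000000a80425fb".
func hasCap(hexMask string, n uint) (bool, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(hexMask), 16, 64)
	if err != nil {
		return false, err
	}
	return mask&(1<<n) != 0, nil
}

// parseStatus extracts the report from the text of a /proc/<pid>/status file.
func parseStatus(status string) (CapReport, error) {
	var r CapReport
	fields := map[string]*bool{"CapBnd": &r.InBounding, "CapPrm": &r.InPermitted, "CapEff": &r.InEffective}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if !ok {
			continue
		}
		val = strings.TrimSpace(val)
		if key == "NoNewPrivs" {
			r.NoNewPrivs = val == "1"
		} else if dst := fields[key]; dst != nil {
			var err error
			if *dst, err = hasCap(val, capNetBindService); err != nil {
				return r, fmt.Errorf("parsing %s: %w", key, err)
			}
		}
	}
	return r, sc.Err()
}

// explain turns a report into the diagnosis behind "cannot bind '0.0.0.0:443': Permission denied".
func explain(r CapReport) string {
	switch {
	case r.InEffective:
		return "CAP_NET_BIND_SERVICE is effective; binding to ports below 1024 is allowed"
	case !r.InBounding:
		return "CAP_NET_BIND_SERVICE is not in the bounding set (capabilities.drop: ALL?); file capabilities cannot add it"
	case r.NoNewPrivs:
		return "no_new_privs is set (allowPrivilegeEscalation: false?); file capabilities on the binary are ignored"
	case r.InPermitted:
		return "CAP_NET_BIND_SERVICE is permitted but not effective; the binary needs cap_net_bind_service=+ep, not just +p"
	default:
		return "CAP_NET_BIND_SERVICE is absent; set it on the binary with setcap or grant it through the ambient set"
	}
}

// tryBind binds a TCP socket on addr and singles out EACCES, the error Envoy reported, from other failures.
func tryBind(addr string) error {
	ln, err := net.Listen("tcp", addr)
	if err == nil {
		return ln.Close()
	}
	if errors.Is(err, syscall.EACCES) {
		return fmt.Errorf("bind %s denied: CAP_NET_BIND_SERVICE missing from the effective set: %w", addr, err)
	}
	return err
}

func main() {
	b, err := os.ReadFile("/proc/self/status")
	if err != nil {
		log.Fatal(err)
	}
	r, err := parseStatus(string(b))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n%s\n", r, explain(r))
	if err := tryBind("0.0.0.0:443"); err != nil { // the listener that failed in the Envoy log
		log.Fatal(err)
	}
	fmt.Println("bind 0.0.0.0:443 succeeded")
}
```

Run it as the container's own (non-root) user; it prints the capability report and a diagnosis, then exits non-zero with an EACCES-specific message when port 443 is denied. To inspect what the build stage stamped on the binary itself, `getcap` on the Envoy binary path inside the image (path assumed, e.g. `getcap /usr/local/bin/envoy`) should show `cap_net_bind_service=ep`; a value with only `p` explains the "permitted but not effective" case above.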
Collaborator

Auto approved Consul Bot automated PR

NET-5186 Allow dataplane container to bind to privileged ports
@nathancoleman nathancoleman force-pushed the backport/distroless-capabilities/properly-learning-jennet branch from 551a374 to 6f9edfe Compare August 25, 2023 21:49
Member

@nathancoleman nathancoleman left a comment

Matches source PR

@hc-github-team-consul-core hc-github-team-consul-core merged commit 8318755 into release/1.2.x Aug 25, 2023
@hc-github-team-consul-core hc-github-team-consul-core deleted the backport/distroless-capabilities/properly-learning-jennet branch August 25, 2023 21:51
3 participants