
NET-5186 Add NET_BIND_SERVICE to built-in PSPs for consul-dataplane deployments#2890

Merged
nathancoleman merged 1 commit into main from dataplane-psps on Sep 5, 2023

Conversation

@nathancoleman
Member

@nathancoleman nathancoleman commented Sep 1, 2023

Changes proposed in this PR:
PodSecurityPolicy needs to add the NET_BIND_SERVICE capability for any Deployment that includes consul-dataplane.

A search for these in the consul-k8s repo yields:
[screenshot: search results for consul-dataplane in the consul-k8s repo]

How I've tested this PR:

  1. Create a GKE cluster with PodSecurityPolicy enforcement enabled:

     $ gcloud beta container clusters create cluster-1 --cluster-version=1.24 --enable-pod-security-policy

  2. Deploy Consul with PodSecurityPolicy enabled as well as the various gateway types and the telemetry collector:

     global:
       enablePodSecurityPolicies: true
     telemetryCollector:
       enabled: true
     meshGateway:
       enabled: true
     terminatingGateways:
       enabled: true
     ingressGateways:
       enabled: true
       gateways:
       - name: ingress-gateway
         service:
           type: LoadBalancer
           ports:
           - port: 80

  3. Verify that the dataplane container in the ingress-gateway, mesh-gateway, terminating-gateway and telemetry-collector pods successfully starts up. A failure scenario looks like exec /usr/local/bin/consul-dataplane: operation not permitted.

How I expect reviewers to test this PR:

Checklist:
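The failure described in the test steps above is a PodSecurityPolicy admission rule: a container that adds a Linux capability is only admitted if the governing PSP lists that capability in allowedCapabilities (or defaultAddCapabilities) or allows "*". The following is an added example, not code from the consul-k8s project, that models that rule against constructed before/after PSP manifests and a constructed pod fragment for a consul-dataplane container that adds NET_BIND_SERVICE to bind port 80; the PSP name, the pod fragment and the checker functions are assumptions made for illustration.

```python
"""Simplified model of the PodSecurityPolicy capability check behind this PR.

Added example; not code from the consul-k8s project. Only the capability
rule is modelled: a container's securityContext.capabilities.add entries
must each appear in the PSP's allowedCapabilities or defaultAddCapabilities
(or the PSP must allow '*'); otherwise the pod is rejected and the gateway's
dataplane container never starts.
"""
from typing import Any, Dict, List

# Constructed PSP as it stood before the fix: every capability must be
# dropped and none may be added, so a consul-dataplane container that adds
# NET_BIND_SERVICE is rejected. The name is hypothetical.
PSP_BEFORE: Dict[str, Any] = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "example-mesh-gateway"},
    "spec": {
        "privileged": False,
        "allowPrivilegeEscalation": False,
        "requiredDropCapabilities": ["ALL"],
        "allowedCapabilities": [],
    },
}

# Constructed PSP after the fix: identical except NET_BIND_SERVICE is allowed.
PSP_AFTER: Dict[str, Any] = {
    **PSP_BEFORE,
    "spec": {**PSP_BEFORE["spec"], "allowedCapabilities": ["NET_BIND_SERVICE"]},
}

# Constructed pod fragment: the dataplane container drops everything and adds
# back only NET_BIND_SERVICE so it can bind a privileged port such as 80.
GATEWAY_POD: Dict[str, Any] = {
    "spec": {
        "containers": [
            {
                "name": "consul-dataplane",
                "securityContext": {
                    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                },
            },
        ],
    },
}


def _added_capabilities(container: Dict[str, Any]) -> List[str]:
    """Capabilities the container asks to add (empty if none are specified)."""
    sec = container.get("securityContext") or {}
    caps = sec.get("capabilities") or {}
    return list(caps.get("add") or [])


def disallowed_capabilities(psp: Dict[str, Any], pod: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map container name -> added capabilities the PSP does not permit."""
    spec = psp["spec"]
    allowed = set(spec.get("allowedCapabilities") or []) | set(spec.get("defaultAddCapabilities") or [])
    if "*" in allowed:  # wildcard PSP permits any capability
        return {}
    violations: Dict[str, List[str]] = {}
    containers = list(pod["spec"].get("initContainers") or []) + list(pod["spec"].get("containers") or [])
    for container in containers:
        bad = [cap for cap in _added_capabilities(container) if cap not in allowed]
        if bad:
            violations[container["name"]] = bad
    return violations


def admits(psp: Dict[str, Any], pod: Dict[str, Any]) -> bool:
    """True when no container adds a capability the PSP forbids."""
    return not disallowed_capabilities(psp, pod)


if __name__ == "__main__":
    for label, psp in (("before fix", PSP_BEFORE), ("after fix", PSP_AFTER)):
        verdict = "admitted" if admits(psp, GATEWAY_POD) else "REJECTED"
        print(f"{label}: pod {verdict}; violations={disallowed_capabilities(psp, GATEWAY_POD)}")
```

Running the script prints that the pod is rejected under the before-fix PSP (consul-dataplane adding NET_BIND_SERVICE) and admitted under the after-fix one. On a cluster that still enforces PSPs (1.24 and earlier), `kubectl get psp <name> -o yaml` shows the allowedCapabilities list the same check is evaluated against.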

@nathancoleman nathancoleman added backport/1.0.x backport/1.1.x Backport to release/1.1.x branch pr/no-changelog PR does not need a corresponding .changelog entry backport/1.2.x This release branch is no longer active. labels Sep 1, 2023
@nathancoleman nathancoleman changed the title Add NET_BIND_SERVICE to built-in PSPs for consul-dataplane deployments NET-5186 Add NET_BIND_SERVICE to built-in PSPs for consul-dataplane deployments Sep 1, 2023
@nathancoleman nathancoleman marked this pull request as ready for review September 1, 2023 21:07
@nathancoleman
Member Author

Not including a changelog here since this PR is just picking up something I missed in #2787, which did include a changelog entry.
