NET-5947 Add NET_BIND_SERVICE capability in security context for api-gateway pod on OpenShift#3070

Merged
nathancoleman merged 6 commits into main from api-gateway-net-bind-service on Oct 12, 2023
Conversation

@nathancoleman nathancoleman commented Oct 11, 2023

Why this change is needed:
This capability became a requirement for consul-dataplane, which api-gateway uses under the hood, as of hashicorp/consul-dataplane#238. Since the securityContext created for each consul-dataplane Pod was not requesting the NET_BIND_SERVICE capability specifically when deploying onto OpenShift, it was not being granted, and the Pod was failing to start with a permission denied error.

Changes proposed in this PR:

  • Always add required NET_BIND_SERVICE capability to the securityContext for each api-gateway Pod

How I've tested this PR:

  • Added unit test coverage verifying securityContext is always set appropriately on Pod
  • @missylbytes tested it live on OpenShift 4.11 and 4.12 clusters, verifying that the Pod starts up correctly now

How I expect reviewers to test this PR:

  • 🤖 tests passing

Checklist:

@nathancoleman nathancoleman added the theme/openshift, theme/api-gateway (Related to Consul API Gateway) and backport/1.2.x labels Oct 11, 2023
@nathancoleman nathancoleman changed the title Add NET_BIND_SERVICE capability in security context for api-gateway p… Add NET_BIND_SERVICE capability in security context for api-gateway pod Oct 11, 2023
@nathancoleman nathancoleman marked this pull request as ready for review October 12, 2023 15:33
@curtbushko curtbushko self-requested a review October 12, 2023 15:45
@curtbushko curtbushko left a comment

I don't really like it but I understand why it is needed. Approve!

@nathancoleman nathancoleman changed the title Add NET_BIND_SERVICE capability in security context for api-gateway pod Add NET_BIND_SERVICE capability in security context for api-gateway pod on OpenShift Oct 12, 2023
@nathancoleman nathancoleman changed the title Add NET_BIND_SERVICE capability in security context for api-gateway pod on OpenShift NET-5947 Add NET_BIND_SERVICE capability in security context for api-gateway pod on OpenShift Oct 12, 2023

const (
allCapabilities = "all"
allCapabilities = "ALL"
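Review bot: the change of `allCapabilities` from `"all"` to `"ALL"` fixes a case-sensitivity mismatch, but nothing in the hunk records why the uppercase spelling matters; add a comment on the constant stating that capability names are compared as exact strings and that the OpenShift SCC admission path injects `ALL`, so a lowercase literal would again produce two `drop` entries (`ALL` and `all`). A unit test asserting that `Drop` contains `ALL` exactly once after the OpenShift mutation would keep this from regressing.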
@nathancoleman nathancoleman Oct 12, 2023

This was causing an odd merge when the OpenShift controller added ALL alongside our all since they're not equal strings, resulting in

drop:
- ALL
- all

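The merge behaviour described in the comment above, as an added example that is not code from consul-k8s or this PR: a small Go check that normalizes a container's capability lists so that case variants such as `ALL` and `all` collapse to a single entry, then verifies the shape the PR wants (drop everything, add NET_BIND_SERVICE). The `Capabilities` type is an assumption standing in for `corev1.Capabilities` so the block runs without the Kubernetes API module.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Capabilities mirrors the shape of corev1.Capabilities (assumed type, not imported).
type Capabilities struct {
	Add  []string
	Drop []string
}

// Kubernetes and OpenShift compare capability names as plain strings, so "all" and "ALL" are distinct entries; normalize upper-cases and de-duplicates.
func normalize(caps []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, c := range caps {
		u := strings.ToUpper(strings.TrimSpace(c))
		if u == "" || seen[u] {
			continue
		}
		seen[u] = true
		out = append(out, u)
	}
	sort.Strings(out)
	return out
}

// EnsureNetBindService returns the set the gateway container should end up with:
// everything dropped, NET_BIND_SERVICE added, no case-variant duplicates left behind.
func EnsureNetBindService(in Capabilities) Capabilities {
	add := normalize(append([]string{"NET_BIND_SERVICE"}, in.Add...))
	drop := normalize(append([]string{"ALL"}, in.Drop...))
	return Capabilities{Add: add, Drop: drop}
}

// Verify reports why a capability set is not acceptable, or "" if it is.
func Verify(c Capabilities) string {
	switch {
	case len(c.Drop) != 1 || c.Drop[0] != "ALL":
		return fmt.Sprintf("drop must be exactly [ALL], got %v", c.Drop)
	case len(c.Add) != 1 || c.Add[0] != "NET_BIND_SERVICE":
		return fmt.Sprintf("add must be exactly [NET_BIND_SERVICE], got %v", c.Add)
	}
	return ""
}
```

Feeding `Verify` a constructed context with `Drop: ["ALL", "all"]` rejects it, while the output of `EnsureNetBindService` on the same input passes and is a fixed point of a second call.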
Contributor

Fixed:
[screenshot attached]
