From f5d4ba5a42661217266e3ca7c7ea1e1740c0f545 Mon Sep 17 00:00:00 2001
From: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Date: Wed, 24 Jan 2024 13:38:55 -0800
Subject: [PATCH] Set ReadOnlyRootFilesystem and AllowPrivilegeEscalation to false (#3498)

Tighten up privileges for consul-dataplane and connect-init containers when CNI is enabled.
---
 .../webhook/consul_dataplane_sidecar.go | 9 ++++---
 .../webhook/consul_dataplane_sidecar_test.go | 27 ++++++++++---------
 .../connect-inject/webhook/container_init.go | 2 ++
 .../webhook/container_init_test.go | 2 ++
 4 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
index 7011d93a91..0fec29f1ef 100644
--- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
+++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
@@ -219,10 +219,11 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor
 }
 }
 container.SecurityContext = &corev1.SecurityContext{
- RunAsUser: pointer.Int64(sidecarUserAndGroupID),
- RunAsGroup: pointer.Int64(sidecarUserAndGroupID),
- RunAsNonRoot: pointer.Bool(true),
- ReadOnlyRootFilesystem: pointer.Bool(true),
+ RunAsUser: pointer.Int64(sidecarUserAndGroupID),
+ RunAsGroup: pointer.Int64(sidecarUserAndGroupID),
+ RunAsNonRoot: pointer.Bool(true),
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ ReadOnlyRootFilesystem: pointer.Bool(true),
 }
 }
diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
index eb902f3597..936e51a559 100644
--- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
+++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
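Review bot: The sidecar SecurityContext in this hunk still declares no `Capabilities`, so consul-dataplane keeps the runtime's default capability set even though it now runs non-root with privilege escalation disabled; unless the sidecar needs a capability, adding `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},` to this literal would match the `Drop: ALL` the connect-init container already carries in container_init.go, and a `SeccompProfile` of type `corev1.SeccompProfileTypeRuntimeDefault` would complete the restricted Pod Security Standard for it. The condition guarding this assignment and the rest of consulDataplaneSidecar lie outside the hunk, so I cannot tell whether this is the only place the sidecar's context is built; the test case at @@ -826 expects the same literal with openShiftEnabled true, so any OpenShift-specific path should be checked for the new field as well. A one-line comment above the literal, e.g. `// Least privilege for the sidecar: non-root, no escalation, read-only root fs.`, would make the intent explicit for the next edit.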
@@ -801,20 +801,22 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 tproxyEnabled: false,
 openShiftEnabled: false,
 expSecurityContext: &corev1.SecurityContext{
- RunAsUser: pointer.Int64(sidecarUserAndGroupID),
- RunAsGroup: pointer.Int64(sidecarUserAndGroupID),
- RunAsNonRoot: pointer.Bool(true),
- ReadOnlyRootFilesystem: pointer.Bool(true),
+ RunAsUser: pointer.Int64(sidecarUserAndGroupID),
+ RunAsGroup: pointer.Int64(sidecarUserAndGroupID),
+ RunAsNonRoot: pointer.Bool(true),
+ ReadOnlyRootFilesystem: pointer.Bool(true),
+ AllowPrivilegeEscalation: pointer.Bool(false),
 },
 },
 "tproxy enabled; openshift disabled": {
 tproxyEnabled: true,
 openShiftEnabled: false,
 expSecurityContext: &corev1.SecurityContext{
- RunAsUser: pointer.Int64(sidecarUserAndGroupID),
- RunAsGroup: pointer.Int64(sidecarUserAndGroupID),
- RunAsNonRoot: pointer.Bool(true),
- ReadOnlyRootFilesystem: pointer.Bool(true),
+ RunAsUser: pointer.Int64(sidecarUserAndGroupID),
+ RunAsGroup: pointer.Int64(sidecarUserAndGroupID),
+ RunAsNonRoot: pointer.Bool(true),
+ ReadOnlyRootFilesystem: pointer.Bool(true),
+ AllowPrivilegeEscalation: pointer.Bool(false),
 },
 },
 "tproxy disabled; openshift enabled": {
@@ -826,10 +828,11 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 tproxyEnabled: true,
 openShiftEnabled: true,
 expSecurityContext: &corev1.SecurityContext{
- RunAsUser: pointer.Int64(sidecarUserAndGroupID),
- RunAsGroup: pointer.Int64(sidecarUserAndGroupID),
- RunAsNonRoot: pointer.Bool(true),
- ReadOnlyRootFilesystem: pointer.Bool(true),
+ RunAsUser: pointer.Int64(sidecarUserAndGroupID),
+ RunAsGroup: pointer.Int64(sidecarUserAndGroupID),
+ RunAsNonRoot: pointer.Bool(true),
+ ReadOnlyRootFilesystem: pointer.Bool(true),
+ AllowPrivilegeEscalation: pointer.Bool(false),
 },
 },
 }
diff --git a/control-plane/connect-inject/webhook/container_init.go b/control-plane/connect-inject/webhook/container_init.go
index 88962f771e..effee89150 100644
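Review bot: The three expected literals in these hunks append `AllowPrivilegeEscalation: pointer.Bool(false),` after `ReadOnlyRootFilesystem`, whereas consul_dataplane_sidecar.go inserts it before; field order in a struct literal does not affect the comparison, but keeping the test in the same order as the implementation makes the expectation greppable against it. All three cases now expect byte-identical contexts, so a single shared expected value (or a small helper returning it) would keep the next field from needing three edits. The "tproxy disabled; openshift enabled" case is elided between the two hunks, so I cannot see whether it is expected to carry the new field or to have no context at all.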
--- a/control-plane/connect-inject/webhook/container_init.go
+++ b/control-plane/connect-inject/webhook/container_init.go
@@ -263,6 +263,8 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod,
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ ReadOnlyRootFilesystem: pointer.Bool(true),
+ AllowPrivilegeEscalation: pointer.Bool(false),
 }
 }
 }
diff --git a/control-plane/connect-inject/webhook/container_init_test.go b/control-plane/connect-inject/webhook/container_init_test.go
index fa2a95dbf9..8feac95b84 100644
--- a/control-plane/connect-inject/webhook/container_init_test.go
+++ b/control-plane/connect-inject/webhook/container_init_test.go
@@ -302,6 +302,8 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ ReadOnlyRootFilesystem: pointer.Bool(true),
+ AllowPrivilegeEscalation: pointer.Bool(false),
 }
 } else if c.expTproxyEnabled {
 expectedSecurityContext = &corev1.SecurityContext{
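Review bot: `ReadOnlyRootFilesystem: pointer.Bool(true)` on the connect-init container is a runtime behaviour change that the struct-comparison test in container_init_test.go cannot catch: any file connect-init writes outside an explicitly mounted volume will now fail with a read-only filesystem error at pod start. The container's volume mounts are set outside this hunk, so please confirm that every path connect-init writes to sits on a mount, ideally with an acceptance test that actually runs the init container under this context. The enclosing literal and containerInit continue outside the hunk; the `Drop: ALL` directly above suggests this is the branch that adds no capabilities, which is consistent with disabling privilege escalation here. A short comment on the new lines, e.g. `// connect-init only writes to mounted volumes and never needs to gain privileges.`, would record that assumption next to the setting that depends on it.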