From 4a4885f61c32c1b2ba7d3e70f3f4f96b0a7aa73a Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Tue, 28 May 2024 13:58:29 -0400
Subject: [PATCH 1/3] Always add NET_BIND_SERVICE capability to injected sidecar container

---
 .../webhook/consul_dataplane_sidecar.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
index a9643308d8..88ee607770 100644
--- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
+++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
@@ -234,7 +234,20 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor
 RunAsGroup: pointer.Int64(sidecarUserAndGroupID),
 RunAsNonRoot: pointer.Bool(true),
 AllowPrivilegeEscalation: pointer.Bool(false),
- ReadOnlyRootFilesystem: pointer.Bool(true),
+ // consul-dataplane requires the NET_BIND_SERVICE capability regardless of binding port #.
+ // See https://developer.hashicorp.com/consul/docs/connect/dataplane#technical-constraints
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{"NET_BIND_SERVICE"},
+ },
+ ReadOnlyRootFilesystem: pointer.Bool(true),
+ }
 } else {
+ // consul-dataplane requires the NET_BIND_SERVICE capability regardless of binding port #.
+ // See https://developer.hashicorp.com/consul/docs/connect/dataplane#technical-constraints
+ container.SecurityContext = &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{"NET_BIND_SERVICE"},
+ },
+ }
 }
 }

From 32de572940bbe4db2b3967941337b059003a0107 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Tue, 4 Jun 2024 15:01:07 -0400
Subject: [PATCH 2/3] Add changelog entry

---
 .changelog/4066.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/4066.txt

diff --git a/.changelog/4066.txt b/.changelog/4066.txt
new file mode 100644
index 0000000000..9c1574f9b3
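Review bot: Both new `Capabilities` blocks only `Add` NET_BIND_SERVICE and drop nothing, so the injected sidecar still fails the restricted Pod Security Standard, which requires `Drop: ["ALL"]` and allows only NET_BIND_SERVICE to be re-added; adding `Drop: []corev1.Capability{"ALL"},` next to each `Add` keeps this fix while leaving the pod admissible in namespaces enforcing `restricted` (the linked technical-constraints note suggests the dataplane needs nothing else, but that is worth confirming). The capability literal and its two-line comment are copied verbatim into the if and else branches; a single local such as `netBindCaps := &corev1.Capabilities{Add: []corev1.Capability{"NET_BIND_SERVICE"}}` referenced from both would stop the copies drifting. In the OpenShift branch the container previously carried no SecurityContext at all, so the SCC admission plugin could shape it freely; now that it asserts an added capability, admission will reject the pod unless the SCC in effect lists NET_BIND_SERVICE as allowed, which I have not verified here and which deserves a comment on that branch. consulDataplaneSidecar starts before this hunk and its body continues after it.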
--- /dev/null
+++ b/.changelog/4066.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar
+```

From 531db20f35d93a152ac4c8feb35f5a4e336eb38f Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Tue, 4 Jun 2024 16:55:20 -0400
Subject: [PATCH 3/3] Update unit test assertions

---
 .../webhook/consul_dataplane_sidecar_test.go | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
index ae1f50e795..7d0cd26f27 100644
--- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
+++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
@@ -808,6 +808,9 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 RunAsNonRoot: pointer.Bool(true),
 ReadOnlyRootFilesystem: pointer.Bool(true),
 AllowPrivilegeEscalation: pointer.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{"NET_BIND_SERVICE"},
+ },
 },
 },
 "tproxy enabled; openshift disabled": {
@@ -819,12 +822,19 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 RunAsNonRoot: pointer.Bool(true),
 ReadOnlyRootFilesystem: pointer.Bool(true),
 AllowPrivilegeEscalation: pointer.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{"NET_BIND_SERVICE"},
+ },
 },
 },
 "tproxy disabled; openshift enabled": {
- tproxyEnabled: false,
- openShiftEnabled: true,
- expSecurityContext: nil,
+ tproxyEnabled: false,
+ openShiftEnabled: true,
+ expSecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{"NET_BIND_SERVICE"},
+ },
+ },
 },
 "tproxy enabled; openshift enabled": {
 tproxyEnabled: true,
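Review bot: The expected `Capabilities` literal is now pasted verbatim into every case of this table (the two hunks here and the one that follows), so any later change to the injected capability set, such as adding a `Drop`, has to be edited in four places or the cases silently diverge. A single package-level `var expNetBindCaps = &corev1.Capabilities{Add: []corev1.Capability{"NET_BIND_SERVICE"}}` referenced from each `expSecurityContext` would keep them in lockstep. The `"tproxy disabled; openshift enabled"` case also deserves a one-line comment recording why a non-nil context is now expected on OpenShift, since the old `nil` expectation was deliberate. TestHandlerConsulDataplaneSidecar_withSecurityContext starts before this hunk and continues after it.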
@@ -835,6 +845,9 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 RunAsNonRoot: pointer.Bool(true),
 ReadOnlyRootFilesystem: pointer.Bool(true),
 AllowPrivilegeEscalation: pointer.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{"NET_BIND_SERVICE"},
+ },
 },
 },
 }