Skip to content

Net 4414 remove anyuid openshift requirement #4152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
missylbytes merged 39 commits into from
Jul 9, 2024
Merged

Net 4414 remove anyuid openshift requirement #4152

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
016d343
Remove SCC requirement for anyuid for OpenShift
curtbushko Mar 26, 2024
6fc6a2b
add changelog entry
curtbushko Mar 26, 2024
22f02da
fix linter
curtbushko Mar 26, 2024
6dacaee
Update with review comments
curtbushko Mar 27, 2024
b2c3b50
add some print statements
missylbytes Mar 27, 2024
da0ebc1
remove debug output from api gateway kitchen sink
curtbushko Mar 28, 2024
7f57d81
Reorganize if statement that is hard to understand
missylbytes Jun 25, 2024
0707f39
Updates Api Gateway to use the UID and GID given to it by Openshift
missylbytes Jun 26, 2024
c07c0eb
Reorg creation of security context for the webhook container init, no…
missylbytes Jun 26, 2024
cb7f671
Adds net_bind_service capability from https://github.com/hashicorp/co…
missylbytes Jun 26, 2024
0ae97a0
Reorganizes dataplane sidecar logic in webhook to be a bit more under…
missylbytes Jun 26, 2024
cd4a687
Adds tests for NET_BIND_SERVICE from here: https://github.com/hashico…
missylbytes Jun 26, 2024
e20ff5b
Adds changelog
missylbytes Jun 26, 2024
bfe7be8
Didn't reorg the dataplane sidecar in the webhook correctly
missylbytes Jun 26, 2024
1b74985
Fix dataplane sidecar test for webhook
missylbytes Jun 27, 2024
38387fe
Remove some formatting changes, making PR larger than it needs to be.
missylbytes Jun 27, 2024
16bb1de
Uses the Openshift IDs for gateway init container
missylbytes Jun 28, 2024
79a4b45
We only need to check the namespace annotations for Openshift
missylbytes Jun 28, 2024
22dad5e
Update test for Openshift to include namespace with annotations
missylbytes Jun 28, 2024
4ba20cd
Update test to actually test for UID and Group
missylbytes Jun 28, 2024
c06d654
Use separate user/group IDs for app, init + dataplane containers
nathancoleman Jul 3, 2024
0df7090
Merge branch 'main' into net-4414-remove-anyuid-openshift-requirement
missylbytes Jul 5, 2024
886badd
Will not work, worried power is going to go out.
missylbytes Jul 5, 2024
8df6652
Finishes updating Openshift get userIDs and groupIDs, still need to u…
missylbytes Jul 5, 2024
83abb12
Fix missing call updates for Openshift IDs
missylbytes Jul 5, 2024
7c0aedc
Rename function
missylbytes Jul 5, 2024
189f093
Need name of annotation, not value
missylbytes Jul 5, 2024
ab16a35
Fix bug in iptables config generation
nathancoleman Jul 5, 2024
5d715de
Skip dataplane + init containers when building list of application us…
nathancoleman Jul 5, 2024
fa695f7
Remove unused code + unnecessary function export
nathancoleman Jul 5, 2024
28a40fa
Use correct function for API gateway initi container UID
nathancoleman Jul 8, 2024
dd16651
Update gatekeeper tests for OpenShift
nathancoleman Jul 8, 2024
f087c92
Exclude init + dataplane containers based on image instead of name pr…
nathancoleman Jul 8, 2024
92bcb82
Updates Openshift and tests to test for dashes in ranges, and comma s…
missylbytes Jul 8, 2024
6a99515
Updated some tests
missylbytes Jul 8, 2024
a149661
Updated some tests
missylbytes Jul 8, 2024
d2f1b26
Updated sidecar tests
missylbytes Jul 8, 2024
4cf176a
Updated init container test and redirect traffic test for webhook
missylbytes Jul 8, 2024
636a8dd
Un-bump Go version
missylbytes Jul 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .changelog/4152.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
```release-note:improvement
control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift.
```

```release-note:bug
connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar
```
58 changes: 25 additions & 33 deletions acceptance/framework/consul/helm_cluster.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -526,7 +526,6 @@ func (h *HelmCluster) SetupConsulClient(t *testing.T, secure bool, release ...st
require.NoError(r, err)
}
})

}
}

Expand Down Expand Up @@ -678,47 +677,40 @@ func configureNamespace(t *testing.T, client kubernetes.Interface, cfg *config.T
}

// configureSCCs creates RoleBindings that bind the default service account to cluster roles
// allowing access to the anyuid and privileged Security Context Constraints on OpenShift.
// allowing access to the privileged Security Context Constraints on OpenShift.
func configureSCCs(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) {
const anyuidClusterRole = "system:openshift:scc:anyuid"
const privilegedClusterRole = "system:openshift:scc:privileged"
anyuidRoleBinding := "anyuid-test"
privilegedRoleBinding := "privileged-test"

// A role binding to allow default service account in the installation namespace access to the SCCs.
{
for clusterRoleName, roleBindingName := range map[string]string{anyuidClusterRole: anyuidRoleBinding, privilegedClusterRole: privilegedRoleBinding} {
// Check if this cluster role binding already exists.
_, err := client.RbacV1().RoleBindings(namespace).Get(context.Background(), roleBindingName, metav1.GetOptions{})

if errors.IsNotFound(err) {
roleBinding := &rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: roleBindingName,
},
Subjects: []rbacv1.Subject{
{
Kind: rbacv1.ServiceAccountKind,
Name: "default",
Namespace: namespace,
},
},
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",
Name: clusterRoleName,
},
}

_, err = client.RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{})
require.NoError(t, err)
} else {
require.NoError(t, err)
}
// Check if this cluster role binding already exists.
_, err := client.RbacV1().RoleBindings(namespace).Get(context.Background(), privilegedRoleBinding, metav1.GetOptions{})

if errors.IsNotFound(err) {
roleBinding := &rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: privilegedRoleBinding,
},
Subjects: []rbacv1.Subject{
{
Kind: rbacv1.ServiceAccountKind,
Name: "default",
Namespace: namespace,
},
},
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",
Name: privilegedClusterRole,
},
}

_, err = client.RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{})
require.NoError(t, err)
} else {
require.NoError(t, err)
}

helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
_ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), anyuidRoleBinding, metav1.DeleteOptions{})
_ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), privilegedRoleBinding, metav1.DeleteOptions{})
})
}
Expand Down
8 changes: 4 additions & 4 deletions acceptance/tests/api-gateway/api_gateway_kitchen_sink_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,10 @@ func TestAPIGateway_KitchenSink(t *testing.T) {
checkStatusCondition(r, gateway.Status.Conditions, trueCondition("ConsulAccepted", "Accepted"))
require.Len(r, gateway.Status.Listeners, 2)

// http route checks
err = k8sClient.Get(context.Background(), types.NamespacedName{Name: "http-route", Namespace: "default"}, &httpRoute)
require.NoError(r, err)

require.EqualValues(r, int32(1), gateway.Status.Listeners[0].AttachedRoutes)
checkStatusCondition(r, gateway.Status.Listeners[0].Conditions, trueCondition("Accepted", "Accepted"))
checkStatusCondition(r, gateway.Status.Listeners[0].Conditions, falseCondition("Conflicted", "NoConflicts"))
Expand All @@ -152,10 +156,6 @@ func TestAPIGateway_KitchenSink(t *testing.T) {
// now we know we have an address, set it so we can use it
gatewayAddress = gateway.Status.Addresses[0].Value

// http route checks
err = k8sClient.Get(context.Background(), types.NamespacedName{Name: "http-route", Namespace: "default"}, &httpRoute)
require.NoError(r, err)

// check our finalizers
require.Len(r, httpRoute.Finalizers, 1)
require.EqualValues(r, gatewayFinalizer, httpRoute.Finalizers[0])
Expand Down
26 changes: 0 additions & 26 deletions acceptance/tests/fixtures/bases/multiport-app/anyuid-scc-rolebinding.yaml
View file
Open in desktop

This file was deleted.

3 changes: 1 addition & 2 deletions acceptance/tests/fixtures/bases/multiport-app/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,4 @@ resources:
- secret.yaml
- serviceaccount.yaml
- psp-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
14 changes: 0 additions & 14 deletions acceptance/tests/fixtures/bases/static-client/anyuid-scc-rolebinding.yaml
View file
Open in desktop

This file was deleted.

3 changes: 1 addition & 2 deletions acceptance/tests/fixtures/bases/static-client/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,4 @@ resources:
- service.yaml
- serviceaccount.yaml
- psp-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
14 changes: 0 additions & 14 deletions acceptance/tests/fixtures/bases/static-server-https/anyuid-scc-rolebinding.yaml
View file
Open in desktop

This file was deleted.

3 changes: 1 addition & 2 deletions acceptance/tests/fixtures/bases/static-server-https/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,4 @@ resources:
- service.yaml
- serviceaccount.yaml
- psp-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
14 changes: 0 additions & 14 deletions acceptance/tests/fixtures/bases/static-server-tcp/anyuid-scc-rolebinding.yaml
View file
Open in desktop

This file was deleted.

3 changes: 1 addition & 2 deletions acceptance/tests/fixtures/bases/static-server-tcp/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,4 @@ resources:
- serviceaccount.yaml
- servicedefaults.yaml
- psp-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
14 changes: 0 additions & 14 deletions acceptance/tests/fixtures/bases/static-server/anyuid-scc-rolebinding.yaml
View file
Open in desktop

This file was deleted.

3 changes: 1 addition & 2 deletions acceptance/tests/fixtures/bases/static-server/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,4 @@ resources:
- service.yaml
- serviceaccount.yaml
- psp-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
26 changes: 0 additions & 26 deletions acceptance/tests/fixtures/bases/v2-multiport-app/anyuid-scc-rolebinding.yaml
View file
Open in desktop

This file was deleted.

3 changes: 1 addition & 2 deletions acceptance/tests/fixtures/bases/v2-multiport-app/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,4 @@ resources:
- secret.yaml
- serviceaccount.yaml
- psp-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
2 changes: 1 addition & 1 deletion control-plane/api-gateway/gatekeeper/deployment.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ func (g *Gatekeeper) deleteDeployment(ctx context.Context, gwName types.Namespac
}

func (g *Gatekeeper) deployment(gateway gwv1beta1.Gateway, gcc v1alpha1.GatewayClassConfig, config common.HelmConfig, currentReplicas *int32) (*appsv1.Deployment, error) {
initContainer, err := initContainer(config, gateway.Name, gateway.Namespace)
initContainer, err := g.initContainer(config, gateway.Name, gateway.Namespace)
if err != nil {
return nil, err
}
Expand Down
35 changes: 34 additions & 1 deletion control-plane/api-gateway/gatekeeper/gatekeeper_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,13 @@ import (
"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
)

const (
designatedOpenShiftUIDRange = "1000700000/100000"
designatedOpenShiftGIDRange = "1000700000/100000"
expectedOpenShiftInitContainerUID = 1000799999
expectedOpenShiftInitContainerGID = 1000799999
)

var (
createdAtLabelKey = "gateway.consul.hashicorp.com/created"
createdAtLabelValue = "101010"
Expand Down Expand Up @@ -929,7 +936,23 @@ func TestUpsert(t *testing.T) {
EnableOpenShift: true,
ImageDataplane: "hashicorp/consul-dataplane",
},
initialResources: resources{},
initialResources: resources{
namespaces: []*corev1.Namespace{
{
TypeMeta: metav1.TypeMeta{
APIVersion: "v1",
Kind: "Namespace",
},
ObjectMeta: metav1.ObjectMeta{
Name: "default",
Annotations: map[string]string{
constants.AnnotationOpenShiftUIDRange: designatedOpenShiftUIDRange,
constants.AnnotationOpenShiftGroups: designatedOpenShiftGIDRange,
},
},
},
},
},
finalResources: resources{
deployments: []*appsv1.Deployment{
configureDeployment(name, namespace, labels, 3, nil, nil, "", "1"),
Expand Down Expand Up @@ -1463,6 +1486,16 @@ func validateResourcesExist(t *testing.T, client client.Client, helmConfig commo
assert.Equal(t, helmConfig.InitContainerResources.Limits, container.Resources.Limits)
assert.Equal(t, helmConfig.InitContainerResources.Requests, container.Resources.Requests)
}

require.NotNil(t, container.SecurityContext.RunAsUser)
require.NotNil(t, container.SecurityContext.RunAsGroup)
if helmConfig.EnableOpenShift {
assert.EqualValues(t, *container.SecurityContext.RunAsUser, expectedOpenShiftInitContainerUID)
assert.EqualValues(t, *container.SecurityContext.RunAsGroup, expectedOpenShiftInitContainerGID)
} else {
assert.EqualValues(t, *container.SecurityContext.RunAsUser, initContainersUserAndGroupID)
assert.EqualValues(t, *container.SecurityContext.RunAsGroup, initContainersUserAndGroupID)
}
}
}
assert.True(t, hasInitContainer)
Expand Down
Loading