Add `NET_RAW` capability to the proxy-init container (#2969)

Also, update control plane PSP to match linkerd/website#94

Signed-off-by: Ivan Sim <ivan@buoyant.io>
Ivan Sim 2019-06-19 19:34:37 -07:00 committed by GitHub
parent bd7d567fe1
commit e2e976cce9
35 changed files with 293 additions and 64 deletions


@ -14,19 +14,34 @@ spec:
{{- if not .NoInitContainer }}
allowedCapabilities:
- NET_ADMIN
- NET_RAW
{{- end}}
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: RunAsAny
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
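Review bot: The `allowedCapabilities` list now grants NET_RAW in addition to NET_ADMIN to every pod admitted under this policy, but nothing in the template records why the init container needs both, so a later reviewer cannot tell whether either could be removed again; a comment above `allowedCapabilities:` such as `# proxy-init needs NET_ADMIN and NET_RAW to install its iptables redirect rules` keeps that rationale next to the grant. The `{{- if not .NoInitContainer }}` guard correctly withholds the grant when no init container is injected. Note also that `supplementalGroups` and `fsGroup` are tightened to `MustRunAs` over 1–65535 while `runAsUser` stays `RunAsAny`; if that asymmetry is deliberate (the injected proxy-init elsewhere in this commit carries `runAsNonRoot: false`), a one-line comment on `runAsUser` would stop it being "fixed" in a later cleanup. The PodSecurityPolicy spec begins before this hunk.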


@ -136,6 +136,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -136,6 +136,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -285,6 +286,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -136,6 +136,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -147,6 +147,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -307,6 +308,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -467,6 +469,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -627,6 +630,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -147,6 +147,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -166,6 +166,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -147,6 +147,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -307,6 +308,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -153,6 +153,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -147,6 +147,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -147,6 +147,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -147,6 +147,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -148,6 +148,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -148,6 +148,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -149,6 +149,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -149,6 +149,7 @@ items:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -303,6 +304,7 @@ items:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -149,6 +149,7 @@ items:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -303,6 +304,7 @@ items:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -130,6 +130,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -136,6 +136,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -147,6 +147,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -149,6 +149,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -311,6 +312,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -439,18 +439,33 @@ spec:
readOnlyRootFilesystem: true
allowedCapabilities:
- NET_ADMIN
- NET_RAW
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: RunAsAny
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role


@ -218,6 +218,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -473,6 +474,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -679,6 +681,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -975,6 +978,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1234,6 +1238,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1430,6 +1435,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1654,6 +1660,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1853,6 +1860,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -439,18 +439,33 @@ spec:
readOnlyRootFilesystem: true
allowedCapabilities:
- NET_ADMIN
- NET_RAW
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: RunAsAny
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@ -718,6 +733,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -973,6 +989,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1179,6 +1196,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1475,6 +1493,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1734,6 +1753,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1930,6 +1950,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2154,6 +2175,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2353,6 +2375,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -439,18 +439,33 @@ spec:
readOnlyRootFilesystem: true
allowedCapabilities:
- NET_ADMIN
- NET_RAW
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: RunAsAny
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@ -724,6 +739,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -988,6 +1004,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1200,6 +1217,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1502,6 +1520,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1767,6 +1786,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1969,6 +1989,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2199,6 +2220,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2404,6 +2426,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -439,18 +439,33 @@ spec:
readOnlyRootFilesystem: true
allowedCapabilities:
- NET_ADMIN
- NET_RAW
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: RunAsAny
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@ -724,6 +739,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -988,6 +1004,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1200,6 +1217,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1502,6 +1520,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1767,6 +1786,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1969,6 +1989,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2199,6 +2220,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2404,6 +2426,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -437,18 +437,32 @@ metadata:
spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: RunAsAny
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role


@ -439,18 +439,33 @@ spec:
readOnlyRootFilesystem: true
allowedCapabilities:
- NET_ADMIN
- NET_RAW
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: RunAsAny
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@ -686,6 +701,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -906,6 +922,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1077,6 +1094,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1338,6 +1356,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1562,6 +1581,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1723,6 +1743,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1912,6 +1933,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2076,6 +2098,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -439,18 +439,33 @@ spec:
readOnlyRootFilesystem: true
allowedCapabilities:
- NET_ADMIN
- NET_RAW
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: RunAsAny
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@ -719,6 +734,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -975,6 +991,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1182,6 +1199,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1479,6 +1497,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1739,6 +1758,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1936,6 +1956,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2161,6 +2182,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2361,6 +2383,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -439,18 +439,33 @@ spec:
readOnlyRootFilesystem: true
allowedCapabilities:
- NET_ADMIN
- NET_RAW
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: RunAsAny
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@ -725,6 +740,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -990,6 +1006,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1203,6 +1220,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1506,6 +1524,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1772,6 +1791,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -1975,6 +1995,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2206,6 +2227,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
@ -2412,6 +2434,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -55,7 +55,8 @@
"securityContext": {
"capabilities": {
"add": [
"NET_ADMIN"
"NET_ADMIN",
"NET_RAW"
]
},
"privileged": false,


@ -71,15 +71,19 @@ const (
proxyInitResourceLimitMemory = "50Mi"
)
var injectableKinds = []string{
k8s.DaemonSet,
k8s.Deployment,
k8s.Job,
k8s.Pod,
k8s.ReplicaSet,
k8s.ReplicationController,
k8s.StatefulSet,
}
var (
injectableKinds = []string{
k8s.DaemonSet,
k8s.Deployment,
k8s.Job,
k8s.Pod,
k8s.ReplicaSet,
k8s.ReplicationController,
k8s.StatefulSet,
}
proxyInitDefaultCapabilities = []corev1.Capability{"NET_ADMIN", "NET_RAW"}
)
// Origin defines where the input YAML comes from. Refer the ResourceConfig's
// 'origin' field
@ -618,13 +622,14 @@ func (conf *ResourceConfig) injectProxyInit(patch *Patch, saVolumeMount *corev1.
capabilities := &corev1.Capabilities{}
if conf.pod.spec.Containers != nil && len(conf.pod.spec.Containers) > 0 {
if sc := conf.pod.spec.Containers[0].SecurityContext; sc != nil && sc.Capabilities != nil {
capabilities = sc.Capabilities
capabilities.Add = sc.Capabilities.Add
capabilities.Drop = sc.Capabilities.Drop
}
}
if capabilities.Add == nil {
capabilities.Add = []corev1.Capability{}
}
capabilities.Add = append(capabilities.Add, corev1.Capability("NET_ADMIN"))
capabilities.Add = append(capabilities.Add, proxyInitDefaultCapabilities...)
var (
nonRoot = false
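Review bot: The `Drop` list inherited from `Containers[0]` at `capabilities.Drop = sc.Capabilities.Drop` is carried over verbatim, so an app container that drops NET_ADMIN or NET_RAW (exactly what the old test fixture exercised with `Drop: {"NET_RAW"}`) yields an init container listing the same capability under both `add` and `drop`, and which side wins is then decided by the container runtime rather than stated by the injector. Filtering `proxyInitDefaultCapabilities` out of the inherited `Drop` list, or rejecting such a pod with an error, would make the outcome explicit and keep the test fixture change from merely sidestepping the case. Separately, `capabilities.Add = sc.Capabilities.Add` shares the app container's backing array, so the `append(capabilities.Add, proxyInitDefaultCapabilities...)` at the end can write into that slice's spare capacity; cloning the slice avoids it. `injectProxyInit` starts and ends outside the hunk.
```go
if sc := conf.pod.spec.Containers[0].SecurityContext; sc != nil && sc.Capabilities != nil {
	// clone so the append below can never write into the app container's slice
	capabilities.Add = append([]corev1.Capability(nil), sc.Capabilities.Add...)
	// never inherit a drop of a capability proxy-init itself requires
drop:
	for _, c := range sc.Capabilities.Drop {
		for _, d := range proxyInitDefaultCapabilities {
			if c == d {
				continue drop
			}
		}
		capabilities.Drop = append(capabilities.Drop, c)
	}
}
// … unchanged: nil Add initialisation and append of proxyInitDefaultCapabilities …
```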


@ -1,6 +1,7 @@
package inject
import (
"fmt"
"reflect"
"testing"
@ -506,8 +507,8 @@ func TestInjectPodSpec(t *testing.T) {
Name: "test-svc",
SecurityContext: &corev1.SecurityContext{
Capabilities: &corev1.Capabilities{
Add: []corev1.Capability{"NET_ADMIN", "SYS_TIME"},
Drop: []corev1.Capability{"NET_RAW"},
Add: []corev1.Capability{"SYS_TIME"},
Drop: []corev1.Capability{"SYS_ADMIN"},
},
},
}
@ -518,7 +519,8 @@ func TestInjectPodSpec(t *testing.T) {
conf.injectPodSpec(patch)
for _, actual := range patch.patchOps {
if actual.Op == "add" && actual.Path == "/spec/template/spec/containers/-" {
if actual.Op == "add" && (actual.Path == "/spec/template/spec/containers/-" ||
actual.Path == "/spec/template/spec/initContainers/-") {
container, ok := actual.Value.(*corev1.Container)
if !ok {
t.Fatal("Unexpected type assertion error")
@ -526,33 +528,34 @@ func TestInjectPodSpec(t *testing.T) {
for _, sidecar := range []string{k8s.ProxyContainerName, k8s.InitContainerName} {
if container.Name == sidecar {
if sc := container.SecurityContext; sc != nil {
if *sc.AllowPrivilegeEscalation {
t.Errorf("Expected %s's 'allowPrivilegeEscalation' to be false", sidecar)
}
t.Run(fmt.Sprintf(container.Name), func(t *testing.T) {
if sc := container.SecurityContext; sc != nil {
if *sc.AllowPrivilegeEscalation {
t.Errorf("Expected %s's 'allowPrivilegeEscalation' to be false", container.Name)
}
if !*sc.ReadOnlyRootFilesystem {
t.Errorf("Expected %s's 'readOnlyRootFilesystem' to be true", sidecar)
}
if !*sc.ReadOnlyRootFilesystem {
t.Errorf("Expected %s's 'readOnlyRootFilesystem' to be true", container.Name)
}
if *sc.RunAsUser != conf.proxyUID() {
t.Errorf("Expected %s's 'RunAsUser' to be %d", sidecar, conf.proxyUID())
}
if *sc.RunAsUser != conf.proxyUID() {
t.Errorf("Expected %s's 'RunAsUser' to be %d", container.Name, conf.proxyUID())
}
if !reflect.DeepEqual(sc.Capabilities.Add, testContainer.SecurityContext.Capabilities.Add) {
t.Errorf("Mismatch 'Add Capabilities' rules. Expected: %v, Actual: %v",
sc.Capabilities.Add,
testContainer.SecurityContext.Capabilities.Add)
}
expectedCapabilities := testContainer.SecurityContext.Capabilities
if container.Name == k8s.InitContainerName {
expectedCapabilities.Add = append(expectedCapabilities.Add, proxyInitDefaultCapabilities...)
}
if !reflect.DeepEqual(sc.Capabilities.Drop, testContainer.SecurityContext.Capabilities.Drop) {
t.Errorf("Mismatch 'Drop Capabilities' rules. Expected: %v, Actual: %v ",
sc.Capabilities.Drop,
testContainer.SecurityContext.Capabilities.Drop)
if !reflect.DeepEqual(sc.Capabilities, expectedCapabilities) {
t.Errorf("Mismatch 'Add Capabilities' rules. Expected: %v, Actual: %v",
expectedCapabilities,
sc.Capabilities.Add)
}
} else {
t.Errorf("Expected %s security context to be non-empty", container.Name)
}
} else {
t.Errorf("Expected %s security context to be non-empty", sidecar)
}
})
}
}
}
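Review bot: `expectedCapabilities := testContainer.SecurityContext.Capabilities` copies a pointer, so the following `expectedCapabilities.Add = append(...)` for the init container mutates the shared fixture, and the proxy container's comparison then passes or fails depending on which patch op the outer loop reaches first; build the expectation as a fresh value instead. The message on the `reflect.DeepEqual` mismatch prints the whole `expectedCapabilities` struct against `sc.Capabilities.Add`, so the two sides are not comparable when it fires; print `sc.Capabilities`. `t.Run(fmt.Sprintf(container.Name), ...)` passes a non-constant format string with no arguments, which `go vet` flags; `t.Run(container.Name, ...)` also removes the need for the newly added `fmt` import. `TestInjectPodSpec` starts before this hunk.
```go
t.Run(container.Name, func(t *testing.T) {
	// … unchanged: sc nil-check and the allowPrivilegeEscalation / readOnlyRootFilesystem / runAsUser assertions …
	// fresh value so the shared fixture is not mutated across patch ops
	expectedCapabilities := &corev1.Capabilities{
		Add:  append([]corev1.Capability(nil), testContainer.SecurityContext.Capabilities.Add...),
		Drop: testContainer.SecurityContext.Capabilities.Drop,
	}
	if container.Name == k8s.InitContainerName {
		expectedCapabilities.Add = append(expectedCapabilities.Add, proxyInitDefaultCapabilities...)
	}
	if !reflect.DeepEqual(sc.Capabilities, expectedCapabilities) {
		t.Errorf("Mismatch 'Capabilities' rules. Expected: %v, Actual: %v",
			expectedCapabilities,
			sc.Capabilities)
	}
```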


@ -112,6 +112,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false


@ -137,6 +137,7 @@ spec:
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false