From c6b131f5cc4ed97e0c52a76af70530f6eed3349a Mon Sep 17 00:00:00 2001
From: Marc Barry <4965634+marc-barry@users.noreply.github.com>
Date: Thu, 22 Feb 2024 09:52:05 -0500
Subject: [PATCH] Allow for setting security context settings on the init container.

---
 api/v1/egress.go | 49 ++++++++++++++++++++++++++++-------
 config/webhook/configmap.yaml | 4 +++
 2 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/api/v1/egress.go b/api/v1/egress.go
index b6d4f5c..719261a 100644
--- a/api/v1/egress.go
+++ b/api/v1/egress.go
@@ -16,12 +16,6 @@ import (
 const INIT_IMAGE = "us-docker.pkg.dev/qpoint-edge/public/kubernetes-qtap-init"
 const QTAP_IMAGE = "us-docker.pkg.dev/qpoint-edge/public/qtap"
-var ( ROOT_USER int64 = 0 // The root user ROOT_GROUP int64 = 0 // The root group RUN_AS_NON_ROOT = false
-)
-
 func MutateEgress(pod *corev1.Pod, config *Config) error {
 // fetch the init image tag
 tag := config.GetAnnotation("qtap-init-tag")
@@ -36,13 +30,48 @@ func MutateEgress(pod *corev1.Pod, config *Config) error {
 Add: []corev1.Capability{"NET_ADMIN"},
 },
 // The init container needs to run as root as it modifies the network
- // for the pod
- RunAsUser: &ROOT_USER,
- RunAsGroup: &ROOT_GROUP,
- RunAsNonRoot: &RUN_AS_NON_ROOT, // Allow running as root
+ // for the pod. Sometimes it also requires privileged depending on the
+ // security within the cluster. See annotations below which allow for
+ // setting the running user and group and other settings.
 },
 }
 
+ // SecurityContext RunAsUser
+ if runAsUser := config.GetAnnotation("qtap-init-run-as-user"); runAsUser != "" {
+ i, err := strconv.ParseInt(runAsUser, 10, 64)
+ if err != nil {
+ return fmt.Errorf("conversion error: %w", err)
+ }
+ initContainer.SecurityContext.RunAsUser = &i
+ }
+
+ // SecurityContext RunAsGroup
+ if runAsGroup := config.GetAnnotation("qtap-init-run-as-group"); runAsGroup != "" {
+ i, err := strconv.ParseInt(runAsGroup, 10, 64)
+ if err != nil {
+ return fmt.Errorf("conversion error: %w", err)
+ }
+ initContainer.SecurityContext.RunAsGroup = &i
+ }
+
+ // SecurityContext RunAsNonRoot
+ if runAsNonRoot := config.GetAnnotation("qtap-init-run-as-non-root"); runAsNonRoot != "" {
+ b, err := strconv.ParseBool(runAsNonRoot)
+ if err != nil {
+ return fmt.Errorf("conversion error: %w", err)
+ }
+ initContainer.SecurityContext.RunAsNonRoot = &b
+ }
+
+ // SecurityContext Privileged
+ if privileged := config.GetAnnotation("qtap-init-run-as-privileged"); privileged != "" {
+ b, err := strconv.ParseBool(privileged)
+ if err != nil {
+ return fmt.Errorf("conversion error: %w", err)
+ }
+ initContainer.SecurityContext.Privileged = &b
+ }
+
 // TO_ADDR
 if toAddr := config.GetAnnotation("qtap-init-egress-to-addr"); toAddr != "" {
 initContainer.Env = append(initContainer.Env, corev1.EnvVar{
diff --git a/config/webhook/configmap.yaml b/config/webhook/configmap.yaml
index 49aed46..f2445ff 100644
--- a/config/webhook/configmap.yaml
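Review bot: The four annotations are parsed independently, so a contradictory pair such as `qtap-init-run-as-non-root: "true"` together with `qtap-init-run-as-user: "0"` (the value the configmap in this same commit defaults to) passes the webhook and is only refused by the kubelet when the init container is created, surfacing as a pod that never starts rather than as an admission error; a cross-check after the Privileged block (below) fails fast with a message that names the annotations. `strconv.ParseInt` also accepts negative values, which the API server rejects for runAsUser/runAsGroup, so an `if i < 0 { return fmt.Errorf("qtap-init-run-as-user must be >= 0, got %d", i) }` after each parse (and naming the annotation in the four identical `conversion error` messages, e.g. `fmt.Errorf("parsing annotation qtap-init-run-as-user %q: %w", runAsUser, err)`) makes a rejected pod diagnosable. The hunk also changes behaviour when no annotation is set: RunAsUser/RunAsGroup/RunAsNonRoot are now nil instead of the old root/0/false, so the init container inherits the pod-level securityContext and a pod with `runAsNonRoot: true` will no longer get the root it needs for NET_ADMIN unless the new configmap defaults are deployed — the "See annotations below" comment should state that the root defaults now come from the webhook configmap. If `config.GetAnnotation` consults pod annotations (not visible here), `qtap-init-run-as-privileged` lets a workload author request a privileged init container through the webhook, leaving Pod Security Admission or an equivalent policy as the only gate, which the comment above the Privileged block should say explicitly. MutateEgress starts before and continues after this hunk.
```go
// … unchanged: parsing of qtap-init-run-as-user / -group / -non-root / -privileged …
sc := initContainer.SecurityContext
if sc.RunAsNonRoot != nil && *sc.RunAsNonRoot && sc.RunAsUser != nil && *sc.RunAsUser == 0 {
	return fmt.Errorf("qtap-init-run-as-non-root is true but qtap-init-run-as-user is 0: the kubelet would refuse to start the init container")
}
// … unchanged: TO_ADDR …
```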
+++ b/config/webhook/configmap.yaml
@@ -22,6 +22,10 @@ data:
 annotations.yaml: |
 qpoint.io/inject-ca: "true"
 qpoint.io/qtap-init-tag: "v0.0.8"
+ qpoint.io/qtap-init-run-as-user: "0"
+ qpoint.io/qtap-init-run-as-group: "0"
+ qpoint.io/qtap-init-run-as-non-root: "false"
+ qpoint.io/qtap-init-run-as-privileged: "false"
 qpoint.io/qtap-tag: "v0.0.15"
 qpoint.io/qtap-init-egress-port-mapping: "10080:80,10443:443"
 qpoint.io/qtap-init-egress-accept-uids: "1010"
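Review bot: The four new keys reproduce the previously hard-coded root settings (user 0, group 0, non-root false) as webhook defaults, but nothing in the file says that they are what the init container needs or when an operator should change them; a comment line above `qpoint.io/qtap-init-run-as-user`, such as `# qtap-init must run as root (it adds NET_ADMIN and rewrites the pod's network); set run-as-privileged to "true" only where the cluster's runtime requires it`, would prevent someone "hardening" these to non-root and breaking injection. Whether a `#` comment inside the `annotations.yaml: |` block scalar is tolerated depends on how the webhook parses that string, which is not visible here; if it is parsed as YAML the comment is simply dropped. The annotations.yaml block extends beyond this hunk.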