Allow for setting security context settings on the init container.

qpoint-io · Feb 22, 2024 · c6b131f · c6b131f
1 parent af0c12e
commit c6b131f
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 10 deletions.
diff --git a/api/v1/egress.go b/api/v1/egress.go
@@ -16,12 +16,6 @@ import (
 const INIT_IMAGE = "us-docker.pkg.dev/qpoint-edge/public/kubernetes-qtap-init"
 const QTAP_IMAGE = "us-docker.pkg.dev/qpoint-edge/public/qtap"
 
-var (
-	ROOT_USER       int64 = 0 // The root user
-	ROOT_GROUP      int64 = 0 // The root group
-	RUN_AS_NON_ROOT       = false
-)
-
 func MutateEgress(pod *corev1.Pod, config *Config) error {
 	// fetch the init image tag
 	tag := config.GetAnnotation("qtap-init-tag")
@@ -36,13 +30,48 @@ func MutateEgress(pod *corev1.Pod, config *Config) error {
 				Add: []corev1.Capability{"NET_ADMIN"},
 			},
 			// The init container needs to run as root as it modifies the network
-			// for the pod
-			RunAsUser:    &ROOT_USER,
-			RunAsGroup:   &ROOT_GROUP,
-			RunAsNonRoot: &RUN_AS_NON_ROOT, // Allow running as root
+			// for the pod. Sometimes it also requires privileged depending on the
+			// security within the cluster. See annotations below which allow for
+			// setting the running user and group and other settings.
 		},
 	}
 
+	// SecurityContext RunAsUser
+	if runAsUser := config.GetAnnotation("qtap-init-run-as-user"); runAsUser != "" {
+		i, err := strconv.ParseInt(runAsUser, 10, 64)
+		if err != nil {
+			return fmt.Errorf("conversion error: %w", err)
+		}
+		initContainer.SecurityContext.RunAsUser = &i
+	}
+
+	// SecurityContext RunAsGroup
+	if runAsGroup := config.GetAnnotation("qtap-init-run-as-group"); runAsGroup != "" {
+		i, err := strconv.ParseInt(runAsGroup, 10, 64)
+		if err != nil {
+			return fmt.Errorf("conversion error: %w", err)
+		}
+		initContainer.SecurityContext.RunAsGroup = &i
+	}
+
+	// SecurityContext RunAsNonRoot
+	if runAsNonRoot := config.GetAnnotation("qtap-init-run-as-non-root"); runAsNonRoot != "" {
+		b, err := strconv.ParseBool(runAsNonRoot)
+		if err != nil {
+			return fmt.Errorf("conversion error: %w", err)
+		}
+		initContainer.SecurityContext.RunAsNonRoot = &b
+	}
+
+	// SecurityContext Privileged
+	if privileged := config.GetAnnotation("qtap-init-run-as-privileged"); privileged != "" {
+		b, err := strconv.ParseBool(privileged)
+		if err != nil {
+			return fmt.Errorf("conversion error: %w", err)
+		}
+		initContainer.SecurityContext.Privileged = &b
+	}
+
 	// TO_ADDR
 	if toAddr := config.GetAnnotation("qtap-init-egress-to-addr"); toAddr != "" {
 		initContainer.Env = append(initContainer.Env, corev1.EnvVar{

diff --git a/config/webhook/configmap.yaml b/config/webhook/configmap.yaml
@@ -22,6 +22,10 @@ data:
   annotations.yaml: |
     qpoint.io/inject-ca: "true"
     qpoint.io/qtap-init-tag: "v0.0.8"
+    qpoint.io/qtap-init-run-as-user: "0"
+    qpoint.io/qtap-init-run-as-group: "0"
+    qpoint.io/qtap-init-run-as-non-root: "false"
+    qpoint.io/qtap-init-run-as-privileged: "false"
     qpoint.io/qtap-tag: "v0.0.15"
     qpoint.io/qtap-init-egress-port-mapping: "10080:80,10443:443"
     qpoint.io/qtap-init-egress-accept-uids: "1010"