diff --git a/api/v1/egress.go b/api/v1/egress.go
index b6d4f5c..719261a 100644
--- a/api/v1/egress.go
+++ b/api/v1/egress.go
@@ -16,12 +16,6 @@ import (
 const INIT_IMAGE = "us-docker.pkg.dev/qpoint-edge/public/kubernetes-qtap-init"
 const QTAP_IMAGE = "us-docker.pkg.dev/qpoint-edge/public/qtap"
 
-var (
- ROOT_USER int64 = 0 // The root user
- ROOT_GROUP int64 = 0 // The root group
- RUN_AS_NON_ROOT = false
-)
-
 func MutateEgress(pod *corev1.Pod, config *Config) error {
 // fetch the init image tag
 tag := config.GetAnnotation("qtap-init-tag")
@@ -36,13 +30,48 @@ func MutateEgress(pod *corev1.Pod, config *Config) error {
 Add: []corev1.Capability{"NET_ADMIN"},
 },
 // The init container needs to run as root as it modifies the network
- // for the pod
- RunAsUser: &ROOT_USER,
- RunAsGroup: &ROOT_GROUP,
- RunAsNonRoot: &RUN_AS_NON_ROOT, // Allow running as root
+ // for the pod. Sometimes it also requires privileged depending on the
+ // security within the cluster. See annotations below which allow for
+ // setting the running user and group and other settings.
 },
 }
 
+ // SecurityContext RunAsUser
+ if runAsUser := config.GetAnnotation("qtap-init-run-as-user"); runAsUser != "" {
+ i, err := strconv.ParseInt(runAsUser, 10, 64)
+ if err != nil {
+ return fmt.Errorf("conversion error: %w", err)
+ }
+ initContainer.SecurityContext.RunAsUser = &i
+ }
+
+ // SecurityContext RunAsGroup
+ if runAsGroup := config.GetAnnotation("qtap-init-run-as-group"); runAsGroup != "" {
+ i, err := strconv.ParseInt(runAsGroup, 10, 64)
+ if err != nil {
+ return fmt.Errorf("conversion error: %w", err)
+ }
+ initContainer.SecurityContext.RunAsGroup = &i
+ }
+
+ // SecurityContext RunAsNonRoot
+ if runAsNonRoot := config.GetAnnotation("qtap-init-run-as-non-root"); runAsNonRoot != "" {
+ b, err := strconv.ParseBool(runAsNonRoot)
+ if err != nil {
+ return fmt.Errorf("conversion error: %w", err)
+ }
+ initContainer.SecurityContext.RunAsNonRoot = &b
+ }
+
+ // SecurityContext Privileged
+ if privileged := config.GetAnnotation("qtap-init-run-as-privileged"); privileged != "" {
+ b, err := strconv.ParseBool(privileged)
+ if err != nil {
+ return fmt.Errorf("conversion error: %w", err)
+ }
+ initContainer.SecurityContext.Privileged = &b
+ }
+
 // TO_ADDR
 if toAddr := config.GetAnnotation("qtap-init-egress-to-addr"); toAddr != "" {
 initContainer.Env = append(initContainer.Env, corev1.EnvVar{
diff --git a/config/webhook/configmap.yaml b/config/webhook/configmap.yaml
index 49aed46..f2445ff 100644
--- a/config/webhook/configmap.yaml
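Review bot: The four identical `conversion error: %w` returns in the new annotation parsing blocks do not say which annotation held the bad value, so a rejected pod cannot be traced back to the offending key from the webhook's error; name the key and the raw value in each, e.g. `return fmt.Errorf("parsing annotation qtap-init-run-as-user %q: %w", runAsUser, err)`. Removing the explicit `RunAsUser`/`RunAsGroup`/`RunAsNonRoot` assignments also changes behaviour when an annotation is absent: those fields are now nil and the init container inherits the pod-level securityContext, so a pod that sets `runAsNonRoot: true` gets an init container that, per the comment kept at the top of this hunk, needs root, and the defaults added to config/webhook/configmap.yaml in the next hunk only restore the old behaviour for as long as an operator keeps them. The new `qtap-init-run-as-privileged` annotation turns a string into a privileged container, and where `config.GetAnnotation` sources its values is not visible here; if pod annotations are honoured, a workload author able to annotate a pod can obtain a privileged init container from the webhook, so this setting should be gated on a cluster-level allow flag or at minimum logged at injection time. `strconv.ParseInt` also accepts negative values for the user and group, which the API server rejects later with a less specific message; an `if i < 0` check next to each parse would fail early with a clear reason. MutateEgress starts in the previous hunk and its body continues past this one.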
+++ b/config/webhook/configmap.yaml
@@ -22,6 +22,10 @@ data:
 annotations.yaml: |
 qpoint.io/inject-ca: "true"
 qpoint.io/qtap-init-tag: "v0.0.8"
+ qpoint.io/qtap-init-run-as-user: "0"
+ qpoint.io/qtap-init-run-as-group: "0"
+ qpoint.io/qtap-init-run-as-non-root: "false"
+ qpoint.io/qtap-init-run-as-privileged: "false"
 qpoint.io/qtap-tag: "v0.0.15"
 qpoint.io/qtap-init-egress-port-mapping: "10080:80,10443:443"
 qpoint.io/qtap-init-egress-accept-uids: "1010"