fix: 🙈 allow user to run proxy on priviledged ports

traefik · Nov 22, 2023 · 590f8f3 · 590f8f3
1 parent e81f716
commit 590f8f3
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 5 deletions.
diff --git a/traefikee/templates/proxy/deployment.yaml b/traefikee/templates/proxy/deployment.yaml
@@ -84,7 +84,7 @@ spec:
                 - NET_RAW
         - name: chown
           image: {{ template "traefikee-helm-chart.initContainer-image-name" . }}
-          command: ['chown', '-R', '65532:', '/var/lib/traefikee']
+          command: ['chown', '-R', '{{.Values.proxy.securityContext.runAsUser}}:', '/var/lib/traefikee']
           resources:
             requests:
               cpu: 10m
@@ -123,7 +123,8 @@ spec:
           {{- end }}
           securityContext:
             allowPrivilegeEscalation: false
-            runAsUser: 65532
+            runAsNonRoot: {{ if eq (int .Values.proxy.securityContext.runAsUser) 0 -}}false{{- else -}}true{{- end }}
+            runAsUser: {{ .Values.proxy.securityContext.runAsUser }}
             readOnlyRootFilesystem: true
             seccompProfile:
               type: RuntimeDefault
@@ -137,7 +138,7 @@ spec:
               name: distributed
           {{- range $port := .Values.proxy.ports }}
             {{- $containerPort := ($port.targetPort | default $port.port) }}
-            {{- if lt (int $containerPort) 1024 }}
+            {{- if and (lt (int $containerPort) 1024) (ne (int $.Values.proxy.securityContext.runAsUser) 0) }}
               {{ fail "ERROR: Cannot set a privileged port on a non-root container" }}
             {{- end }}
             - containerPort: {{ $containerPort }}

diff --git a/traefikee/tests/proxy_test.yaml b/traefikee/tests/proxy_test.yaml
@@ -273,7 +273,7 @@ tests:
               rollingUpdate:
                 maxUnavailable: 0
                 maxSurge: 1
-  - it: should fail when using ports < 1024
+  - it: should fail when using ports < 1024 for non-root users
     set:
       proxy:
         ports:
@@ -282,6 +282,36 @@ tests:
     asserts:
       - failedTemplate:
           errorMessage: "ERROR: Cannot set a privileged port on a non-root container"
+  - it: should be possible to run proxies as root (to specify elevated ports)
+    set:
+      proxy:
+        ports:
+          - name: http
+            port: 80
+        securityContext:
+          runAsUser: 0
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].ports
+          content:
+            containerPort: 80
+            name: http
+  - it: should give the rights on data to the right user (default)
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[1].command
+          value:
+            ['chown', '-R', '65532:', '/var/lib/traefikee']
+  - it: should give the rights on data to the right user
+    set:
+      proxy:
+        securityContext:
+          runAsUser: 0
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[1].command
+          value:
+            [ 'chown', '-R', '0:', '/var/lib/traefikee' ]
   - it: should be possible to change ports of deployments
     set:
       proxy:

diff --git a/traefikee/values.yaml b/traefikee/values.yaml
@@ -111,7 +111,7 @@ controller:
         traefik:
           address: ":9000"
         web:
-          address: ":7000"
+          address: ":7080"
         websecure:
           http:
             tls: {}
@@ -248,6 +248,8 @@ proxy:
       port: traefik
     initialDelaySeconds: 2
     periodSeconds: 5
+  securityContext:
+    runAsUser: 65532
 
 #  serviceLabels:
 #    foo: bar