Backport of NET-5186 Add NET_BIND_SERVICE capability to Consul's rest…

…ricted securityContext into release/1.1.x (#2838) NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext (#2787) * Add NET_BIND_SERVICE capability to Consul's restricted securityContext * Add changelog entry * Update related bats tests * Change type of release note Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
hashicorp · Aug 25, 2023 · 9aaa391 · 9aaa391
1 parent d0c40c5
commit 9aaa391
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/.changelog/2787.txt b/.changelog/2787.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane
+```
diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
@@ -37,6 +37,8 @@ securityContext:
   capabilities:
     drop:
     - ALL
+    add:
+    - NET_BIND_SERVICE
   runAsNonRoot: true
   seccompProfile:
     type: RuntimeDefault

diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats
@@ -858,7 +858,8 @@ load _helpers
   local expected=$(echo '{
     "allowPrivilegeEscalation": false,
     "capabilities": {
-      "drop": ["ALL"]
+      "drop": ["ALL"],
+      "add": ["NET_BIND_SERVICE"]
     },
     "runAsNonRoot": true,
     "seccompProfile": {
@@ -898,7 +899,8 @@ load _helpers
   local expected=$(echo '{
     "allowPrivilegeEscalation": false,
     "capabilities": {
-      "drop": ["ALL"]
+      "drop": ["ALL"],
+      "add": ["NET_BIND_SERVICE"]
     },
     "runAsNonRoot": true,
     "seccompProfile": {