Backport of Add NET_BIND_SERVICE to the security context in the deplo…

…yment of Mesh Gateway (NET-6463) into release/1.3.x (#3570) Add NET_BIND_SERVICE to the security context in the deployment of Mesh Gateway (NET-6463) (#3549)
hashicorp · Feb 7, 2024 · a01643b · a01643b
1 parent de4e333
commit a01643b
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/.changelog/3549.txt b/.changelog/3549.txt
@@ -0,0 +1,5 @@
+```release-note:bug
+mesh-gw: update capabilities on the security context needed for the dataplane container.
+Adds NET_BIND_SERVICE to capabilities.add
+Adds ALL to capabilities.drop unless .Values.meshGateway.hostNetwork is true
+```
diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml
@@ -183,6 +183,14 @@ spec:
       containers:
       - name: mesh-gateway
         image: {{ .Values.global.imageConsulDataplane | quote }}
+        securityContext:
+          capabilities:
+            {{ if not .Values.meshGateway.hostNetwork}}
+            drop:
+              - ALL
+            {{- end }}
+            add:
+              - NET_BIND_SERVICE
         {{- if .Values.meshGateway.resources }}
         resources:
             {{- if eq (typeOf .Values.meshGateway.resources) "string" }}

diff --git a/charts/consul/test/unit/mesh-gateway-deployment.bats b/charts/consul/test/unit/mesh-gateway-deployment.bats
@@ -1783,4 +1783,32 @@ key2: value2' \
   local actual=$(echo "$cmd" |
     yq 'any(contains("-log-level=warn"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
+}
+
+#--------------------------------------------------------------------
+# security context
+
+@test "meshGateway/Deployment: don't drop ALL capabilities when hostNetwork=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/mesh-gateway-deployment.yaml  \
+      --set 'meshGateway.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      --set 'meshGateway.hostNetwork=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].securityContext' | tee /dev/stderr)
+
+  [ $(echo "${actual}" | yq -r '.capabilities.drop | length') -eq 0 ]
+}
+
+@test "meshGateway/Deployment: drop ALL capabilities when hostNetwork!=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/mesh-gateway-deployment.yaml  \
+      --set 'meshGateway.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].securityContext' | tee /dev/stderr)
+
+  [ $(echo "${actual}" | yq -r '.capabilities.drop[0]') = "ALL" ]
 }