Net 4414 remove anyuid openshift requirement (#4152)

Co-authored-by: Curt Bushko <cbushko@gmail.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

.changelog/4152.txt

@@ -0,0 +1,7 @@
+```release-note:improvement
+control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift.
+```
+
+```release-note:bug
+connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar
+```

acceptance/framework/consul/helm_cluster.go

@@ -550,7 +550,6 @@ func (h *HelmCluster) SetupConsulClient(t *testing.T, secure bool, release ...st
 					require.NoError(r, err)
 				}
 			})
-
 		}
 	}
 
@@ -702,47 +701,40 @@ func configureNamespace(t *testing.T, client kubernetes.Interface, cfg *config.T
 }
 
 // configureSCCs creates RoleBindings that bind the default service account to cluster roles
-// allowing access to the anyuid and privileged Security Context Constraints on OpenShift.
+// allowing access to the privileged Security Context Constraints on OpenShift.
 func configureSCCs(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) {
-	const anyuidClusterRole = "system:openshift:scc:anyuid"
 	const privilegedClusterRole = "system:openshift:scc:privileged"
-	anyuidRoleBinding := "anyuid-test"
 	privilegedRoleBinding := "privileged-test"
 
 	// A role binding to allow default service account in the installation namespace access to the SCCs.
-	{
-		for clusterRoleName, roleBindingName := range map[string]string{anyuidClusterRole: anyuidRoleBinding, privilegedClusterRole: privilegedRoleBinding} {
-			// Check if this cluster role binding already exists.
-			_, err := client.RbacV1().RoleBindings(namespace).Get(context.Background(), roleBindingName, metav1.GetOptions{})
-
-			if errors.IsNotFound(err) {
-				roleBinding := &rbacv1.RoleBinding{
-					ObjectMeta: metav1.ObjectMeta{
-						Name: roleBindingName,
-					},
-					Subjects: []rbacv1.Subject{
-						{
-							Kind:      rbacv1.ServiceAccountKind,
-							Name:      "default",
-							Namespace: namespace,
-						},
-					},
-					RoleRef: rbacv1.RoleRef{
-						Kind: "ClusterRole",
-						Name: clusterRoleName,
-					},
-				}
-
-				_, err = client.RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{})
-				require.NoError(t, err)
-			} else {
-				require.NoError(t, err)
-			}
+	// Check if this cluster role binding already exists.
+	_, err := client.RbacV1().RoleBindings(namespace).Get(context.Background(), privilegedRoleBinding, metav1.GetOptions{})
+
+	if errors.IsNotFound(err) {
+		roleBinding := &rbacv1.RoleBinding{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: privilegedRoleBinding,
+			},
+			Subjects: []rbacv1.Subject{
+				{
+					Kind:      rbacv1.ServiceAccountKind,
+					Name:      "default",
+					Namespace: namespace,
+				},
+			},
+			RoleRef: rbacv1.RoleRef{
+				Kind: "ClusterRole",
+				Name: privilegedClusterRole,
+			},
 		}
+
+		_, err = client.RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{})
+		require.NoError(t, err)
+	} else {
+		require.NoError(t, err)
 	}
 
 	helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
-		_ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), anyuidRoleBinding, metav1.DeleteOptions{})
 		_ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), privilegedRoleBinding, metav1.DeleteOptions{})
 	})
 }

acceptance/tests/api-gateway/api_gateway_kitchen_sink_test.go

@@ -142,6 +142,10 @@ func TestAPIGateway_KitchenSink(t *testing.T) {
 		checkStatusCondition(r, gateway.Status.Conditions, trueCondition("ConsulAccepted", "Accepted"))
 		require.Len(r, gateway.Status.Listeners, 2)
 
+		// http route checks
+		err = k8sClient.Get(context.Background(), types.NamespacedName{Name: "http-route", Namespace: "default"}, &httpRoute)
+		require.NoError(r, err)
+
 		require.EqualValues(r, int32(1), gateway.Status.Listeners[0].AttachedRoutes)
 		checkStatusCondition(r, gateway.Status.Listeners[0].Conditions, trueCondition("Accepted", "Accepted"))
 		checkStatusCondition(r, gateway.Status.Listeners[0].Conditions, falseCondition("Conflicted", "NoConflicts"))
@@ -152,10 +156,6 @@ func TestAPIGateway_KitchenSink(t *testing.T) {
 		// now we know we have an address, set it so we can use it
 		gatewayAddress = gateway.Status.Addresses[0].Value
 
-		// http route checks
-		err = k8sClient.Get(context.Background(), types.NamespacedName{Name: "http-route", Namespace: "default"}, &httpRoute)
-		require.NoError(r, err)
-
 		// check our finalizers
 		require.Len(r, httpRoute.Finalizers, 1)
 		require.EqualValues(r, gatewayFinalizer, httpRoute.Finalizers[0])

acceptance/tests/fixtures/bases/multiport-app/kustomization.yaml

@@ -7,5 +7,4 @@ resources:
   - secret.yaml
   - serviceaccount.yaml
   - psp-rolebinding.yaml
-  - anyuid-scc-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml

acceptance/tests/fixtures/bases/static-client/kustomization.yaml

@@ -6,5 +6,4 @@ resources:
   - service.yaml
   - serviceaccount.yaml
   - psp-rolebinding.yaml
-  - anyuid-scc-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml

acceptance/tests/fixtures/bases/static-server-https/kustomization.yaml

@@ -7,5 +7,4 @@ resources:
   - service.yaml
   - serviceaccount.yaml
   - psp-rolebinding.yaml
-  - anyuid-scc-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml

acceptance/tests/fixtures/bases/static-server-tcp/kustomization.yaml

@@ -7,5 +7,4 @@ resources:
   - serviceaccount.yaml
   - servicedefaults.yaml
   - psp-rolebinding.yaml
-  - anyuid-scc-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml

acceptance/tests/fixtures/bases/static-server/kustomization.yaml

@@ -6,5 +6,4 @@ resources:
   - service.yaml
   - serviceaccount.yaml
   - psp-rolebinding.yaml
-  - anyuid-scc-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml

acceptance/tests/fixtures/bases/v2-multiport-app/kustomization.yaml

@@ -7,5 +7,4 @@ resources:
   - secret.yaml
   - serviceaccount.yaml
   - psp-rolebinding.yaml
-  - anyuid-scc-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml

control-plane/api-gateway/gatekeeper/deployment.go

@@ -88,7 +88,7 @@ func (g *Gatekeeper) deleteDeployment(ctx context.Context, gwName types.Namespac
 }
 
 func (g *Gatekeeper) deployment(gateway gwv1beta1.Gateway, gcc v1alpha1.GatewayClassConfig, config common.HelmConfig, currentReplicas *int32) (*appsv1.Deployment, error) {
-	initContainer, err := initContainer(config, gateway.Name, gateway.Namespace)
+	initContainer, err := g.initContainer(config, gateway.Name, gateway.Namespace)
 	if err != nil {
 		return nil, err
 	}

control-plane/api-gateway/gatekeeper/gatekeeper_test.go

@@ -29,6 +29,13 @@ import (
 	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 )
 
+const (
+	designatedOpenShiftUIDRange       = "1000700000/100000"
+	designatedOpenShiftGIDRange       = "1000700000/100000"
+	expectedOpenShiftInitContainerUID = 1000799999
+	expectedOpenShiftInitContainerGID = 1000799999
+)
+
 var (
 	createdAtLabelKey   = "gateway.consul.hashicorp.com/created"
 	createdAtLabelValue = "101010"
@@ -897,7 +904,23 @@ func TestUpsert(t *testing.T) {
 				EnableOpenShift: true,
 				ImageDataplane:  "hashicorp/consul-dataplane",
 			},
-			initialResources: resources{},
+			initialResources: resources{
+				namespaces: []*corev1.Namespace{
+					{
+						TypeMeta: metav1.TypeMeta{
+							APIVersion: "v1",
+							Kind:       "Namespace",
+						},
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "default",
+							Annotations: map[string]string{
+								constants.AnnotationOpenShiftUIDRange: designatedOpenShiftUIDRange,
+								constants.AnnotationOpenShiftGroups:   designatedOpenShiftGIDRange,
+							},
+						},
+					},
+				},
+			},
 			finalResources: resources{
 				deployments: []*appsv1.Deployment{
 					configureDeployment(name, namespace, labels, 3, nil, nil, "", "1"),
@@ -1193,6 +1216,16 @@ func validateResourcesExist(t *testing.T, client client.Client, helmConfig commo
 					assert.Equal(t, helmConfig.InitContainerResources.Limits, container.Resources.Limits)
 					assert.Equal(t, helmConfig.InitContainerResources.Requests, container.Resources.Requests)
 				}
+
+				require.NotNil(t, container.SecurityContext.RunAsUser)
+				require.NotNil(t, container.SecurityContext.RunAsGroup)
+				if helmConfig.EnableOpenShift {
+					assert.EqualValues(t, *container.SecurityContext.RunAsUser, expectedOpenShiftInitContainerUID)
+					assert.EqualValues(t, *container.SecurityContext.RunAsGroup, expectedOpenShiftInitContainerGID)
+				} else {
+					assert.EqualValues(t, *container.SecurityContext.RunAsUser, initContainersUserAndGroupID)
+					assert.EqualValues(t, *container.SecurityContext.RunAsGroup, initContainersUserAndGroupID)
+				}
 			}
 		}
 		assert.True(t, hasInitContainer)