Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Do not set securityContext on Openshift < 4.11 #2678

Merged
merged 3 commits into from
Jul 31, 2023
Merged

Do not set securityContext on Openshift < 4.11 #2678

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6eb768c
Do not set securityContext on Openshift < 4.11
Jul 25, 2023
fd09d18
Add changelog
Jul 27, 2023
eddc97e
Add unit test
Jul 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .changelog/2678.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:improvement
helm: do not set container securityContexts by default on OpenShift < 4.11
```
18 changes: 17 additions & 1 deletion charts/consul/templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,23 @@ as well as the global.name setting.
{{- end -}}
{{- end -}}


{{- define "consul.restrictedSecurityContext" -}}
{{- if not .Values.global.enablePodSecurityPolicies -}}
{{/*
To be compatible with the 'restricted' Pod Security Standards profile, we
should set this securityContext on containers whenever possible.

In OpenShift < 4.11 the restricted SCC disallows setting most of these fields,
so we do not set any for simplicity (and because that's how it was configured
prior to adding restricted PSA support here). In OpenShift >= 4.11, the new
restricted-v2 SCC allows setting these in the securityContext, and by setting
them we avoid PSA warnings that are enabled by default.

We use the K8s version as a proxy for the OpenShift version because there is a
1:1 mapping of versions. OpenShift 4.11 corresponds to K8s 1.24.x.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure of a better way to check for OpenShift version. As far as we know and based on their docs (requires login 😞 ), there's a 1:1 mapping between OpenShift and Kube versions so I think this should be okay.

OpenShift Version Kubernetes Version
4.9 1.22
4.10 1.23
4.11 1.24
4.12 1.25
4.13 1.26

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am also unsure how to unit test this (without actually installing different kubectl / kube versions)

Copy link
Contributor Author

@pglass pglass Jul 27, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, there is helm template --kube-version.

$ helm template -h | grep kube-version
      --kube-version string                        Kubernetes version used for Capabilities.KubeVersion

I'll add a unit test which uses --kube-version to validate this. edit: Done!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pglass added OpenShift versions here for future reference: hashicorp/consul#18307

*/}}
{{- if (or (not .Values.global.openshift.enabled) (and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "24"))) -}}
securityContext:
allowPrivilegeEscalation: false
capabilities:
Expand All @@ -25,11 +40,12 @@ securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- end -}}
{{- if not .Values.global.openshift.enabled -}}
{{/*
We must set runAsUser or else the root user will be used in some cases and
containers will fail to start due to runAsNonRoot above (e.g.
tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100
tls-init-cleanup). On OpenShift, runAsUser is set automatically. We pick user 100
because it is a non-root user id that exists in the consul, consul-dataplane,
and consul-k8s-control-plane images.
*/}}
Expand Down
18 changes: 17 additions & 1 deletion charts/consul/test/unit/server-statefulset.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -846,9 +846,11 @@ load _helpers
#--------------------------------------------------------------------
# global.openshift.enabled

@test "server/StatefulSet: restricted container securityContexts are set when global.openshift.enabled=true" {
@test "server/StatefulSet: restricted container securityContexts are set when global.openshift.enabled=true on OpenShift >= 4.11" {
cd `chart_dir`
# OpenShift 4.11 == Kube 1.24
local manifest=$(helm template \
--kube-version '1.24' \
-s templates/server-statefulset.yaml \
--set 'global.openshift.enabled=true' \
. | tee /dev/stderr)
Expand All @@ -870,6 +872,20 @@ load _helpers
[ "$equal" == "true" ]
}

@test "server/StatefulSet: restricted container securityContexts are not set when global.openshift.enabled=true on OpenShift < 4.11" {
cd `chart_dir`
# OpenShift 4.11 == Kube 1.24
local manifest=$(helm template \
--kube-version '1.23' \
-s templates/server-statefulset.yaml \
--set 'global.openshift.enabled=true' \
. | tee /dev/stderr)

# Check consul container
local actual=$(echo "$manifest" | yq -r '.spec.template.spec.containers | map(select(.name == "consul")) | .[0].securityContext')
[ "$actual" == "null" ]
}

#--------------------------------------------------------------------
# global.openshift.enabled = false

Expand Down