Merge pull request #15 from netfoundry/sidecar-security-context2

Sidecar security context2
netfoundry · Nov 19, 2024 · ae748de · ae748de
2 parents 293b095 + e6ecbb6
commit ae748de
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 14 deletions.
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -617,6 +617,8 @@ jobs:
           do
             curl -s -X GET http://productpage.ziti:9080/productpage?u=test | grep reviews >> testcase_curl_output.log
           done
+          cat testcase_curl_output.log
+          cat testcase_pods.log
           test/verify_test_results.py
           kubectl logs `kubectl get pods -n ziti --context  $AWS_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context  $AWS_CLUSTER
           kubectl logs `kubectl get pods -n ziti --context  $GKE_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context  $GKE_CLUSTER
@@ -647,6 +649,8 @@ jobs:
           do
             curl -s -X GET http://productpage.ziti:9080/productpage?u=test | grep reviews >> testcase_curl_output.log
           done
+          cat testcase_curl_output.log
+          cat testcase_pods.log
           test/verify_test_results.py
           kubectl logs `kubectl get pods -n ziti --context  $AWS_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context  $AWS_CLUSTER
           kubectl logs `kubectl get pods -n ziti --context  $GKE_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context  $GKE_CLUSTER

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,22 @@
+# Changelog
+
+All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+
+## [0.1.1] - 2024-09-27
+
+- Updated the security context of the sidecar container
+
+  ```shell
+  Capabilities: &corev1.Capabilities{
+    Add:  []corev1.Capability{"NET_ADMIN", "NET_BIND_SERVICE"},
+    Drop: []corev1.Capability{"ALL"},
+  },
+  RunAsUser:  &rootUser, (deafault = true)
+  Privileged: &isPrivileged, (default = false)
+  ```
+
+## [0.1.0] - 2024-08-08
+
+- Added initial code.
+
diff --git a/ziti-agent/cmd/common/version.go b/ziti-agent/cmd/common/version.go
@@ -6,7 +6,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var Version = "0.1.0"
+var Version = "0.1.1"
 
 func NewVersionCmd() *cobra.Command {
 	return &cobra.Command{

diff --git a/ziti-agent/cmd/webhook/pods.go b/ziti-agent/cmd/webhook/pods.go
@@ -12,12 +12,12 @@ import (
 	k "github.com/netfoundry/ziti-k8s-agent/ziti-agent/kubernetes"
 	ze "github.com/netfoundry/ziti-k8s-agent/ziti-agent/ziti-edge"
 
-	"github.com/google/uuid"
 	"github.com/openziti/edge-api/rest_management_api_client"
 	"github.com/openziti/sdk-golang/ziti"
 	admissionv1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
 )
 
@@ -71,7 +71,7 @@ func zitiTunnel(ar admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
 			return failureResponse(reviewResponse, err)
 		}
 
-		identityCfg, sidecarIdentityName, err := createAndEnrollIdentity(pod.Labels["app"], roles, zec)
+		identityCfg, sidecarIdentityName, err := createAndEnrollIdentity(pod.Labels["app"], ar.Request.UID, roles, zec)
 		if identityCfg == nil {
 			return failureResponse(reviewResponse, err)
 		}
@@ -146,17 +146,26 @@ func zitiTunnel(ar admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
 		var patch []JsonPatchEntry
 		var rootUser int64 = 0
 		var isNotTrue bool = false
+		var isPrivileged = false
 		var sidecarSecurityContext *corev1.SecurityContext
 
 		sidecarSecurityContext = &corev1.SecurityContext{
-			Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_ADMIN"}},
+			Capabilities: &corev1.Capabilities{
+				Add:  []corev1.Capability{"NET_ADMIN", "NET_BIND_SERVICE"},
+				Drop: []corev1.Capability{"ALL"},
+			},
+			RunAsUser:  &rootUser,
+			Privileged: &isPrivileged,
 		}
 
 		if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.RunAsUser != nil {
-			// run sidecar as root
 			sidecarSecurityContext = &corev1.SecurityContext{
-				Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_ADMIN"}},
-				RunAsUser:    &rootUser,
+				Capabilities: &corev1.Capabilities{
+					Add:  []corev1.Capability{"NET_ADMIN", "NET_BIND_SERVICE"},
+					Drop: []corev1.Capability{"ALL"},
+				},
+				RunAsUser:  &rootUser,
+				Privileged: &isPrivileged,
 			}
 		}
 
@@ -328,13 +337,9 @@ func hasContainer(containers []corev1.Container, containerName string) (string,
 	return "", false
 }
 
-func createSidecarIdentityName(appName string) string {
-	id, _ := uuid.NewV7()
-	return fmt.Sprintf("%s-%s%s", trimString(appName), sidecarPrefix, id)
-}
+func createAndEnrollIdentity(name string, uid types.UID, roles []string, zec *rest_management_api_client.ZitiEdgeManagement) (*ziti.Config, string, error) {
 
-func createAndEnrollIdentity(name string, roles []string, zec *rest_management_api_client.ZitiEdgeManagement) (*ziti.Config, string, error) {
-	identityName := createSidecarIdentityName(name)
+	identityName := fmt.Sprintf("%s-%s%s", trimString(name), sidecarPrefix, uid)
 
 	identityDetails, err := ze.CreateIdentity(identityName, roles, "Device", zec)
 	if err != nil {

diff --git a/ziti-agent/cmd/webhook/webhook.go b/ziti-agent/cmd/webhook/webhook.go
@@ -92,7 +92,7 @@ func serve(w http.ResponseWriter, r *http.Request, admit admitHandler) {
 		responseAdmissionReview.Response.UID = requestedAdmissionReview.Request.UID
 		responseObj = responseAdmissionReview
 
-		klog.Infof(fmt.Sprintf("Admission Response v1: %s", responseObj))
+		klog.Infof(fmt.Sprintf("Admission Response UID: %s", responseAdmissionReview.Response.UID))
 
 	case admissionv1.SchemeGroupVersion.WithKind("AdmissionReview"):
 		requestedAdmissionReview, ok := obj.(*admissionv1.AdmissionReview)