
Merge pull request #26 from qpoint-io/marc-barry/privileged
Allow for setting security context settings on the init container.
marc-barry authored Feb 22, 2024
2 parents af0c12e + c6b131f commit 6d9b56d
Showing 2 changed files with 43 additions and 10 deletions.
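--- a/api/v1/egress.go
+++ b/api/v1/egress.go
@@ -16,12 +16,6 @@ import (
 const INIT_IMAGE = "us-docker.pkg.dev/qpoint-edge/public/kubernetes-qtap-init"
 const QTAP_IMAGE = "us-docker.pkg.dev/qpoint-edge/public/qtap"
 
-var (
-ROOT_USER int64 = 0 // The root user
-ROOT_GROUP int64 = 0 // The root group
-RUN_AS_NON_ROOT = false
-)
-
 func MutateEgress(pod *corev1.Pod, config *Config) error {
 // fetch the init image tag
 tag := config.GetAnnotation("qtap-init-tag")
@@ -36,13 +30,48 @@ func MutateEgress(pod *corev1.Pod, config *Config) error {
 Add: []corev1.Capability{"NET_ADMIN"},
 },
 // The init container needs to run as root as it modifies the network
-// for the pod
-RunAsUser: &ROOT_USER,
-RunAsGroup: &ROOT_GROUP,
-RunAsNonRoot: &RUN_AS_NON_ROOT, // Allow running as root
+// for the pod. Sometimes it also requires privileged depending on the
+// security within the cluster. See annotations below which allow for
+// setting the running user and group and other settings.
 },
 }
 
+// SecurityContext RunAsUser
+if runAsUser := config.GetAnnotation("qtap-init-run-as-user"); runAsUser != "" {
+i, err := strconv.ParseInt(runAsUser, 10, 64)
+if err != nil {
+return fmt.Errorf("conversion error: %w", err)
+}
+initContainer.SecurityContext.RunAsUser = &i
+}
+
+// SecurityContext RunAsGroup
+if runAsGroup := config.GetAnnotation("qtap-init-run-as-group"); runAsGroup != "" {
+i, err := strconv.ParseInt(runAsGroup, 10, 64)
+if err != nil {
+return fmt.Errorf("conversion error: %w", err)
+}
+initContainer.SecurityContext.RunAsGroup = &i
+}
+
+// SecurityContext RunAsNonRoot
+if runAsNonRoot := config.GetAnnotation("qtap-init-run-as-non-root"); runAsNonRoot != "" {
+b, err := strconv.ParseBool(runAsNonRoot)
+if err != nil {
+return fmt.Errorf("conversion error: %w", err)
+}
+initContainer.SecurityContext.RunAsNonRoot = &b
+}
+
+// SecurityContext Privileged
+if privileged := config.GetAnnotation("qtap-init-run-as-privileged"); privileged != "" {
+b, err := strconv.ParseBool(privileged)
+if err != nil {
+return fmt.Errorf("conversion error: %w", err)
+}
+initContainer.SecurityContext.Privileged = &b
+}
+
 // TO_ADDR
 if toAddr := config.GetAnnotation("qtap-init-egress-to-addr"); toAddr != "" {
 initContainer.Env = append(initContainer.Env, corev1.EnvVar{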
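Review bot: The `qtap-init-run-as-privileged` branch turns a parsed annotation straight into `Privileged: true` on the init container, and nothing in the hunk constrains which annotation source may request that; if `config.GetAnnotation` reads pod annotations (its source is not visible here), whoever can annotate a pod can obtain a privileged container, so the code or its comment should state that this key is honoured only from the webhook's own configuration, or a check should enforce it. The four `fmt.Errorf("conversion error: %w", err)` returns are indistinguishable to an operator; naming the key and value, e.g. `return fmt.Errorf("parsing annotation qtap-init-run-as-user %q: %w", runAsUser, err)`, says which annotation to fix. Removing the `ROOT_USER`/`ROOT_GROUP`/`RUN_AS_NON_ROOT` defaults means the init container carries no explicit root identity unless the annotations are present, while the comment `// The init container needs to run as root` still asserts the requirement; presumably the new configmap defaults supply them, and that dependency belongs next to the comment. The rest of MutateEgress lies outside the hunk.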
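--- a/config/webhook/configmap.yaml
+++ b/config/webhook/configmap.yaml
@@ -22,6 +22,10 @@ data:
 annotations.yaml: |
 qpoint.io/inject-ca: "true"
 qpoint.io/qtap-init-tag: "v0.0.8"
+qpoint.io/qtap-init-run-as-user: "0"
+qpoint.io/qtap-init-run-as-group: "0"
+qpoint.io/qtap-init-run-as-non-root: "false"
+qpoint.io/qtap-init-run-as-privileged: "false"
 qpoint.io/qtap-tag: "v0.0.15"
 qpoint.io/qtap-init-egress-port-mapping: "10080:80,10443:443"
 qpoint.io/qtap-init-egress-accept-uids: "1010"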
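Review bot: The new `qpoint.io/qtap-init-run-as-privileged: "false"` default carries no comment on its effect, unlike the other three keys, which simply restate the root identity the Go code previously hard-coded; a YAML comment such as `# "true" makes the qtap init container privileged (host-level access); keep "false" unless the cluster's network setup requires it` would stop the value being flipped casually. Whether these entries act as cluster-wide defaults that individual pod annotations may override is not visible from this file and is worth stating in the same comment.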

