From 60298329ff2534dfc7f4d5eec68021180e47d2db Mon Sep 17 00:00:00 2001
From: Marc Barry <4965634+marc-barry@users.noreply.github.com>
Date: Mon, 4 Dec 2023 10:30:43 -0500
Subject: [PATCH] Set security context run as user and group from pod annotations.
---
 api/v1/config.go | 3 +--
 api/v1/egress.go | 39 +++++++++++++++++++++++++++++++++++
 config/webhook/configmap.yaml | 2 ++
 3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/api/v1/config.go b/api/v1/config.go
index 0fc743b..9c9dbcf 100644
--- a/api/v1/config.go
+++ b/api/v1/config.go
@@ -30,8 +30,7 @@ type Config struct {
 OperatorNamespace string
 Client client.Client
 Ctx context.Context
-
- annotations map[string]string
+ annotations map[string]string
 }
 // Config scenarios:
diff --git a/api/v1/egress.go b/api/v1/egress.go
index 4a80f17..0286438 100644
--- a/api/v1/egress.go
+++ b/api/v1/egress.go
@@ -2,6 +2,8 @@ package v1
 import (
 "fmt"
+ "math"
+ "strconv"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
@@ -108,6 +110,42 @@ func MutateInjection(pod *corev1.Pod, config *Config) error {
 // fetch the init image tag
 tag := config.GetAnnotation("qtap-tag")
+ // maintains the default of a nil security context (which is equivalent to accepting the pod setting)
+ var securityContext *corev1.SecurityContext = nil
+
+ // if the UID and/or GID annotations were set then try to convert them to the correct format for the security context
+ if uid, gid := config.GetAnnotation("qtap-uid"), config.GetAnnotation("qtap-gid"); uid != "" || gid != "" {
+ var qtapUid int64 = math.MinInt64 // this isn't a permitted UID value and so it is used as not set
+ var qtapGid int64 = math.MinInt64 // this isn't a permitted GID value and so it is used as not set
+
+ if uid != "" {
+ if n, err := strconv.ParseInt(uid, 10, 64); err == nil {
+ qtapUid = n
+ }
+ }
+ if gid != "" {
+ if n, err := strconv.ParseInt(gid, 10, 64); err == nil {
+ qtapGid = n
+ }
+ }
+
+ // If a UID was set via annotations we need a security context for the container with the UID
+ // and/or GID
+ if qtapUid != math.MinInt64 || qtapGid != math.MinInt64 {
+ securityContext = &corev1.SecurityContext{} // create empty security context
+
+ // the UID was set, set RunAsUser
+ if qtapUid != math.MinInt64 {
+ securityContext.RunAsUser = &qtapUid
+ }
+
+ // the GID was set, set RunAsGroup
+ if qtapGid != math.MinInt64 {
+ securityContext.RunAsGroup = &qtapGid
+ }
+ }
+ }
+
 // create an init container
 qtapContainer := corev1.Container{
 Name: "qtap",
@@ -119,6 +157,7 @@ func MutateInjection(pod *corev1.Pod, config *Config) error {
 Value: token,
 },
 },
+ SecurityContext: securityContext,
 StartupProbe: &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{
 HTTPGet: &corev1.HTTPGetAction{
diff --git a/config/webhook/configmap.yaml b/config/webhook/configmap.yaml
index a1db2c1..2ef0dec 100644
--- a/config/webhook/configmap.yaml
+++ b/config/webhook/configmap.yaml
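Review bot: A malformed `qtap-uid` or `qtap-gid` annotation is silently treated as unset, because both `strconv.ParseInt` calls only act on `err == nil` and have no failure branch, so a typo in a hardening annotation leaves the qtap container running under whatever the pod's own context allows with no signal to the operator. MutateInjection already returns an error (its signature is in the hunk header; the function starts and ends outside this hunk), so the parse failures should be returned instead, assuming the caller surfaces that as an admission failure; the resulting value is what the `SecurityContext: securityContext,` line in the second hunk consumes. ParseInt also accepts negative numbers, which the API server will presumably reject for RunAsUser/RunAsGroup, so a `n < 0` check belongs next to the parse once errors are no longer swallowed. The `math.MinInt64` sentinel bookkeeping could then collapse to plain `*int64` locals, but the change below keeps the existing structure.
```go
		// … unchanged: qtapUid/qtapGid sentinel declarations …
		// a value that does not parse is a configuration error, not "unset":
		// reject the request rather than inject the container without the context
		if uid != "" {
			n, err := strconv.ParseInt(uid, 10, 64)
			if err != nil {
				return fmt.Errorf("parsing qtap-uid annotation %q: %w", uid, err)
			}
			qtapUid = n
		}
		if gid != "" {
			n, err := strconv.ParseInt(gid, 10, 64)
			if err != nil {
				return fmt.Errorf("parsing qtap-gid annotation %q: %w", gid, err)
			}
			qtapGid = n
		}
		// … unchanged: securityContext construction …
```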
@@ -24,3 +24,5 @@ data:
 qpoint.io/log-level: "info"
 qpoint.io/block-unknown: "false"
 qpoint.io/dns-lookup-family: "V4_ONLY"
+ qpoint.io/qtap-uid: "1010"
+ qpoint.io/qtap-gid: "1010"
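Review bot: The new `qpoint.io/qtap-uid` and `qpoint.io/qtap-gid` entries carry no explanation of why `"1010"` was chosen, and if, as the key names suggest, these configmap values are the defaults the webhook's `GetAnnotation` falls back to, they change the identity of every injected qtap container rather than one pod's. A one-line comment above them would save the next reader a trip to egress.go, e.g. `# default UID/GID for the injected qtap container; must parse as a base-10 integer (see MutateInjection in api/v1/egress.go)`.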