[release-1.4] Add all securityContext fields in injected containers (i…
…stio#19832)

* Add all securityContext fields in injected containers

Fixes istio#17318

* Update injection unit tests

Co-authored-by: Romain Lenglet <[email protected]>
istio-testing and rlenglet committed Dec 28, 2019
1 parent 7fe9629 commit 0130466
Showing 86 changed files with 1,306 additions and 21 deletions.
49 changes: 31 additions & 18 deletions install/kubernetes/helm/istio/files/injection-template.yaml
Expand Up @@ -43,14 +43,18 @@ initContainers:
resources: {}
{{- end }}
securityContext:
runAsUser: 0
runAsNonRoot: false
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
add:
- NET_ADMIN
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
- NET_RAW
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
restartPolicy: Always
{{- end }}
{{ end -}}
Expand All @@ -65,9 +69,17 @@ initContainers:
imagePullPolicy: IfNotPresent
resources: {}
securityContext:
runAsUser: 0
runAsNonRoot: false
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
drop:
- ALL
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{ end }}
{{- end }}
containers:
Expand Down Expand Up @@ -288,21 +300,22 @@ containers:
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
{{- if .Values.global.proxy.privileged }}
privileged: true
{{- end }}
{{- if ne .Values.global.proxy.enableCoreDump true }}
readOnlyRootFilesystem: true
{{- end }}
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
add:
- NET_ADMIN
{{- end }}
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
runAsGroup: 1337
{{ else -}}
{{ if .Values.global.sds.enabled }}
runAsGroup: 1337
{{- end }}
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
runAsNonRoot: false
runAsUser: 0
{{- else -}}
runAsNonRoot: true
runAsUser: 1337
{{- end }}
resources:
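Review bot: The sidecar's `allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}` and `privileged: {{ .Values.global.proxy.privileged }}` lines (and the same pair in the istio-init container) now interpolate the value unconditionally, whereas the removed `{{- if .Values.global.proxy.privileged }}` form tolerated an unset key; if `global.proxy.privileged` is ever absent from the injector's values, the field renders as a non-boolean and the injected pod is rejected by the API server, so either keep a guard or make sure the key is always defaulted in values.yaml. In the enable-core-dump init container, `privileged: true` already grants the full capability set, so the accompanying `drop: [ALL]` / `add: [SYS_ADMIN]` impose no real restriction; a comment such as `# privileged: true grants all capabilities; the add/drop lists below do not narrow this container` would stop readers from assuming it is limited to SYS_ADMIN. Note also that `readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}` silently yields a writable root filesystem whenever core dumps are enabled, which is worth stating next to the `enableCoreDump` value. The container definitions these securityContext stanzas belong to begin and end outside the hunks shown here.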
15 changes: 15 additions & 0 deletions istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected
Expand Up @@ -80,8 +80,14 @@ spec:
cpu: 10m
memory: 30Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
Expand Down Expand Up @@ -110,9 +116,18 @@ spec:
name: istio-init
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
restartPolicy: OnFailure
volumes:
- emptyDir:
14 changes: 14 additions & 0 deletions istioctl/cmd/testdata/uninject/cronjob.yaml.injected
Expand Up @@ -102,7 +102,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
Expand Down Expand Up @@ -137,9 +144,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
restartPolicy: OnFailure
14 changes: 14 additions & 0 deletions istioctl/cmd/testdata/uninject/daemonset.yaml.injected
Expand Up @@ -107,7 +107,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
Expand Down Expand Up @@ -142,9 +149,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
Expand Up @@ -126,7 +126,14 @@ items:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
Expand Down Expand Up @@ -161,9 +168,16 @@ items:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
14 changes: 14 additions & 0 deletions istioctl/cmd/testdata/uninject/deploymentconfig.yaml.injected
Expand Up @@ -111,7 +111,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
Expand Down Expand Up @@ -146,9 +153,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
23 changes: 23 additions & 0 deletions istioctl/cmd/testdata/uninject/enable-core-dump.yaml.injected
Expand Up @@ -112,6 +112,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
Expand Down Expand Up @@ -146,9 +154,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- args:
Expand All @@ -161,7 +176,15 @@ spec:
name: enable-core-dump
resources: {}
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
drop:
- ALL
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
14 changes: 14 additions & 0 deletions istioctl/cmd/testdata/uninject/job.yaml.injected
Expand Up @@ -100,7 +100,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
Expand Down Expand Up @@ -135,9 +142,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
restartPolicy: Never
27 changes: 27 additions & 0 deletions istioctl/cmd/testdata/uninject/list.yaml.injected
Expand Up @@ -117,7 +117,14 @@ items:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
Expand Down Expand Up @@ -156,9 +163,16 @@ items:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
Expand Down Expand Up @@ -291,7 +305,14 @@ items:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
Expand Down Expand Up @@ -326,9 +347,15 @@ items:
cpu: 10m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes: