backport of commit 965b2f7

hashicorp · Aug 7, 2023 · 0f2eaac · 0f2eaac
1 parent 103bee3
commit 0f2eaac
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 9 deletions.
diff --git a/charts/consul/templates/api-gateway-securitycontextconstraints.yaml b/charts/consul/templates/api-gateway-securitycontextconstraints.yaml
@@ -39,4 +39,5 @@ seLinuxContext:
 supplementalGroups:
   type: MustRunAs
 users: []
+volumes: []
 {{- end }}
diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml
@@ -169,7 +169,7 @@ rules:
   resources:
   - securitycontextconstraints
   resourceNames:
-  - privileged
+  - {{ template "consul.fullname" . }}-api-gateway
   verbs:
   - use
 {{- end }}

diff --git a/control-plane/api-gateway/gatekeeper/init.go b/control-plane/api-gateway/gatekeeper/init.go
@@ -168,14 +168,17 @@ func initContainer(config common.HelmConfig, name, namespace string) (corev1.Con
 			})
 	}
 
-	container.SecurityContext = &corev1.SecurityContext{
-		RunAsUser:    pointer.Int64(initContainersUserAndGroupID),
-		RunAsGroup:   pointer.Int64(initContainersUserAndGroupID),
-		RunAsNonRoot: pointer.Bool(true),
-		Privileged:   pointer.Bool(false),
-		Capabilities: &corev1.Capabilities{
-			Drop: []corev1.Capability{"ALL"},
-		},
+	// Openshift Assigns the security context for us, do not enable if it is enabled.
+	if !config.EnableOpenShift {
+		container.SecurityContext = &corev1.SecurityContext{
+			RunAsUser:    pointer.Int64(initContainersUserAndGroupID),
+			RunAsGroup:   pointer.Int64(initContainersUserAndGroupID),
+			RunAsNonRoot: pointer.Bool(true),
+			Privileged:   pointer.Bool(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+		}
 	}
 
 	return container, nil