added template for scc name for easier testing, may or may not leave …

…in and make better
hashicorp · Aug 7, 2023 · 78aa9ce · 78aa9ce
1 parent 67ba54d
commit 78aa9ce
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 11 deletions.
diff --git a/charts/consul/templates/api-gateway-securitycontextconstraints.yaml b/charts/consul/templates/api-gateway-securitycontextconstraints.yaml
@@ -13,28 +13,30 @@ metadata:
   annotations:
     kubernetes.io/description: {{ template "consul.fullname" . }}-api-gateway are the security context constraints required
       to run api-gateways. All api-gateways will reference this single SecurityContextConstraints resource.
-allowHostPorts: true
 allowHostDirVolumePlugin: false
 allowHostIPC: false
+allowHostNetwork: {{ .Values.client.hostNetwork }}
 allowHostPID: false
-allowHostNetwork: false
+allowHostPorts: true
 allowPrivilegeEscalation: true
-allowPrivilegedContainer: true
-allowedCapabilities:
-  - '*'
+allowPrivilegedContainer: false
+allowedCapabilities: null
 defaultAddCapabilities: null
 fsGroup:
   type: MustRunAs
 groups: []
 priority: null
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
+  - KILL
+  - MKNOD
+  - SETUID
+  - SETGID
 runAsUser:
-  type: RunAsAny
+  type: MustRunAsRange
 seLinuxContext:
   type: MustRunAs
 supplementalGroups:
   type: MustRunAs
-users:
-  - system:serviceaccount:consul:consul-consul-gateway-resources
-{{- end -}}
+users: []
+{{- end }}
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
@@ -161,6 +161,11 @@ spec:
                 {{- if .Values.global.openshift.enabled }}
                 -enable-openshift \
                 {{- end }}
+                {{- if ne .Values.connectInject.apiGateway.openshiftSccName ""}}
+                -openshift-scc-name={{ .Values.connectInject.apiGateway.openshiftSccName }} \
+                {{- else }}
+                -openshift-scc-name={{ template "consul.fullname" . }}-api-gateway \
+                {{- end }}
                 {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }}
                 -transparent-proxy-default-overwrite-probes=true \
                 {{- else }}

diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
@@ -2226,6 +2226,8 @@ connectInject:
         memory: "100Mi"
         cpu: "100m"
 
+    openshiftSccName: ""
+
   # Configures consul-cni plugin for Consul Service mesh services
   cni:
     # If true, then all traffic redirection setup uses the consul-cni plugin.

diff --git a/control-plane/api-gateway/common/helm_config.go b/control-plane/api-gateway/common/helm_config.go
@@ -35,6 +35,10 @@ type HelmConfig struct {
 	// and should create SecurityContextConstraints.
 	EnableOpenShift bool
 
+	// OpenshiftSCCName allows the user to specify which security context they
+	// would like to run their gateways with. This defaults to
+	OpenshiftSCCName string
+
 	// ReleaseName indicates the name of the release for the Helm installation. This value is used
 	// as a prefix for some resources - SecurityContextConstraints, for example - so it must be known.
 	ReleaseName string

diff --git a/control-plane/api-gateway/gatekeeper/role.go b/control-plane/api-gateway/gatekeeper/role.go
@@ -87,7 +87,7 @@ func (g *Gatekeeper) role(gateway gwv1beta1.Gateway, gcc v1alpha1.GatewayClassCo
 			// TODO(nathancoleman) Consider accepting an explicit SCC name. This will make the code
 			//   here less brittle and allow for the user to provide their own SCC if they wish.
 			//ResourceNames: []string{config.ReleaseName + "-api-gateway"},
-			ResourceNames: []string{"privileged"},
+			ResourceNames: []string{config.OpenshiftSCCName},
 			Verbs:         []string{"use"},
 		})
 	}

diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go
@@ -134,7 +134,8 @@ type Command struct {
 	flagEnableConsulDNS bool
 	flagResourcePrefix  string
 
-	flagEnableOpenShift bool
+	flagEnableOpenShift  bool
+	flagOpenshiftSCCName string
 
 	flagSet *flag.FlagSet
 	consul  *flags.ConsulFlags
@@ -211,6 +212,8 @@ func (c *Command) init() {
 		"Release prefix of the Consul installation used to determine Consul DNS Service name.")
 	c.flagSet.BoolVar(&c.flagEnableOpenShift, "enable-openshift", false,
 		"Indicates that the command runs in an OpenShift cluster.")
+	c.flagSet.StringVar(&c.flagOpenshiftSCCName, "openshift-scc-name", "",
+		"Name of security context constraint to use for gateways on Openshift")
 	c.flagSet.BoolVar(&c.flagEnableWebhookCAUpdate, "enable-webhook-ca-update", false,
 		"Enables updating the CABundle on the webhook within this controller rather than using the web cert manager.")
 	c.flagSet.BoolVar(&c.flagEnableAutoEncrypt, "enable-auto-encrypt", false,
@@ -532,6 +535,7 @@ func (c *Command) Run(args []string) int {
 			ConsulPartition:            c.consul.Partition,
 			ConsulCACert:               string(caCertPem),
 			ReleaseName:                c.flagReleaseName,
+			OpenshiftSCCName:           c.flagOpenshiftSCCName,
 		},
 		AllowK8sNamespacesSet:   allowK8sNamespaces,
 		DenyK8sNamespacesSet:    denyK8sNamespaces,