Didn't reorg the dataplane sidecar in the webhook correctly

hashicorp · Jun 26, 2024 · bfe7be8 · bfe7be8
1 parent e20ff5b
commit bfe7be8
Showing 1 changed file with 28 additions and 29 deletions.
diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
@@ -214,16 +214,15 @@ func (w *MeshWebhook) consulDataplaneSidecar(
 		return corev1.Container{}, err
 	}
 
+	// Default values for non-Openshift environments.
+	uid := int64(sidecarUserAndGroupID)
+	group := int64(sidecarUserAndGroupID)
+
 	// If not running in transparent proxy mode and in an OpenShift environment,
 	// skip setting the security context and let OpenShift set it for us.
 	// When transparent proxy is enabled, then consul-dataplane needs to run as our specific user
 	// so that traffic redirection will work.
 	if tproxyEnabled || !w.EnableOpenShift {
-
-		// Default values for non-Openshift environments.
-		uid := int64(sidecarUserAndGroupID)
-		group := int64(sidecarUserAndGroupID)
-
 		if !w.EnableOpenShift {
 			if pod.Spec.SecurityContext != nil {
 				// User container and consul-dataplane container cannot have the same UID.
@@ -250,34 +249,34 @@ func (w *MeshWebhook) consulDataplaneSidecar(
 				}
 			}
 		}
+	}
 
-		if w.EnableOpenShift {
-			// Transparent proxy is set in OpenShift. There is an annotation on the namespace that tells us what
-			// the user and group ids should be for the sidecar.
-			var err error
-			uid, err = common.GetOpenShiftUID(&namespace)
-			if err != nil {
-				return corev1.Container{}, err
-			}
-			group, err = common.GetOpenShiftGroup(&namespace)
-			if err != nil {
-				return corev1.Container{}, err
-			}
+	if w.EnableOpenShift {
+		// Transparent proxy is set in OpenShift. There is an annotation on the namespace that tells us what
+		// the user and group ids should be for the sidecar.
+		var err error
+		uid, err = common.GetOpenShiftUID(&namespace)
+		if err != nil {
+			return corev1.Container{}, err
 		}
-
-		container.SecurityContext = &corev1.SecurityContext{
-			RunAsUser:                pointer.Int64(uid),
-			RunAsGroup:               pointer.Int64(group),
-			RunAsNonRoot:             pointer.Bool(true),
-			AllowPrivilegeEscalation: pointer.Bool(false),
-			// consul-dataplane requires the NET_BIND_SERVICE capability regardless of binding port #.
-			// See https://developer.hashicorp.com/consul/docs/connect/dataplane#technical-constraints
-			Capabilities: &corev1.Capabilities{
-				Add: []corev1.Capability{"NET_BIND_SERVICE"},
-			},
-			ReadOnlyRootFilesystem: pointer.Bool(true),
+		group, err = common.GetOpenShiftGroup(&namespace)
+		if err != nil {
+			return corev1.Container{}, err
 		}
 	}
+
+	container.SecurityContext = &corev1.SecurityContext{
+		RunAsUser:                pointer.Int64(uid),
+		RunAsGroup:               pointer.Int64(group),
+		RunAsNonRoot:             pointer.Bool(true),
+		AllowPrivilegeEscalation: pointer.Bool(false),
+		// consul-dataplane requires the NET_BIND_SERVICE capability regardless of binding port #.
+		// See https://developer.hashicorp.com/consul/docs/connect/dataplane#technical-constraints
+		Capabilities: &corev1.Capabilities{
+			Add: []corev1.Capability{"NET_BIND_SERVICE"},
+		},
+		ReadOnlyRootFilesystem: pointer.Bool(true),
+	}
 	return container, nil
 }