
NET-5947 Add NET_BIND_SERVICE capability in security context for api-gateway pod on OpenShift #3070

Merged
merged 6 commits into from
Oct 12, 2023

Conversation

nathancoleman

@nathancoleman nathancoleman commented Oct 11, 2023

Why this change is needed:
This capability became a requirement for consul-dataplane, which api-gateway uses under the hood, as of hashicorp/consul-dataplane#238. Since the securityContext created for each consul-dataplane Pod was not requesting the NET_BIND_SERVICE capability specifically when deploying onto OpenShift, it was not being granted, and the Pod was failing to start with a permission denied error.

Changes proposed in this PR:

  • Always add required NET_BIND_SERVICE capability to the securityContext for each api-gateway Pod

How I've tested this PR:

  • Added unit test coverage verifying securityContext is always set appropriately on Pod
  • @missylbytes tested it live on OpenShift 4.11 and 4.12 clusters, verifying that the Pod starts up correctly now

How I expect reviewers to test this PR:

  • 🤖 tests passing

Checklist:

@nathancoleman nathancoleman added theme/openshift theme/api-gateway Related to Consul API Gateway backport/1.2.x This release branch is no longer active. labels Oct 11, 2023
@nathancoleman nathancoleman changed the title Add NET_BIND_SERVICE capability in security context for api-gateway p… Add NET_BIND_SERVICE capability in security context for api-gateway pod Oct 11, 2023
@nathancoleman nathancoleman marked this pull request as ready for review October 12, 2023 15:33
.changelog/3070.txt Outdated Show resolved Hide resolved
@curtbushko curtbushko self-requested a review October 12, 2023 15:45

@curtbushko curtbushko left a comment


I don't really like it but I understand why it is needed. Approve!

@nathancoleman nathancoleman changed the title Add NET_BIND_SERVICE capability in security context for api-gateway pod Add NET_BIND_SERVICE capability in security context for api-gateway pod on OpenShift Oct 12, 2023
@nathancoleman nathancoleman changed the title Add NET_BIND_SERVICE capability in security context for api-gateway pod on OpenShift NET-5947 Add NET_BIND_SERVICE capability in security context for api-gateway pod on OpenShift Oct 12, 2023
@@ -19,7 +18,7 @@ import (
)

const (
allCapabilities = "all"
allCapabilities = "ALL"
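Review bot: changing `allCapabilities` from "all" to "ALL" removes the doubled `drop` entry only because the merge compares capability names as exact strings; the constant now matches the spelling the OpenShift controller injects, but any other caller that still passes a lower-case value will reproduce the duplicate list. Consider deduplicating with a case-normalised comparison at the merge point, and adding a unit test that merges a securityContext already containing `ALL` and asserts the resulting `drop` list has exactly one entry.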

@nathancoleman nathancoleman Oct 12, 2023


This was causing an odd merge when the OpenShift controller added ALL alongside our all since they're not equal strings, resulting in

drop:
- ALL
- all
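The merge problem described in the comment above, as an added example that is not consul-k8s code: an exact-string comparison keeps both `all` and the controller-injected `ALL`, while normalising to the upper-case spelling Kubernetes uses collapses them to one entry and still guarantees NET_BIND_SERVICE is always added. The `Capabilities` struct is a local stand-in for corev1.Capabilities so the example runs without the Kubernetes client libraries.

```go
package main

import "strings"

// Capabilities is a stand-in for corev1.Capabilities (assumption, not project code)
// so this file compiles with only the standard library.
type Capabilities struct {
	Add  []string
	Drop []string
}

const (
	allCapabilities = "ALL"              // the spelling the OpenShift controller injects
	netBindService  = "NET_BIND_SERVICE" // required by consul-dataplane to bind ports < 1024
)

// dedupe keeps the first occurrence of each capability, comparing by key(c).
func dedupe(caps []string, key func(string) string) []string {
	seen := map[string]bool{}
	var out []string
	for _, c := range caps {
		k := key(c)
		if !seen[k] {
			seen[k] = true
			out = append(out, k)
		}
	}
	return out
}

// exact is the comparison under which "all" and "ALL" both survive the merge.
func exact(c string) string { return c }

// canonical upper-cases names so a platform-added "ALL" collapses with our "all".
func canonical(c string) string { return strings.ToUpper(strings.TrimSpace(c)) }

// MergeCapabilities combines what the operator requests with what the platform
// already set, drops ALL, and always adds NET_BIND_SERVICE.
func MergeCapabilities(ours, platform Capabilities) Capabilities {
	add := append([]string{netBindService}, ours.Add...)
	drop := append([]string{allCapabilities}, ours.Drop...)
	return Capabilities{
		Add:  dedupe(append(add, platform.Add...), canonical),
		Drop: dedupe(append(drop, platform.Drop...), canonical),
	}
}
```

`dedupe([]string{"all", "ALL"}, exact)` returns both spellings, which is the doubled drop list shown above; `MergeCapabilities` with the same inputs returns a single `ALL`.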


Fixed:
[screenshot]

@nathancoleman nathancoleman merged commit d2d6125 into main Oct 12, 2023
36 of 48 checks passed
@nathancoleman nathancoleman deleted the api-gateway-net-bind-service branch October 12, 2023 20:20