set user group and user id for the default SecurityContext (envoyprox…
…y#4313)

set user group and user id

Signed-off-by: Huabing Zhao <[email protected]>
zhaohuabing authored Sep 24, 2024
1 parent 7dfa857 commit bd966b8
Showing 46 changed files with 154 additions and 0 deletions.
2 changes: 2 additions & 0 deletions charts/gateway-helm/templates/envoy-gateway-deployment.yaml
Expand Up @@ -82,6 +82,8 @@ spec:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
volumeMounts:
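Review bot: The uid/gid 65532 is pinned as a bare literal in the controller's securityContext with nothing saying where the number comes from; since runAsUser overrides the image's USER directive, the value has to match the uid that owns the envoy-gateway image's writable paths or the pod fails at runtime instead of at admission. A one-line comment would make that coupling explicit, e.g. `# must match the non-root uid/gid baked into the envoy-gateway image (presumably the distroless nonroot user — confirm)`. Exposing the value through values.yaml would let operators who rebuild the image with a different uid override it without editing the template; values.yaml is not visible here, so that may already be possible. The securityContext block begins above the hunk.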
10 changes: 10 additions & 0 deletions internal/infrastructure/kubernetes/proxy/resource.go
Expand Up @@ -447,13 +447,23 @@ func expectedEnvoySecurityContext(containerSpec *egv1a1.KubernetesContainerSpec)
}

sc := resource.DefaultSecurityContext()

// run as non-root user
sc.RunAsGroup = ptr.To(int64(65532))
sc.RunAsUser = ptr.To(int64(65532))

// Envoy container needs to write to the log file/UDS socket.
sc.ReadOnlyRootFilesystem = nil
return sc
}

func expectedShutdownManagerSecurityContext() *corev1.SecurityContext {
sc := resource.DefaultSecurityContext()

// run as non-root user
sc.RunAsGroup = ptr.To(int64(65532))
sc.RunAsUser = ptr.To(int64(65532))

// ShutdownManger creates a file to indicate the connection drain process is completed,
// so it needs file write permission.
sc.ReadOnlyRootFilesystem = nil
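Review bot: The uid/gid 65532 appears as a bare literal in both RunAsGroup/RunAsUser pairs in this hunk (and again in the Helm chart), with a comment that only says "run as non-root user"; a named constant would stop the copies drifting and give the number a meaning, e.g. `// nonrootUID is the uid/gid the Envoy and shutdown-manager containers run as; presumably the distroless nonroot user — confirm against the images.`, `const nonrootUID int64 = 65532`, `sc.RunAsUser = ptr.To(nonrootUID)`. Pinning RunAsUser also overrides whatever USER the image declares, so a custom proxy image whose writable paths (the log file and UDS socket the ReadOnlyRootFilesystem comment mentions) are owned by a different uid now fails at runtime rather than at admission; that caveat belongs next to the assignments. The testdata in this commit shows a user-supplied runAsUser: 1234 still receiving runAsGroup: 65532, which suggests the defaults are merged field by field outside this hunk — if so, document it, since a group that does not match the overridden uid can break file access inside the image. expectedEnvoySecurityContext begins before the hunk and the closing lines of expectedShutdownManagerSecurityContext are outside it.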
Expand Up @@ -94,7 +94,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -168,7 +170,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -347,7 +347,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -346,7 +346,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -261,7 +261,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -335,7 +337,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -232,7 +232,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -306,7 +308,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -350,7 +350,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -270,7 +270,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -344,7 +346,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -261,7 +261,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -335,7 +337,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -261,7 +261,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -345,6 +347,7 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 1234
seccompProfile:
Expand Up @@ -350,7 +350,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -266,7 +266,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -340,7 +342,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -94,7 +94,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -168,7 +170,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -263,7 +263,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -337,7 +339,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -261,7 +261,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -335,7 +337,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -261,7 +261,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -335,7 +337,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -261,7 +261,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -335,7 +337,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -261,7 +261,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -335,7 +337,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -97,7 +97,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -171,7 +173,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -98,7 +98,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -172,7 +174,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -352,7 +352,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Up @@ -354,7 +354,9 @@ spec:
drop:
- ALL
privileged: false
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
startupProbe:
