fix cni security contexts

waynz0r · waynz0r · commit 214c5c8a5af9 · 2022-02-02T15:22:43.000+01:00
diff --git a/internal/assets/manifests/istio-cni/templates/daemonset.yaml b/internal/assets/manifests/istio-cni/templates/daemonset.yaml
@@ -111,6 +111,7 @@ spec:
               name: cni-log-dir
 {{ include "toYamlIf" (dict "value" .Values.cni.volumeMounts) | indent 12 }}
 {{ include "toYamlIf" (dict "value" .Values.cni.resources "key" "resources" "indent" 2) | indent 10 }}
+{{ include "toYamlIf" (dict "value" .Values.cni.securityContext "key" "securityContext" "indent" 2) | indent 10 }}
 {{- if .Values.cni.taint.enabled }}
         - name: taint-controller
 {{- include "dockerImage" (dict "image" .Values.cni.taint.image "hub" .Values.global.hub "tag" .Values.global.tag) | indent 10 -}}
diff --git a/internal/assets/manifests/istio-cni/values.yaml b/internal/assets/manifests/istio-cni/values.yaml
@@ -44,6 +44,10 @@ cni:
   # Experimental taint controller for further race condition mitigation
   taint:
     enabled: false
+    securityContext:
+      runAsUser: 1337
+      runAsGroup: 1337
+      runAsNonRoot: true
 
   resourceQuotas:
     enabled: true
@@ -70,7 +74,11 @@ cni:
   volumes: []
   volumeMounts: []
   resources: {}
-  securityContext: {}
+  securityContext:
+    runAsGroup: 0
+    runAsUser: 0
+    runAsNonRoot: false
+
   priorityClassName: system-node-critical
 
 # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
diff --git a/internal/components/cni/testdata/icp-expected-resource-dump.yaml b/internal/components/cni/testdata/icp-expected-resource-dump.yaml
@@ -320,6 +320,11 @@ spec:
           requests:
             cpu: 100m
             memory: 128Mi
+        securityContext:
+          runAsGroup: 0
+          runAsUser: 0
+          runAsNonRoot: false
+          allowPrivilegeEscalation: false
       - name: taint-controller
         image: "gcr.io/istio-testing/install-cni-taint:latest"
         imagePullPolicy: Always
@@ -348,6 +353,7 @@ spec:
           runAsGroup: 1337
           runAsNonRoot: true
           runAsUser: 1337
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
         disktype: ssd
diff --git a/internal/components/cni/testdata/icp-expected-values.yaml b/internal/components/cni/testdata/icp-expected-values.yaml
@@ -42,9 +42,7 @@ cni:
     - name: taint-config-vol
       mountPath: /etc/config
     securityContext:
-      runAsGroup: 1337
-      runAsNonRoot: true
-      runAsUser: 1337
+      allowPrivilegeEscalation: false
   metadata:
     annotations:
       daemonset-annotation: value
@@ -113,9 +111,7 @@ cni:
       cpu: 100m
       memory: 128Mi
   securityContext:
-    runAsGroup: 1337
-    runAsNonRoot: true
-    runAsUser: 1337
+    allowPrivilegeEscalation: false
   priorityClassName: system-node-critical
 global:
   hub: gcr.io/istio-testing
diff --git a/internal/components/cni/testdata/icp-test-cr.yaml b/internal/components/cni/testdata/icp-test-cr.yaml
@@ -48,9 +48,7 @@ spec:
               cpu: 100m
               memory: 128Mi
           securityContext:
-            runAsUser: 1337
-            runAsGroup: 1337
-            runAsNonRoot: true
+            allowPrivilegeEscalation: false
           volumeMounts:
           - name: taint-config-vol
             mountPath: /etc/config
@@ -133,7 +131,5 @@ spec:
             cpu: 100m
             memory: 128Mi
         securityContext:
-          runAsUser: 1337
-          runAsGroup: 1337
-          runAsNonRoot: true
+          allowPrivilegeEscalation: false
         priorityClassName: system-node-critical
