hashicorp · Vikramarjuna · Oct 17, 2024 · Oct 17, 2024 · Oct 9, 2024 · Oct 9, 2024
@@ -0,0 +1,3 @@
+```release-note:improvement
+Consul-dataplane now includes both privileged and non-privileged binaries in the image. By default, all use cases use the non-privileged binaries (without NET_BIND_SERVICE). For Ingress, API, and Mesh Gateway use cases, if a privileged port is configured, the privileged binary (with NET_BIND_SERVICE capability) is automatically selected and used.
+```
@@ -18,9 +18,9 @@ annotations:
     - name: consul
       image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.21-dev
     - name: consul-k8s-control-plane
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.7-dev
+      image: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.8-dev
     - name: consul-dataplane
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.7-dev
+      image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.8-dev
     - name: envoy
       image: envoyproxy/envoy:v1.25.11
   artifacthub.io/license: MPL-2.0

@@ -23,8 +23,33 @@ securityContext:
   capabilities:
     drop:
     - ALL
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+{{- if not .Values.global.openshift.enabled -}}
+{{/*
+We must set runAsUser or else the root user will be used in some cases and
+containers will fail to start due to runAsNonRoot above (e.g.
+tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100
+because it is a non-root user id that exists in the consul, consul-dataplane,
+and consul-k8s-control-plane images.
+*/}}
+  runAsUser: 100
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+
+{{- define "consul.restrictedSecurityContextWithNetBindService" -}}
+{{- if not .Values.global.enablePodSecurityPolicies -}}
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
     add:
     - NET_BIND_SERVICE
+    drop:
+    - ALL
   runAsNonRoot: true
   seccompProfile:
     type: RuntimeDefault
@@ -657,3 +682,23 @@ Usage: {{ template "consul.imagePullPolicy" . }} TODO: melisa should we name thi
 {{fail "imagePullPolicy can only be IfNotPresent, Always, Never, or empty" }}
 {{ end }}
 {{- end -}}
+
+{{/*
+Checks if any of the ingress gateway ports are privileged (< 1024).
+This helper takes the ingress gateway configuration and checks both specific
+service ports and default service ports to determine if privileged ports are needed.
+
+Usage: {{ template "consul.ingressGatewayHasPrivilegedPorts" (dict "service" .service "defaults" $defaults) }}
+*/}}
+{{- define "consul.ingressGatewayHasPrivilegedPorts" -}}
+{{- $service := .service -}}
+{{- $defaults := .defaults -}}
+{{- $ports := (default $defaults.service.ports $service.ports) -}}
+{{- $hasPrivilegedPorts := false -}}
+{{- range $port := $ports -}}
+  {{- if lt (int $port.port) 1024 -}}
+    {{- $hasPrivilegedPorts = true -}}
+  {{- end -}}
+{{- end -}}
+{{- $hasPrivilegedPorts -}}
+{{- end -}}
@@ -23,6 +23,7 @@
 {{- range .Values.ingressGateways.gateways }}
 
 {{- $service := .service }}
+{{- $needsPrivilegedPorts := eq "true" (include "consul.ingressGatewayHasPrivilegedPorts" (dict "service" $service "defaults" $defaults)) }}
 
 {{- if empty .name }}
 # Check that the gateway name is provided
@@ -247,7 +248,11 @@ spec:
       - name: ingress-gateway
         image: {{ $root.Values.global.imageConsulDataplane | quote }}
         {{ template "consul.imagePullPolicy" $root }}
+        {{- if $needsPrivilegedPorts }}
+        {{- include "consul.restrictedSecurityContextWithNetBindService" $ | nindent 8 }}
+        {{- else }}
         {{- include "consul.restrictedSecurityContext" $ | nindent 8 }}
+        {{- end }}
         {{- if (default $defaults.resources .resources) }}
         resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }}
         {{- end }}
@@ -291,9 +296,14 @@ spec:
           value: component=ingress-gateway
         - name: DP_SERVICE_NODE_NAME
           value: $(NODE_NAME)-virtual
+        {{- if $needsPrivilegedPorts }}
         command:
-        - consul-dataplane
+        - privileged-consul-dataplane
         args:
+        - -envoy-executable-path=/usr/local/bin/privileged-envoy
+        {{- else }}
+        args:
+        {{- end }}
         - -envoy-ready-bind-port=21000
         {{- if $root.Values.externalServers.enabled }}
         - -addresses={{ $root.Values.externalServers.hosts | first }}

@@ -202,13 +202,17 @@ spec:
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
+          {{- if or (not .Values.meshGateway.hostNetwork) (lt (int .Values.meshGateway.containerPort) 1024) }}
           capabilities:
-            {{ if not .Values.meshGateway.hostNetwork}}
+            {{- if not .Values.meshGateway.hostNetwork }}
             drop:
               - ALL
             {{- end }}
+            {{- if lt (int .Values.meshGateway.containerPort) 1024 }}
             add:
               - NET_BIND_SERVICE
+            {{- end }}
+          {{- end }}
         {{- if .Values.meshGateway.resources }}
         resources:
             {{- if eq (typeOf .Values.meshGateway.resources) "string" }}
@@ -251,9 +255,16 @@ spec:
           value: component=mesh-gateway
         - name: DP_SERVICE_NODE_NAME
           value: $(NODE_NAME)-virtual
+        {{- if lt (int .Values.meshGateway.containerPort) 1024 }}
+        command:
+        - privileged-consul-dataplane
+        args:
+        - -envoy-executable-path=/usr/local/bin/privileged-envoy
+        {{- else }}
         command:
         - consul-dataplane
         args:
+        {{- end }}
         {{- if .Values.externalServers.enabled }}
         - -addresses={{ .Values.externalServers.hosts | first }}
         {{- else }}

@@ -18,8 +18,10 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
-  defaultAddCapabilities:
+  {{- if lt (int .Values.meshGateway.containerPort) 1024 }}
+  allowedCapabilities:
     - NET_BIND_SERVICE
+  {{- end }}
   # Allow core volume types.
   volumes:
     - 'configMap'

@@ -18,8 +18,6 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
-  defaultAddCapabilities:
-    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'

@@ -21,8 +21,6 @@ spec:
   # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
-  defaultAddCapabilities:
-    - NET_BIND_SERVICE
   # Allow core volume types.
   volumes:
     - 'configMap'

@@ -1382,8 +1382,7 @@ load _helpers
   local expected=$(echo '{
     "allowPrivilegeEscalation": false,
     "capabilities": {
-      "drop": ["ALL"],
-      "add": ["NET_BIND_SERVICE"]
+      "drop": ["ALL"]
     },
     "readOnlyRootFilesystem": true,
     "runAsNonRoot": true,
@@ -1415,8 +1414,7 @@ load _helpers
   local expected=$(echo '{
     "allowPrivilegeEscalation": false,
     "capabilities": {
-      "drop": ["ALL"],
-      "add": ["NET_BIND_SERVICE"]
+      "drop": ["ALL"]
     },
     "readOnlyRootFilesystem": true,
     "runAsNonRoot": true,

@@ -793,7 +793,7 @@ global:
   # The name (and tag) of the consul-dataplane Docker image used for the
   # connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
   # @default: hashicorp/consul-dataplane:<latest supported version>
-  imageConsulDataplane: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.7-dev
+  imageConsulDataplane: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.8-dev
 
   # Configuration for running this Helm chart on the Red Hat OpenShift platform.
   # This Helm chart currently supports OpenShift v4.x+.

@@ -123,22 +123,30 @@ func consulDataplaneContainer(metrics common.MetricsConfig, config common.HelmCo
 		}
 	}
 
-	container.SecurityContext = &corev1.SecurityContext{
-		AllowPrivilegeEscalation: ptr.To(usingPrivilegedPorts),
+	// Set up security context with least privilege by default
+	securityContext := &corev1.SecurityContext{
 		ReadOnlyRootFilesystem:   ptr.To(true),
 		RunAsNonRoot:             ptr.To(true),
+		AllowPrivilegeEscalation: ptr.To(false),
 		SeccompProfile: &corev1.SeccompProfile{
 			Type: corev1.SeccompProfileTypeRuntimeDefault,
 		},
-		// Drop any Linux capabilities you'd get as root other than NET_BIND_SERVICE.
-		// NET_BIND_SERVICE is a requirement for consul-dataplane, even though we don't
-		// bind to privileged ports.
 		Capabilities: &corev1.Capabilities{
-			Add:  []corev1.Capability{netBindCapability},
 			Drop: []corev1.Capability{allCapabilities},
 		},
 	}
 
+	if usingPrivilegedPorts {
+		securityContext.AllowPrivilegeEscalation = ptr.To(true)
+		securityContext.RunAsNonRoot = ptr.To(false)
+		securityContext.Capabilities.Add = []corev1.Capability{netBindCapability}
+		container.Command = []string{"privileged-consul-dataplane"}
+		// Add the envoy executable path argument
+		container.Args = append(container.Args, "-envoy-executable-path=/usr/local/bin/privileged-envoy")
+	}
+
+	container.SecurityContext = securityContext
+
 	return container, nil
 }