diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go
index 55b3cb10623..f99d0ce2b30 100644
--- a/internal/infrastructure/kubernetes/proxy/resource.go
+++ b/internal/infrastructure/kubernetes/proxy/resource.go
@@ -227,7 +227,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra,
 						},
 					},
 				},
-			SecurityContext: expectedShutdownManagerSecurityContext(),
+			SecurityContext: expectedShutdownManagerSecurityContext(containerSpec),
 		},
 	}
 
@@ -384,7 +384,11 @@ func expectedEnvoySecurityContext(containerSpec *egv1a1.KubernetesContainerSpec)
 	return sc
 }
 
-func expectedShutdownManagerSecurityContext() *corev1.SecurityContext {
+func expectedShutdownManagerSecurityContext(containerSpec *egv1a1.KubernetesContainerSpec) *corev1.SecurityContext {
+	if containerSpec != nil && containerSpec.SecurityContext != nil {
+		return containerSpec.SecurityContext
+	}
+
 	sc := resource.DefaultSecurityContext()
 
 	// run as non-root user
diff --git a/internal/infrastructure/kubernetes/proxy/resource_test.go b/internal/infrastructure/kubernetes/proxy/resource_test.go
index 31054b1ef1d..093d8c0b132 100644
--- a/internal/infrastructure/kubernetes/proxy/resource_test.go
+++ b/internal/infrastructure/kubernetes/proxy/resource_test.go
@@ -9,6 +9,11 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
+
+	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+	"github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/resource"
 )
 
 func TestEnvoyPodSelector(t *testing.T) {
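Review bot: In expectedShutdownManagerSecurityContext the new early return hands back the user-supplied `containerSpec.SecurityContext` wholesale, so the shutdown-manager container no longer receives the adjustments the default path applies later in the function — in particular `sc.ReadOnlyRootFilesystem = nil`, which the test file's copy of the defaults explains is needed because the shutdown manager writes a drain-completed file; a user context with `readOnlyRootFilesystem: true` would therefore break the drain. It also returns the very pointer held in containerSpec, which (judging by the sibling `expectedEnvoySecurityContext(containerSpec)` signature) presumably also feeds the Envoy container, so both containers alias one object and any later in-place edit affects both. The testdata hunks (daemonsets/ and deployments/ custom.yaml, default-env.yaml, extension-env.yaml, volumes.yaml, custom_with_initcontainers.yaml) show the consequence: a user context that sets only `privileged: true` replaces, rather than overlays, the hardened defaults (capabilities drop ALL, runAsNonRoot, seccomp RuntimeDefault), and that semantics is undocumented. Consider `sc := containerSpec.SecurityContext.DeepCopy()`, `sc.ReadOnlyRootFilesystem = nil`, `return sc` in the override branch, plus a doc comment on the function stating that a user-provided SecurityContext replaces the defaults entirely. The remainder of the function body is outside the hunk.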
@@ -36,3 +41,49 @@ func TestEnvoyPodSelector(t *testing.T) {
 		})
 	}
 }
+
+func TestExpectedShutdownManagerSecurityContext(t *testing.T) {
+	defaultSecurityContext := func() *corev1.SecurityContext {
+		sc := resource.DefaultSecurityContext()
+
+		// run as non-root user
+		sc.RunAsGroup = ptr.To(int64(65532))
+		sc.RunAsUser = ptr.To(int64(65532))
+
+		// ShutdownManger creates a file to indicate the connection drain process is completed,
+		// so it needs file write permission.
+		sc.ReadOnlyRootFilesystem = nil
+		return sc
+	}
+
+	customSc := &corev1.SecurityContext{
+		Privileged: ptr.To(true),
+		RunAsUser: ptr.To(int64(21)),
+		RunAsGroup: ptr.To(int64(2100)),
+	}
+
+	tests := []struct {
+		name string
+		in *egv1a1.KubernetesContainerSpec
+		expected *corev1.SecurityContext
+	}{
+		{
+			name: "default",
+			in: nil,
+			expected: defaultSecurityContext(),
+		},
+		{
+			name: "default",
+			in: &egv1a1.KubernetesContainerSpec{
+				SecurityContext: customSc,
+			},
+			expected: customSc,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := expectedShutdownManagerSecurityContext(tc.in)
+			require.Equal(t, tc.expected, got)
+		})
+	}
+}
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml
index 87727e4be1c..1214f149ee2 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml
@@ -336,16 +336,7 @@ spec:
               cpu: 10m
               memory: 32Mi
           securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            runAsGroup: 65532
-            runAsNonRoot: true
-            runAsUser: 65532
-            seccompProfile:
-              type: RuntimeDefault
+            privileged: true
          startupProbe:
            failureThreshold: 30
            httpGet:
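Review bot: Both table cases in TestExpectedShutdownManagerSecurityContext are named "default", so the second subtest is reported as default#01 and cannot be selected on its own with -run; rename it `name: "custom",`. The custom case also passes and expects the same `customSc` pointer, so it only proves the input is handed back unchanged, not that any shutdown-manager-specific adjustment is applied; a case whose custom context sets `ReadOnlyRootFilesystem: ptr.To(true)` would pin down what the function is meant to do with that field. The `defaultSecurityContext` helper re-implements the production defaults line by line (including the "ShutdownManger" typo in the copied comment), so it mirrors the implementation rather than specifying it; asserting the few load-bearing fields (RunAsUser, RunAsNonRoot, ReadOnlyRootFilesystem) would make the test's intent clearer.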
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml
index 7827b9eccc7..2af1e053bcb 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml
@@ -335,16 +335,7 @@ spec:
               cpu: 10m
               memory: 32Mi
           securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            runAsGroup: 65532
-            runAsNonRoot: true
-            runAsUser: 65532
-            seccompProfile:
-              type: RuntimeDefault
+            privileged: true
          startupProbe:
            failureThreshold: 30
            httpGet:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml
index b75e8ec22ad..50f2fbb6149 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml
@@ -339,16 +339,7 @@ spec:
               cpu: 10m
               memory: 32Mi
           securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            runAsGroup: 65532
-            runAsNonRoot: true
-            runAsUser: 65532
-            seccompProfile:
-              type: RuntimeDefault
+            privileged: true
          startupProbe:
            failureThreshold: 30
            httpGet:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml
index 53ec48429c1..fdd2a5ad81b 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml
@@ -339,16 +339,7 @@ spec:
               cpu: 10m
               memory: 32Mi
           securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            runAsGroup: 65532
-            runAsNonRoot: true
-            runAsUser: 65532
-            seccompProfile:
-              type: RuntimeDefault
+            privileged: true
          startupProbe:
            failureThreshold: 30
            httpGet:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml
index a312bb39a61..6d0ef21c6f6 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml
@@ -341,16 +341,7 @@ spec:
               cpu: 10m
               memory: 32Mi
           securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            runAsGroup: 65532
-            runAsNonRoot: true
-            runAsUser: 65532
-            seccompProfile:
-              type: RuntimeDefault
+            privileged: true
          startupProbe:
            failureThreshold: 30
            httpGet:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml
index e4518aa9be7..4913ef2f881 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml
@@ -343,16 +343,7 @@ spec:
               cpu: 10m
               memory: 32Mi
           securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            runAsGroup: 65532
-            runAsNonRoot: true
-            runAsUser: 65532
-            seccompProfile:
-              type: RuntimeDefault
+            privileged: true
          startupProbe:
            failureThreshold: 30
            httpGet:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml
index 5d34ac37081..e3d1a9eac5e 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml
@@ -340,16 +340,7 @@ spec:
               cpu: 10m
               memory: 32Mi
           securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            runAsGroup: 65532
-            runAsNonRoot: true
-            runAsUser: 65532
-            seccompProfile:
-              type: RuntimeDefault
+            privileged: true
          startupProbe:
            failureThreshold: 30
            httpGet:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml
index 232fa80b00f..25c91f46023 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml
@@ -344,16 +344,7 @@ spec:
               cpu: 10m
               memory: 32Mi
           securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            runAsGroup: 65532
-            runAsNonRoot: true
-            runAsUser: 65532
-            seccompProfile:
-              type: RuntimeDefault
+            privileged: true
          startupProbe:
            failureThreshold: 30
            httpGet:
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml
index 282e038d84b..4a6e420c035 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml
@@ -344,16 +344,7 @@ spec:
               cpu: 10m
               memory: 32Mi
           securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            runAsGroup: 65532
-            runAsNonRoot: true
-            runAsUser: 65532
-            seccompProfile:
-              type: RuntimeDefault
+            privileged: true
          startupProbe:
            failureThreshold: 30
            httpGet: