From ba401ccc96e6f82b0b3d55fa610b6ae7a2c99628 Mon Sep 17 00:00:00 2001
From: Iryna Shustava
Date: Tue, 25 May 2021 13:31:49 -0600
Subject: [PATCH 1/2] consul-connect-inject-init needs to run privileged: true when tproxy is enabled

On OpenShift, if we don't set this value, the container will not provisioned with proper privileges to run iptabels commands
---
 connect-inject/container_init.go | 1 +
 connect-inject/container_init_test.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/connect-inject/container_init.go b/connect-inject/container_init.go
index 0e48fec909..4a0c4be63f 100644
--- a/connect-inject/container_init.go
+++ b/connect-inject/container_init.go
@@ -208,6 +208,7 @@ func (h *Handler) containerInit(namespace corev1.Namespace, pod corev1.Pod) (cor
 RunAsGroup: pointerToInt64(rootUserAndGroupID),
 // RunAsNonRoot overrides any setting in the Pod so that we can still run as root here as required.
 RunAsNonRoot: pointerToBool(false),
+ Privileged: pointerToBool(true),
 Capabilities: &corev1.Capabilities{
 Add: []corev1.Capability{netAdminCapability},
 },
diff --git a/connect-inject/container_init_test.go b/connect-inject/container_init_test.go
index e5c7c31f74..8e1e4a5e8f 100644
--- a/connect-inject/container_init_test.go
+++ b/connect-inject/container_init_test.go
@@ -287,6 +287,7 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) {
 expectedSecurityContext := &corev1.SecurityContext{
 RunAsUser: pointerToInt64(0),
 RunAsGroup: pointerToInt64(0),
+ Privileged: pointerToBool(true),
 Capabilities: &corev1.Capabilities{
 Add: []corev1.Capability{netAdminCapability},
 },
From 0f7a7724b3834816ed239d8c441ee625f89cfd2c Mon Sep 17 00:00:00 2001
From: Iryna Shustava
Date: Tue, 25 May 2021 13:34:16 -0600
Subject: [PATCH 2/2] Update changelog
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e79fa1cd1b..aa1bc48e78 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
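Review bot: `Privileged: pointerToBool(true)` is set unconditionally in this hunk even though the commit message only needs it on OpenShift, and a privileged container gets every Linux capability, host device access and (on most runtimes) no default seccomp/AppArmor confinement, which is far broader than the `NET_ADMIN` the same SecurityContext already adds for the iptables rules. Clusters enforcing PodSecurityPolicy or Pod Security Admission at the baseline level will start rejecting injected pods once this lands, so if the handler already carries an OpenShift setting (the GH-521 changelog entry suggests one exists) the flag should be gated on it rather than applied to every transparent-proxy pod. At minimum the trade-off should be recorded next to the line, e.g. `// Privileged is required on OpenShift for the iptables rules; it implies all capabilities, so the NET_ADMIN add below no longer bounds what this container can do.` containerInit starts and ends outside this hunk, so whether the enclosing branch is already OpenShift-specific is not visible here.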
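Review bot: The expectation `Privileged: pointerToBool(true)` is pinned only in the transparent-proxy test; nothing visible asserts that the field stays unset when transparent proxy is disabled, so a refactor that hoists the flag out of that branch would go unnoticed. Add the negative expectation to the non-tproxy test case (not shown here) using whatever assertion helper the file already uses, checking that the init container's `SecurityContext.Privileged` is nil. TestHandlerContainerInit_transparentProxy continues past the end of this hunk.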
@@ -5,6 +5,8 @@ IMPROVEMENTS: transparent proxy is enabled. [[GH-517](https://github.com/hashicorp/consul-k8s/pull/517)] * Connect: Don't set security context for the Envoy proxy when on OpenShift and transparent proxy is disabled. [[GH-521](https://github.com/hashicorp/consul-k8s/pull/521)] +* Connect: `consul-connect-inject-init` run with `privileged: true` when transparent proxy is enabled. + [[GH-524](https://github.com/hashicorp/consul-k8s/pull/524)] BUG FIXES: * Connect: Process every Address in an Endpoints object before returning an error. This ensures an address that isn't reconciled successfully doesn't prevent the remaining addresses from getting reconciled. [[GH-519](https://github.com/hashicorp/consul-k8s/pull/519)]