OSSM-5556: Set net.ipv4.ip_unprivileged_port_start=0 in ingress and…

… egress gateways (maistra#951) * OSSM-5556: Use net.ipv4.ip_unprivileged_port_start=0 in gateways chart Signed-off-by: Jacek Ewertowski <[email protected]> * Apply change to injected-deployment Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
jewertow · Mar 13, 2024 · eb8ce0e · eb8ce0e
1 parent 430a0d8
commit eb8ce0e
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 20 deletions.
diff --git a/manifests/charts/gateways/istio-egress/templates/deployment.yaml b/manifests/charts/gateways/istio-egress/templates/deployment.yaml
@@ -61,6 +61,9 @@ spec:
         runAsGroup: 1337
         runAsNonRoot: true
         fsGroup: 1337
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
 {{- end }}
       serviceAccountName: {{ $gateway.name }}-service-account
 {{- if .Values.global.priorityClassName }}
@@ -210,10 +213,6 @@ spec:
           - name: TRUST_DOMAIN
             value: "{{ .Values.meshConfig.trustDomain }}"
           {{- end }}
-          {{- if not $gateway.runAsRoot }}
-          - name: ISTIO_META_UNPRIVILEGED_POD
-            value: "true"
-          {{- end }}
           {{- range $key, $val := $gateway.env }}
           - name: {{ $key }}
             value: "{{ $val }}"

diff --git a/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml b/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml
@@ -61,6 +61,9 @@ spec:
         runAsGroup: 1337
         runAsNonRoot: true
         fsGroup: 1337
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
 {{- end }}
       serviceAccountName: {{ $gateway.name | default "istio-egressgateway" }}-service-account
 {{- if .Values.global.priorityClassName }}
@@ -96,10 +99,6 @@ spec:
 {{ toYaml .Values.global.defaultResources | indent 12 }}
 {{- end }}
           env:
-          {{- if not $gateway.runAsRoot }}
-          - name: ISTIO_META_UNPRIVILEGED_POD
-            value: "true"
-          {{- end }}
           {{- range $key, $val := $gateway.env }}
           - name: {{ $key }}
             value: {{ $val | quote }}

diff --git a/manifests/charts/gateways/istio-egress/values.yaml b/manifests/charts/gateways/istio-egress/values.yaml
@@ -5,12 +5,12 @@ gateways:
     name: istio-egressgateway
     ports:
     - port: 80
-      targetPort: 8080
+      targetPort: 80
       name: http2
       protocol: TCP
     - port: 443
       name: https
-      targetPort: 8443
+      targetPort: 443
       protocol: TCP
 
     labels:

diff --git a/manifests/charts/gateways/istio-ingress/templates/deployment.yaml b/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
@@ -61,6 +61,9 @@ spec:
         runAsGroup: 1337
         runAsNonRoot: true
         fsGroup: 1337
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
 {{- end }}
       serviceAccountName: {{ $gateway.name }}-service-account
 {{- if .Values.global.priorityClassName }}
@@ -210,10 +213,6 @@ spec:
           - name: TRUST_DOMAIN
             value: "{{ .Values.meshConfig.trustDomain }}"
           {{- end }}
-          {{- if not $gateway.runAsRoot }}
-          - name: ISTIO_META_UNPRIVILEGED_POD
-            value: "true"
-          {{- end }}
           {{- range $key, $val := $gateway.env }}
           - name: {{ $key }}
             value: "{{ $val }}"

diff --git a/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml b/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml
@@ -61,6 +61,9 @@ spec:
         runAsGroup: 1337
         runAsNonRoot: true
         fsGroup: 1337
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
 {{- end }}
       serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
 {{- if .Values.global.priorityClassName }}
@@ -96,10 +99,6 @@ spec:
 {{ toYaml .Values.global.defaultResources | indent 12 }}
 {{- end }}
           env:
-          {{- if not $gateway.runAsRoot }}
-          - name: ISTIO_META_UNPRIVILEGED_POD
-            value: "true"
-          {{- end }}
           {{- range $key, $val := $gateway.env }}
           - name: {{ $key }}
             value: {{ $val | quote }}

diff --git a/manifests/charts/gateways/istio-ingress/values.yaml b/manifests/charts/gateways/istio-ingress/values.yaml
@@ -17,11 +17,11 @@ gateways:
       name: status-port
       protocol: TCP
     - port: 80
-      targetPort: 8080
+      targetPort: 80
       name: http2
       protocol: TCP
     - port: 443
-      targetPort: 8443
+      targetPort: 443
       name: https
       protocol: TCP