From 20a46220d95396661be875049700ab67e5dd913a Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 29 Oct 2024 20:58:03 -0400 Subject: [PATCH] feat(chart): Make security context configurable (#4536) * Make security context configurable Signed-off-by: Tamal Saha * make gen-check Signed-off-by: Tamal Saha * Update current.yaml Signed-off-by: Tamal Saha --------- Signed-off-by: Tamal Saha --- charts/gateway-helm/README.md | 9 +- charts/gateway-helm/templates/certgen.yaml | 12 +- .../templates/envoy-gateway-deployment.yaml | 17 +- charts/gateway-helm/values.tmpl.yaml | 23 + release-notes/current.yaml | 2 +- .../en/latest/install/gateway-helm-api.md | 9 +- .../zh/latest/install/gateway-helm-api.md | 9 +- .../certjen-custom-scheduling.out.yaml | 4 +- .../control-plane-with-pdb.out.yaml | 4 +- .../helm/gateway-helm/default-config.out.yaml | 4 +- .../deployment-custom-topology.out.yaml | 4 +- .../deployment-images-config.out.yaml | 4 +- .../deployment-priorityclass.out.yaml | 4 +- .../deployment-securitycontext.in.yaml | 32 + .../deployment-securitycontext.out.yaml | 574 ++++++++++++++++++ .../envoy-gateway-config.out.yaml | 4 +- .../global-images-config.out.yaml | 4 +- .../gateway-helm/service-annotations.out.yaml | 4 +- 18 files changed, 677 insertions(+), 46 deletions(-) create mode 100644 test/helm/gateway-helm/deployment-securitycontext.in.yaml create mode 100644 test/helm/gateway-helm/deployment-securitycontext.out.yaml diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 61942016a29..5d9cecf616b 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md 
@@ -59,7 +59,7 @@ To uninstall the chart: | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
@@ -71,6 +71,13 @@ To uninstall the chart: | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml index 00b7b6f8dca..f98c414ba22 100644 --- a/charts/gateway-helm/templates/certgen.yaml +++ b/charts/gateway-helm/templates/certgen.yaml @@ -39,17 +39,7 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsGroup: 65534 - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault + {{- toYaml .Values.certgen.job.securityContext | nindent 10 }} {{- include "eg.image.pullSecrets" . | nindent 6 }} {{- with .Values.certgen.job.affinity }} affinity: diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index 0be895fe76f..7746dd2e4ac 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml 
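Review bot: The new `securityContext:` line in certgen.yaml renders `.Values.certgen.job.securityContext` unconditionally, so a value that is nulled out (for example `--set certgen.job.securityContext=null`) renders, as far as I can tell, as `securityContext: null` and the job runs with only the pod/namespace defaults, silently losing the non-root, drop-ALL and seccomp baseline the template previously hard-coded; the container spec this sits in starts and ends outside the hunk. If the chart intends that baseline to be mandatory, `{{- toYaml (required "certgen.job.securityContext must be set" .Values.certgen.job.securityContext) | nindent 10 }}` fails at render time instead (an empty map `{}` would still pass `required`, so this only guards the null case). The same applies to the `securityContext:` line added to envoy-gateway-deployment.yaml in the next file. Worth keeping in mind when documenting this: Helm deep-merges user values over chart defaults, so overriding a single key such as `runAsUser` keeps the remaining fields, but `capabilities.drop` is a list and is replaced wholesale by any override.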
+++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml @@ -30,7 +30,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.deployment.pod.nodeSelector }} - nodeSelector: + nodeSelector: {{ toYaml . | nindent 8 }} {{- end }} {{- with .Values.deployment.pod.topologySpreadConstraints }} @@ -73,19 +73,10 @@ spec: port: 8081 initialDelaySeconds: 5 periodSeconds: 10 - resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 - }} + resources: + {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsNonRoot: true - runAsGroup: 65532 - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault + {{- toYaml .Values.deployment.envoyGateway.securityContext | nindent 10 }} volumeMounts: - mountPath: /config name: envoy-gateway-config diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 90e72f09956..cfcd9532491 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -35,6 +35,17 @@ deployment: requests: cpu: 100m memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault ports: - name: grpc port: 18000 @@ -86,6 +97,18 @@ certgen: tolerations: [] nodeSelector: {} ttlSecondsAfterFinished: 30 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault rbac: annotations: {} labels: {} diff --git a/release-notes/current.yaml b/release-notes/current.yaml index cf4ea00691b..1268ce35b0f 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
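Review bot: The two `securityContext` maps added to values.tmpl.yaml carry no comment, and the regenerated README rows for `deployment.envoyGateway.securityContext.*` have an empty Description column, so an operator sees the new knobs without any statement of what the defaults guarantee or what lowering them costs. The `certgen` row does carry a description, which suggests the README is generated from `# --` style comments in this file; a comment above each new map along the lines of `# -- Container securityContext for the Envoy Gateway controller. The defaults satisfy the Pod Security Standards "restricted" profile (non-root, no privilege escalation, all capabilities dropped, RuntimeDefault seccomp); weakening them will be rejected in namespaces that enforce that profile via Pod Security Admission.` would surface there. It would also help to state why `readOnlyRootFilesystem: true` is the default for the certgen job but absent from the deployment (the pre-existing hard-coded blocks differed the same way, so this is not a regression), or to add it to the deployment default if the controller does not need a writable root filesystem. The `deployment:` and `certgen:` maps these keys belong to start outside the hunks.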
@@ -10,7 +10,7 @@ security updates: | # New features or capabilities added in this release. new features: | - Add a new feature here + Add support for modifying container securityContext for Envoy Gateway deployment in Helm # Fixes for bugs identified in previous versions. bug fixes: | diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 99023e65c6c..bb817b992dc 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md 
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
@@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md index 99023e65c6c..bb817b992dc 100644 --- a/site/content/zh/latest/install/gateway-helm-api.md +++ b/site/content/zh/latest/install/gateway-helm-api.md 
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
@@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index f0c1e0d1309..37d0212f719 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -563,8 +563,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index ab0c09e3ed3..69f08e1dbb7 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml 
@@ -447,8 +447,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -578,8 +578,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 655c1b7fbeb..6e1b1846bae 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -563,8 +563,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 879ca6a2351..0bc5809337c 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -460,8 +460,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -591,8 +591,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 28eba2f209e..f99a89039d8 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml 
@@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 28375ac5bf0..3757e360d95 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -564,8 +564,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-securitycontext.in.yaml b/test/helm/gateway-helm/deployment-securitycontext.in.yaml new file mode 100644 index 00000000000..47b8d1cec23 --- /dev/null +++ b/test/helm/gateway-helm/deployment-securitycontext.in.yaml @@ -0,0 +1,32 @@ +global: + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always +deployment: + envoyGateway: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault +certgen: + job: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault 
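Review bot: The new input fixture deployment-securitycontext.in.yaml differs from the chart defaults only in `runAsUser`/`runAsGroup`, so the golden output checks that values are substituted but not the merge behaviour the change introduces: a key removed with `null`, an empty `securityContext: {}`, or a replaced `capabilities.drop` list, which is exactly where a consumer would most plausibly end up with a weaker job or deployment than intended. A second fixture covering one of those cases (or adding `readOnlyRootFilesystem: true` to the deployment override here) would pin that behaviour.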
diff --git a/test/helm/gateway-helm/deployment-securitycontext.out.yaml b/test/helm/gateway-helm/deployment-securitycontext.out.yaml
new file mode 100644
index 00000000000..e98bd1e9730
--- /dev/null
+++ b/test/helm/gateway-helm/deployment-securitycontext.out.yaml
@@ -0,0 +1,574 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- 
apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: 
gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - deletecollection + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: 
gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + 
prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + 
"helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: 
docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index e401a1062ee..fb1e51f2209 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -434,8 +434,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 14129b666b6..ebcda594b19 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -436,8 +436,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -569,8 +569,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml index 64676e18497..9d37bdffcde 100644 --- a/test/helm/gateway-helm/service-annotations.out.yaml 
+++ b/test/helm/gateway-helm/service-annotations.out.yaml @@ -434,8 +434,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault