whops, thats a different range

2026-06-16 23:19:15 +08:00 · 2023-02-11 13:30:11 +02:00
parent e341fc391b
commit 4809a8e7ed
2 changed files with 4 additions and 12 deletions
--- a/library/common-test/tests/pod/securityContext.yaml
+++ b/library/common-test/tests/pod/securityContext.yaml
@@ -206,8 +206,6 @@ tests:
                value: "some_different_value"
              - name: net.ipv4.ip_unprivileged_port_start
                value: "53"
-              - name: net.ipv4.ping_group_range
-                value: "53 80"
      - documentIndex: &otherStatefulSetDoc 1
        isKind:
          of: StatefulSet
@@ -221,8 +219,6 @@ tests:
            sysctls:
              - name: net.ipv4.ip_unprivileged_port_start
                value: "443"
-              - name: net.ipv4.ping_group_range
-                value: "443 443"

  - it: should pass with no sysctls port_start automatically appended based on services when port is higher than 1024
    set:
@@ -253,9 +249,8 @@ tests:
          value:
            fsGroup: 568
            fsGroupChangePolicy: OnRootMismatch
-            sysctls:
-              - name: net.ipv4.ping_group_range
-                value: "3000 3000"
+            supplementalGroups: []
+            sysctls: []

  # Failures
  - it: should fail with empty securityContext from "global"
--- a/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl
+++ b/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl
@@ -26,11 +26,8 @@ objectData: The object data to be used to render the Pod.
    TODO: Unit Test the above cases
    */}}
  {{- $portRange := fromJson (include "ix.v1.common.lib.pod.securityContext.getPortRange" (dict "rootCtx" $rootCtx "objectData" $objectData)) -}}
-  {{- if and $portRange.low $portRange.high -}}
-    {{- if le (int $portRange.low) 1024 -}}
-      {{- $_ := set $secContext "sysctls" (mustAppend $secContext.sysctls (dict "name" "net.ipv4.ip_unprivileged_port_start" "value" (printf "%v" $portRange.low))) -}}
-    {{- end -}}
-    {{- $_ := set $secContext "sysctls" (mustAppend $secContext.sysctls (dict "name" "net.ipv4.ping_group_range" "value" (printf "%v %v" $portRange.low $portRange.high))) -}}
+  {{- if and $portRange.low (le (int $portRange.low) 1024) -}}
+    {{- $_ := set $secContext "sysctls" (mustAppend $secContext.sysctls (dict "name" "net.ipv4.ip_unprivileged_port_start" "value" (printf "%v" $portRange.low))) -}}
  {{- end -}}

  {{- if not $secContext.fsGroup -}}