set cap for <=1024 port number automagically

2026-06-17 07:27:44 +08:00 · 2023-01-06 14:05:01 +02:00
parent 67ff980ffc
commit bbcc270c5d
9 changed files with 282 additions and 2 deletions
--- a/library/common-test/tests/container_in_deployment/securityContext_test.yaml
+++ b/library/common-test/tests/container_in_deployment/securityContext_test.yaml
@@ -333,3 +333,53 @@ tests:
              add: []
              drop:
                - ALL
+
+  - it: should pass with container port <=1024 defined
+    documentIndex: *deploymentDoc
+    set:
+      service:
+        main:
+          ports:
+            main:
+              port: 5000
+              targetPort: 1024
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 568
+            runAsGroup: 568
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
+              drop:
+                - ALL
+
+  - it: should pass with container port <=1024 defined
+    documentIndex: *deploymentDoc
+    set:
+      service:
+        main:
+          ports:
+            main:
+              port: 5000
+              targetPort: 80
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 568
+            runAsGroup: 568
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
+              drop:
+                - ALL
--- a/library/common-test/tests/initcontainers_in_deployment/additional_containers_in_deployment_test.yaml
+++ b/library/common-test/tests/initcontainers_in_deployment/additional_containers_in_deployment_test.yaml
@@ -587,6 +587,45 @@ tests:
              runAsNonRoot: true
              runAsUser: 568

+  - it: should pass with port <=1024 defined in additional container
+    documentIndex: *deploymentDoc
+    set:
+      additionalContainers:
+        some_container:
+          ports:
+            - name: http
+              containerPort: 80
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0]
+          content:
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                add: []
+                drop:
+                  - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsGroup: 568
+              runAsNonRoot: true
+              runAsUser: 568
+      - isSubset:
+          path: spec.template.spec.containers[1]
+          content:
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                add:
+                  - NET_BIND_SERVICE
+                drop:
+                  - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsGroup: 568
+              runAsNonRoot: true
+              runAsUser: 568
+
  - it: should pass with deviceList defined in additionalContainer
    documentIndex: *deploymentDoc
    set:
--- a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml
+++ b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml
@@ -632,6 +632,45 @@ tests:
              runAsNonRoot: true
              runAsUser: 568

+  - it: should pass with port <=1024 defined in init container
+    documentIndex: *deploymentDoc
+    set:
+      initContainers:
+        some_container:
+          ports:
+            - name: http
+              containerPort: 80
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0]
+          content:
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                add: []
+                drop:
+                  - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsGroup: 568
+              runAsNonRoot: true
+              runAsUser: 568
+      - isSubset:
+          path: spec.template.spec.initContainers[0]
+          content:
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                add:
+                  - NET_BIND_SERVICE
+                drop:
+                  - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsGroup: 568
+              runAsNonRoot: true
+              runAsUser: 568
+
  - it: should pass with securityContext default
    documentIndex: *deploymentDoc
    set:
--- a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml
+++ b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml
@@ -635,6 +635,45 @@ tests:
              runAsNonRoot: true
              runAsUser: 568

+  - it: should pass with port <=1024 defined in init container
+    documentIndex: *deploymentDoc
+    set:
+      initContainers:
+        some_container:
+          ports:
+            - name: http
+              containerPort: 80
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0]
+          content:
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                add: []
+                drop:
+                  - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsGroup: 568
+              runAsNonRoot: true
+              runAsUser: 568
+      - isSubset:
+          path: spec.template.spec.initContainers[0]
+          content:
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                add:
+                  - NET_BIND_SERVICE
+                drop:
+                  - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsGroup: 568
+              runAsNonRoot: true
+              runAsUser: 568
+
  - it: should pass with securityContext default
    documentIndex: *deploymentDoc
    set:
--- a/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml
+++ b/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml
@@ -646,6 +646,45 @@ tests:
              runAsNonRoot: true
              runAsUser: 568

+  - it: should pass with port <=1024 defined in install container
+    documentIndex: *deploymentDoc
+    set:
+      installContainers:
+        some_container:
+          ports:
+            - name: http
+              containerPort: 80
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0]
+          content:
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                add: []
+                drop:
+                  - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsGroup: 568
+              runAsNonRoot: true
+              runAsUser: 568
+      - isSubset:
+          path: spec.template.spec.initContainers[0]
+          content:
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                add:
+                  - NET_BIND_SERVICE
+                drop:
+                  - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsGroup: 568
+              runAsNonRoot: true
+              runAsUser: 568
+
  - it: should pass with securityContext default
    documentIndex: *deploymentDoc
    set:
--- a/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml
+++ b/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml
@@ -648,6 +648,45 @@ tests:
              runAsNonRoot: true
              runAsUser: 568

+  - it: should pass with port <=1024 defined in upgrade container
+    documentIndex: *deploymentDoc
+    set:
+      upgradeContainers:
+        some_container:
+          ports:
+            - name: http
+              containerPort: 80
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0]
+          content:
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                add: []
+                drop:
+                  - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsGroup: 568
+              runAsNonRoot: true
+              runAsUser: 568
+      - isSubset:
+          path: spec.template.spec.initContainers[0]
+          content:
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                add:
+                  - NET_BIND_SERVICE
+                drop:
+                  - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsGroup: 568
+              runAsNonRoot: true
+              runAsUser: 568
+
  - it: should pass with securityContext default
    documentIndex: *deploymentDoc
    set:
--- a/library/common/1.0.0/templates/lib/container/_security.tpl
+++ b/library/common/1.0.0/templates/lib/container/_security.tpl
@@ -10,6 +10,7 @@ The reason is not splitted, is that on one of the places needs a combo of all va
  {{- $root := .root -}}
  {{- $secCont := .secCont -}}
  {{- $deviceList := .deviceList -}}
+  {{- $ports := .ports -}}
  {{- $isMainContainer := .isMainContainer -}}

  {{/* Initialiaze Values */}}
@@ -29,6 +30,34 @@ The reason is not splitted, is that on one of the places needs a combo of all va
  {{/* Overwrite from values that user/dev passed on this container */}}
  {{- $returnValue = mustMergeOverwrite $returnValue $secCont -}}

+  {{- $isPrivilegedPort := false -}}
+
+  {{- if $isMainContainer -}}
+    {{- range $svcName, $svc := $root.Values.service -}}
+      {{- if $svc.enabled -}}
+        {{- range $portName, $port := $svc.ports -}}
+          {{- if $port.enabled -}} {{/* We failback to port if no targetPort is given */}}
+            {{- $portNumber := ($port.targetPort | default $port.port) -}}
+            {{- if le (int $portNumber) 1024 -}}
+              {{- $isPrivilegedPort = true -}}
+            {{- end -}}
+          {{- end -}}
+        {{- end -}}
+      {{- end -}}
+    {{- end -}}
+  {{- else -}}
+    {{- range $port := $ports -}}
+      {{- if le (int $port.containerPort) 1024 -}}
+        {{- $isPrivilegedPort = true -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{/* If at least on port is the specific container uses a port <=1024, add the NET_BIND_SERVICE capability */}}
+  {{- if $isPrivilegedPort -}}
+    {{- $_ := set $returnValue.capabilities "add" (mustAppend $returnValue.capabilities.add "NET_BIND_SERVICE") -}}
+  {{- end -}}
+
  {{/* Devices need privileged container */}}
  {{- if $deviceList -}}
    {{- $_ := set $returnValue "privileged" true -}}
--- a/library/common/1.0.0/templates/lib/container/_securityContext.tpl
+++ b/library/common/1.0.0/templates/lib/container/_securityContext.tpl
@@ -4,10 +4,15 @@
  {{- $isMainContainer := .isMainContainer -}}
  {{- $deviceList := .deviceList -}}
  {{- $scaleGPU := .scaleGPU -}}
+  {{- $ports := .ports -}}
  {{- $root := .root -}}

  {{/* Calculate all security values */}}
-  {{- $security := (include "ix.v1.common.lib.securityContext" (dict "root" $root "secCont" $secCont "deviceList" $deviceList "isMainContainer" $isMainContainer) | fromJson) -}}
+  {{- $security := (include "ix.v1.common.lib.securityContext"  (dict "root" $root
+                                                                      "secCont" $secCont
+                                                                      "deviceList" $deviceList
+                                                                      "isMainContainer" $isMainContainer
+                                                                      "ports" $ports) | fromJson) -}}

  {{/* Only run as root if it's explicitly defined */}}
  {{- if or (eq (int $security.runAsUser) 0) (eq (int $security.runAsGroup) 0) -}}
@@ -21,7 +26,7 @@ runAsGroup: {{ $security.runAsGroup }}
 readOnlyRootFilesystem: {{ $security.readOnlyRootFilesystem }}
 allowPrivilegeEscalation: {{ $security.allowPrivilegeEscalation }}
 privileged: {{ $security.privileged }}
-capabilities: {{/* TODO: add NET_BIND_SERVICE when port < 80 is used? */}}
+capabilities:
  {{- with $security.capabilities.add }}
  add:
    {{- range . }}
--- a/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl
+++ b/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl
@@ -74,6 +74,7 @@
  {{- end -}}
  {{- with (include "ix.v1.common.container.securityContext"  (dict "secCont" $container.securityContext
                                                                    "isMainContainer" false
+                                                                    "ports" $container.ports
                                                                    "deviceList" $container.deviceList
                                                                    "scaleGPU" $container.scaleGPU
                                                                    "root" $root)) | trim }}