diff --git a/CHANGELOG.md b/CHANGELOG.md
index e79fa1cd1b..aa1bc48e78 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,8 @@ IMPROVEMENTS:
 transparent proxy is enabled. [[GH-517](https://github.com/hashicorp/consul-k8s/pull/517)]
 * Connect: Don't set security context for the Envoy proxy when on OpenShift and transparent proxy is disabled. [[GH-521](https://github.com/hashicorp/consul-k8s/pull/521)]
+* Connect: `consul-connect-inject-init` run with `privileged: true` when transparent proxy is enabled.
+ [[GH-524](https://github.com/hashicorp/consul-k8s/pull/524)]
 BUG FIXES:
 * Connect: Process every Address in an Endpoints object before returning an error. This ensures an address that isn't reconciled successfully doesn't prevent the remaining addresses from getting reconciled. [[GH-519](https://github.com/hashicorp/consul-k8s/pull/519)]
diff --git a/connect-inject/container_init.go b/connect-inject/container_init.go
index 0e48fec909..4a0c4be63f 100644
--- a/connect-inject/container_init.go
+++ b/connect-inject/container_init.go
@@ -208,6 +208,7 @@ func (h *Handler) containerInit(namespace corev1.Namespace, pod corev1.Pod) (cor
 RunAsGroup: pointerToInt64(rootUserAndGroupID),
 // RunAsNonRoot overrides any setting in the Pod so that we can still run as root here as required.
 RunAsNonRoot: pointerToBool(false),
+ Privileged: pointerToBool(true),
 Capabilities: &corev1.Capabilities{
 Add: []corev1.Capability{netAdminCapability},
 },
diff --git a/connect-inject/container_init_test.go b/connect-inject/container_init_test.go
index e5c7c31f74..8e1e4a5e8f 100644
--- a/connect-inject/container_init_test.go
+++ b/connect-inject/container_init_test.go
@@ -287,6 +287,7 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) {
 expectedSecurityContext := &corev1.SecurityContext{
 RunAsUser: pointerToInt64(0),
 RunAsGroup: pointerToInt64(0),
+ Privileged: pointerToBool(true),
 Capabilities: &corev1.Capabilities{
 Add: []corev1.Capability{netAdminCapability},
 },
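Review bot: `Privileged: pointerToBool(true)` is a far broader grant than the `NET_ADMIN` capability this security context already adds for the init container — Kubernetes documents privileged containers as essentially equivalent to root on the host and the common runtimes give them every capability, so the explicit `Add: []corev1.Capability{netAdminCapability}` becomes redundant and the commit does not say what privileged mode is needed for beyond it. The new line deserves a why-comment in the style of the `RunAsNonRoot` one above it, e.g. `// Privileged is needed in addition to NET_ADMIN because <reason>; it implies all capabilities, so keep it limited to the transparent-proxy init container.` If the need is specific to one platform (the neighbouring OpenShift-specific handling in this release suggests such differences exist), gating it on that condition rather than setting it for every transparent-proxy pod would keep the grant closer to least privilege. It is also worth stating in the changelog entry that clusters enforcing a no-privileged-containers policy (Pod Security admission, PSP, OpenShift SCC) will now reject injected pods. The body of `containerInit` starts and ends outside this hunk, so whether this is already conditional on transparent proxy being enabled is not visible here.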
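Review bot: The test only pins `Privileged: pointerToBool(true)` for the transparent-proxy case; the security-relevant regression guard is the negative one, that the init container is not privileged when transparent proxy is disabled. If the non-transparent-proxy test (not visible in this hunk) compares the whole `SecurityContext` with `Privileged` left nil, that is already covered; otherwise add an explicit assertion there that `container.SecurityContext.Privileged` is nil, so a later refactor cannot silently make every injected pod privileged. `TestHandlerContainerInit_transparentProxy` starts before and continues past this hunk.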