Commit

NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext (#2787)

* Add NET_BIND_SERVICE capability to Consul's restricted securityContext

* Add changelog entry

* Update related bats tests

* Change type of release note
nathancoleman authored Aug 24, 2023
1 parent a73c716 commit 95f3a28
Showing 3 changed files with 9 additions and 2 deletions.
3 changes: 3 additions & 0 deletions .changelog/2787.txt
@@ -0,0 +1,3 @@
```release-note:improvement
Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane
```
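Review bot: The release note on the added line names only consul-dataplane and gives no reason for the new capability. The tests updated in this same commit live in server-statefulset.bats, so the entry should either list every workload whose securityContext changes or say that it applies to all containers using the restricted security context. A short clause on why NET_BIND_SERVICE is needed would also help operators who audit pod capabilities see that the addition is intentional.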
2 changes: 2 additions & 0 deletions charts/consul/templates/_helpers.tpl
Expand Up @@ -23,6 +23,8 @@ securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
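Review bot: The new `add:` / `- NET_BIND_SERVICE` entry under `capabilities:` is unconditional and uncommented, so every template that renders this helper gains the capability directly after `drop:` / `- ALL`. Please add a template comment naming the container that has to bind a port below 1024, and consider gating the `add:` block behind a chart value so workloads that never bind such a port keep an empty capability set. Because `runAsNonRoot: true` stays in place, it is also worth confirming in an acceptance test that the non-root process actually holds the capability at runtime.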
6 changes: 4 additions & 2 deletions charts/consul/test/unit/server-statefulset.bats
Expand Up @@ -856,7 +856,8 @@ load _helpers
local expected=$(echo '{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
"drop": ["ALL"],
"add": ["NET_BIND_SERVICE"]
},
"readOnlyRootFilesystem": true,
"runAsNonRoot": true,
Expand Down Expand Up @@ -888,7 +889,8 @@ load _helpers
local expected=$(echo '{
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
"drop": ["ALL"],
"add": ["NET_BIND_SERVICE"]
},
"readOnlyRootFilesystem": true,
"runAsNonRoot": true,