From 95f3a28acd3c392ce7b7eaf340f3665184ab9295 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Thu, 24 Aug 2023 16:32:49 -0400
Subject: [PATCH] NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext (#2787)

* Add NET_BIND_SERVICE capability to Consul's restricted securityContext
* Add changelog entry
* Update related bats tests
* Change type of release note
---
 .changelog/2787.txt | 3 +++
 charts/consul/templates/_helpers.tpl | 2 ++
 charts/consul/test/unit/server-statefulset.bats | 6 ++++--
 3 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/2787.txt

diff --git a/.changelog/2787.txt b/.changelog/2787.txt
new file mode 100644
index 0000000000..2fe921ef23
--- /dev/null
+++ b/.changelog/2787.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane
+```
diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
index f3ab8cb636..044833c11d 100644
--- a/charts/consul/templates/_helpers.tpl
+++ b/charts/consul/templates/_helpers.tpl
@@ -23,6 +23,8 @@ securityContext:
 capabilities:
 drop:
 - ALL
+ add:
+ - NET_BIND_SERVICE
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats
index afbe361ba4..3248f14da3 100755
--- a/charts/consul/test/unit/server-statefulset.bats
+++ b/charts/consul/test/unit/server-statefulset.bats
@@ -856,7 +856,8 @@ load _helpers
 local expected=$(echo '{
 "allowPrivilegeEscalation": false,
 "capabilities": {
- "drop": ["ALL"]
+ "drop": ["ALL"],
+ "add": ["NET_BIND_SERVICE"]
 },
 "readOnlyRootFilesystem": true,
 "runAsNonRoot": true,
@@ -888,7 +889,8 @@ load _helpers
 local expected=$(echo '{
 "allowPrivilegeEscalation": false,
 "capabilities": {
- "drop": ["ALL"]
+ "drop": ["ALL"],
+ "add": ["NET_BIND_SERVICE"]
 },
 "readOnlyRootFilesystem": true,
 "runAsNonRoot": true,
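Review bot: The new `add:` / `- NET_BIND_SERVICE` lines in the _helpers.tpl hunk grant the capability to every container rendered through this shared helper, and the updated server-statefulset.bats expectations show the Consul server pod is among them, while the changelog entry scopes the change to consul-dataplane only. If only the dataplane needs to bind a port below 1024, consider gating the `add` on the caller so the server and other workloads keep the previous drop-ALL profile, or at minimum document the wider scope next to the new lines, e.g. `{{/* NET_BIND_SERVICE: lets a non-root process bind ports below 1024; applies to every workload that uses this helper */}}`. The enclosing `define` block starts outside the hunk, so which templates include it is inferred from the tests rather than visible here.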