(feat) automaticly set NET_BIND_SERVICE based on (target)port in services (#1085)
committed by
GitHub
parent
44a1b5476b
commit
0c3e9d2baa
2
.github/workflows/apps.test.yaml
@@ -127,7 +127,7 @@ jobs:
|
||||
if: ${{ matrix.app != 'common' && matrix.app != '.gitkee' }}
|
||||
uses: nolar/setup-k3d-k3s@v1
|
||||
with:
|
||||
version: v1.19
|
||||
version: v1.22.2+k3s1
|
||||
|
||||
## TODO: Fix common-test
|
||||
- name: Run chart-testing (install)
|
||||
|
||||
0
charts/library/common-test/ci/privport-values.yaml
@@ -15,4 +15,4 @@ maintainers:
|
||||
name: common
|
||||
sources: null
|
||||
type: library
|
||||
version: 8.0.13
|
||||
version: 8.1.0
|
||||
|
||||
@@ -137,6 +137,7 @@
|
||||
{{- $_ := set .Values.securityContext "privileged" true -}}
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{/* save supplementalGroups to placeholder variables */}}
|
||||
{{- $fixedGroups := list 568 }}
|
||||
{{- $valuegroups := list }}
|
||||
@@ -195,4 +196,55 @@
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{/* automatically set CAP_NET_BIND_SERVICE */}}
|
||||
{{- $fixedCapAdd := list }}
|
||||
{{- $customCapAdd := list }}
|
||||
{{- $valueCapAdd := list }}
|
||||
{{- $dynamicCapAdd := list }}
|
||||
{{- $fixedCapDrop := list }}
|
||||
{{- $customCapDrop := list }}
|
||||
{{- $valueCapDrop := list }}
|
||||
{{- $dynamicCapDrop := list }}
|
||||
{{- if .Values.securityContext.capabilities.add }}
|
||||
{{- $valueCapAdd = .Values.securityContext.capabilities.add }}
|
||||
{{- end }}
|
||||
{{- if .Values.securityContext.capabilities.drop }}
|
||||
{{- $valueCapDrop = .Values.securityContext.capabilities.drop }}
|
||||
{{- end }}
|
||||
{{- if .Values.customCapabilities.add }}
|
||||
{{- $customCapAdd = .Values.customCapabilities.add }}
|
||||
{{- end }}
|
||||
{{- if .Values.customCapabilities.drop }}
|
||||
{{- $customCapDrop = .Values.customCapabilities.drop }}
|
||||
{{- end }}
|
||||
|
||||
{{- $privPort := false }}
|
||||
{{- range .Values.service }}
|
||||
{{- range $name, $values := .ports }}
|
||||
{{- if and ( $values.targetPort ) ( kindIs "int" $values.targetPort ) }}
|
||||
{{- if ( semverCompare "<= 1024" ( toString $values.targetPort ) ) }}
|
||||
{{- $privPort = true }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- if ( semverCompare "<= 1024" ( toString $values.port ) ) }}
|
||||
{{- $privPort = true }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if $privPort }}
|
||||
{{- $dynamicCapAdd = list "NET_BIND_SERVICE" }}
|
||||
{{- end }}
|
||||
|
||||
{{/* combine and write all capabilities to .Values */}}
|
||||
{{- $CapAdd := concat $fixedCapAdd $valueCapAdd $dynamicCapAdd }}
|
||||
{{- $CapDrop := concat $fixedCapDrop $valueCapDrop $dynamicCapDrop }}
|
||||
{{- if $CapDrop }}
|
||||
{{- $_ := set .Values.securityContext.capabilities "drop" $CapDrop -}}
|
||||
{{- end }}
|
||||
{{- if $CapAdd }}
|
||||
{{- $_ := set .Values.securityContext.capabilities "add" $CapAdd -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
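Review bot: The privileged-port test `semverCompare "<= 1024"` (used in both the targetPort branch and the `.port` fallback) is off by one: only ports below 1024 require CAP_NET_BIND_SERVICE, so a service on port 1024 is granted a capability it does not need. Comparing port numbers by parsing them as semver strings is also fragile; `lt (int $values.targetPort) 1024` states the intent directly. Separately, `$customCapAdd` and `$customCapDrop` are filled from `.Values.customCapabilities` but never passed to the `concat` calls that build `$CapAdd` and `$CapDrop`, so the customCapabilities values added by this commit are silently discarded. Note also that Helm presumably hands numeric values from values.yaml to templates as float64 rather than int, in which case `kindIs "int" $values.targetPort` fails for a plain numeric targetPort and the check falls through to `.port` — worth confirming with a rendered test such as the new privport-values.yaml. The enclosing define starts before this hunk.
```helm
{{/* … unchanged: capability list initialisation and range over .Values.service … */}}
{{- if lt (int $values.targetPort) 1024 }}
{{/* … unchanged: else branch … */}}
{{- if lt (int $values.port) 1024 }}
{{/* … unchanged: $privPort handling … */}}
{{- $CapAdd := concat $fixedCapAdd $valueCapAdd $customCapAdd $dynamicCapAdd }}
{{- $CapDrop := concat $fixedCapDrop $valueCapDrop $customCapDrop $dynamicCapDrop }}
```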
@@ -244,6 +244,11 @@ dnsConfig:
|
||||
# [[ref]](https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#accessing-the-service)
|
||||
enableServiceLinks: false
|
||||
|
||||
# -- Can be used to set securityContext.capabilities outside of the GUI on TrueNAS SCALE
|
||||
customCapabilities:
|
||||
drop: []
|
||||
add: []
|
||||
|
||||
# -- Configure the Security Context for the Pod
|
||||
podSecurityContext:
|
||||
runAsUser: 568
|
||||
@@ -258,6 +263,10 @@ securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop: []
|
||||
add: []
|
||||
|
||||
|
||||
# -- Configure the lifecycle for the main container
|
||||
lifecycle: {}
|
||||
|
||||
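Review bot: The new `capabilities` default of `drop: []` / `add: []` under `securityContext` leaves the container's full default capability set in place, which is weaker than the neighbouring `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` suggest. Because the template only writes `drop` when the combined list is non-empty, an empty default is effectively no setting at all; a baseline of `drop: ["ALL"]`, with the automatic NET_BIND_SERVICE addition and `securityContext.capabilities.add` restoring what an app needs, would match the least-privilege intent of this commit. That is a behaviour change for apps relying on default capabilities, so it may belong in a follow-up rather than here. The `customCapabilities` keys in the earlier hunk would also read better with a per-key comment such as `# -- Capability names to add, e.g. NET_BIND_SERVICE`.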