(feat) automaticly set NET_BIND_SERVICE based on (target)port in services (#1085)

This commit is contained in:
Kjeld Schouten-Lebbing
2021-10-03 15:17:55 +02:00
committed by GitHub
parent 44a1b5476b
commit 0c3e9d2baa
5 changed files with 63 additions and 2 deletions


@@ -127,7 +127,7 @@ jobs:
if: ${{ matrix.app != 'common' && matrix.app != '.gitkee' }}
uses: nolar/setup-k3d-k3s@v1
with:
version: v1.19
version: v1.22.2+k3s1
## TODO: Fix common-test
- name: Run chart-testing (install)


@@ -15,4 +15,4 @@ maintainers:
name: common
sources: null
type: library
version: 8.0.13
version: 8.1.0


@@ -137,6 +137,7 @@
{{- $_ := set .Values.securityContext "privileged" true -}}
{{- end }}
{{/* save supplementalGroups to placeholder variables */}}
{{- $fixedGroups := list 568 }}
{{- $valuegroups := list }}
@@ -195,4 +196,55 @@
{{- end }}
{{- end }}
{{/* automatically set CAP_NET_BIND_SERVICE */}}
{{- $fixedCapAdd := list }}
{{- $customCapAdd := list }}
{{- $valueCapAdd := list }}
{{- $dynamicCapAdd := list }}
{{- $fixedCapDrop := list }}
{{- $customCapDrop := list }}
{{- $valueCapDrop := list }}
{{- $dynamicCapDrop := list }}
{{- if .Values.securityContext.capabilities.add }}
{{- $valueCapAdd = .Values.securityContext.capabilities.add }}
{{- end }}
{{- if .Values.securityContext.capabilities.drop }}
{{- $valueCapDrop = .Values.securityContext.capabilities.drop }}
{{- end }}
{{- if .Values.customCapabilities.add }}
{{- $customCapAdd = .Values.customCapabilities.add }}
{{- end }}
{{- if .Values.customCapabilities.drop }}
{{- $customCapDrop = .Values.customCapabilities.drop }}
{{- end }}
{{- $privPort := false }}
{{- range .Values.service }}
{{- range $name, $values := .ports }}
{{- if and ( $values.targetPort ) ( kindIs "int" $values.targetPort ) }}
{{- if ( semverCompare "<= 1024" ( toString $values.targetPort ) ) }}
{{- $privPort = true }}
{{- end }}
{{- else }}
{{- if ( semverCompare "<= 1024" ( toString $values.port ) ) }}
{{- $privPort = true }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if $privPort }}
{{- $dynamicCapAdd = list "NET_BIND_SERVICE" }}
{{- end }}
{{/* combine and write all capabilities to .Values */}}
{{- $CapAdd := concat $fixedCapAdd $valueCapAdd $dynamicCapAdd }}
{{- $CapDrop := concat $fixedCapDrop $valueCapDrop $dynamicCapDrop }}
{{- if $CapDrop }}
{{- $_ := set .Values.securityContext.capabilities "drop" $CapDrop -}}
{{- end }}
{{- if $CapAdd }}
{{- $_ := set .Values.securityContext.capabilities "add" $CapAdd -}}
{{- end }}
{{- end -}}
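Review bot: The custom capability lists are collected but never applied: `$customCapAdd` and `$customCapDrop` are filled from `.Values.customCapabilities` in the middle of the hunk, yet the two `concat` calls near its end combine only the fixed, value and dynamic lists, so the `customCapabilities` keys this commit also adds to values.yaml have no effect on the rendered securityContext. The two lines should read `{{- $CapAdd := concat $fixedCapAdd $valueCapAdd $customCapAdd $dynamicCapAdd }}` and `{{- $CapDrop := concat $fixedCapDrop $valueCapDrop $customCapDrop $dynamicCapDrop }}`. Separately, the privileged range on Linux is ports below 1024, so `semverCompare "<= 1024"` also grants NET_BIND_SERVICE for port 1024 itself; `"< 1024"` in both comparisons keeps the capability to the ports that need it. The fallback to `$values.port` when targetPort is not an int is only a guess at the container's listening port (a named targetPort may resolve to a different number), which deserves a template comment saying so. The closing `{{- end -}}` belongs to a define whose start lies outside this hunk.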


@@ -244,6 +244,11 @@ dnsConfig:
# [[ref]](https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#accessing-the-service)
enableServiceLinks: false
# -- Can be used to set securityContext.capabilities outside of the GUI on TrueNAS SCALE
customCapabilities:
drop: []
add: []
# -- Configure the Security Context for the Pod
podSecurityContext:
runAsUser: 568
@@ -258,6 +263,10 @@ securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop: []
add: []
# -- Configure the lifecycle for the main container
lifecycle: {}
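Review bot: The new `capabilities:` block under `securityContext` carries no `# --` description while its neighbours (`customCapabilities`, `podSecurityContext`, `lifecycle`) each have one, so documentation generated from these comments (presumably helm-docs, judging by the `# --` form) would leave the key undescribed. A line such as `# -- Configure the capabilities of the main container; NET_BIND_SERVICE is added automatically when a service (target)port in the privileged range is configured` above `capabilities:` would record the behaviour the template now adds. Both hunks default `add` to `[]`, which is the right least-privilege starting point; whether `drop` should default to `ALL` instead of `[]` depends on the apps this common chart backs, which this page does not show.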