From 0c3e9d2baa8a5f30fcd0d3bd571d2e92bc9a9005 Mon Sep 17 00:00:00 2001
From: Kjeld Schouten-Lebbing
Date: Sun, 3 Oct 2021 15:17:55 +0200
Subject: [PATCH] (feat) automaticly set NET_BIND_SERVICE based on (target)port in services (#1085)
---
 .github/workflows/apps.test.yaml | 2 +-
 .../common-test/ci/privport-values.yaml | 0
 charts/library/common/Chart.yaml | 2 +-
 .../common/templates/lib/chart/_values.tpl | 52 +++++++++++++++++++
 charts/library/common/values.yaml | 9 ++++
 5 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 charts/library/common-test/ci/privport-values.yaml
diff --git a/.github/workflows/apps.test.yaml b/.github/workflows/apps.test.yaml
index 2ad2f14196a..9fafcca2824 100644
--- a/.github/workflows/apps.test.yaml
+++ b/.github/workflows/apps.test.yaml
@@ -127,7 +127,7 @@ jobs:
 if: ${{ matrix.app != 'common' && matrix.app != '.gitkee' }}
 uses: nolar/setup-k3d-k3s@v1
 with:
- version: v1.19
+ version: v1.22.2+k3s1
 ## TODO: Fix common-test
 - name: Run chart-testing (install)
diff --git a/charts/library/common-test/ci/privport-values.yaml b/charts/library/common-test/ci/privport-values.yaml
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/charts/library/common/Chart.yaml b/charts/library/common/Chart.yaml
index 81e08e5fe65..08ea514c141 100644
--- a/charts/library/common/Chart.yaml
+++ b/charts/library/common/Chart.yaml
@@ -15,4 +15,4 @@ maintainers:
 name: common
 sources: null
 type: library
-version: 8.0.13
+version: 8.1.0
diff --git a/charts/library/common/templates/lib/chart/_values.tpl b/charts/library/common/templates/lib/chart/_values.tpl
index 85ec36767aa..208a8064956 100644
--- a/charts/library/common/templates/lib/chart/_values.tpl
+++ b/charts/library/common/templates/lib/chart/_values.tpl
@@ -137,6 +137,7 @@
 {{- $_ := set .Values.securityContext "privileged" true -}}
 {{- end }}
+ {{/* save supplementalGroups to placeholder variables */}}
 {{- $fixedGroups := list 568 }}
 {{- $valuegroups := list }}
@@ -195,4 +196,55 @@
 {{- end }}
 {{- end }}
+
+ {{/* automatically set CAP_NET_BIND_SERVICE */}}
+ {{- $fixedCapAdd := list }}
+ {{- $customCapAdd := list }}
+ {{- $valueCapAdd := list }}
+ {{- $dynamicCapAdd := list }}
+ {{- $fixedCapDrop := list }}
+ {{- $customCapDrop := list }}
+ {{- $valueCapDrop := list }}
+ {{- $dynamicCapDrop := list }}
+ {{- if .Values.securityContext.capabilities.add }}
+ {{- $valueCapAdd = .Values.securityContext.capabilities.add }}
+ {{- end }}
+ {{- if .Values.securityContext.capabilities.drop }}
+ {{- $valueCapDrop = .Values.securityContext.capabilities.drop }}
+ {{- end }}
+ {{- if .Values.customCapabilities.add }}
+ {{- $customCapAdd = .Values.customCapabilities.add }}
+ {{- end }}
+ {{- if .Values.customCapabilities.drop }}
+ {{- $customCapDrop = .Values.customCapabilities.drop }}
+ {{- end }}
+
+ {{- $privPort := false }}
+ {{- range .Values.service }}
+ {{- range $name, $values := .ports }}
+ {{- if and ( $values.targetPort ) ( kindIs "int" $values.targetPort ) }}
+ {{- if ( semverCompare "<= 1024" ( toString $values.targetPort ) ) }}
+ {{- $privPort = true }}
+ {{- end }}
+ {{- else }}
+ {{- if ( semverCompare "<= 1024" ( toString $values.port ) ) }}
+ {{- $privPort = true }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{- if $privPort }}
+ {{- $dynamicCapAdd = list "NET_BIND_SERVICE" }}
+ {{- end }}
+
+ {{/* combine and write all capabilities to .Values */}}
+ {{- $CapAdd := concat $fixedCapAdd $valueCapAdd $dynamicCapAdd }}
+ {{- $CapDrop := concat $fixedCapDrop $valueCapDrop $dynamicCapDrop }}
+ {{- if $CapDrop }}
+ {{- $_ := set .Values.securityContext.capabilities "drop" $CapDrop -}}
+ {{- end }}
+ {{- if $CapAdd }}
+ {{- $_ := set .Values.securityContext.capabilities "add" $CapAdd -}}
+ {{- end }}
 {{- end -}}
diff --git a/charts/library/common/values.yaml b/charts/library/common/values.yaml
index 1ced4497732..f647aae0ee7 100644
--- a/charts/library/common/values.yaml
+++ b/charts/library/common/values.yaml
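Review bot: `$customCapAdd` and `$customCapDrop` are filled from `.Values.customCapabilities` but never reach the two `concat` calls, so the `customCapabilities` key this commit introduces in values.yaml has no effect; the lines should read `{{- $CapAdd := concat $fixedCapAdd $valueCapAdd $customCapAdd $dynamicCapAdd }}` and `{{- $CapDrop := concat $fixedCapDrop $valueCapDrop $customCapDrop $dynamicCapDrop }}`. The port test is also off by one and fragile: only ports below 1024 need CAP_NET_BIND_SERVICE, so `semverCompare "<= 1024"` grants the capability for port 1024 as well, and routing a numeric comparison through a semver parser will abort rendering on any non-numeric `port` value (an unset port stringified, for instance); `{{- if lt (int $values.targetPort) 1024 }}` for the int branch, and the same on `$values.port` guarded for an unset value, states the intent directly. The `else` branch falls back to the Service `port` whenever `targetPort` is a named string, but the capability is needed for the port the container process binds, so for a named targetPort this is a guess and deserves a comment saying so. The loops walk every entry of `.Values.service` and `.ports` regardless of any `enabled` flag, so a disabled port would still widen the capability set if such flags exist in this chart. Finally, the new `privport-values.yaml` CI values file in this commit is empty, so nothing in CI exercises the branch that adds NET_BIND_SERVICE.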
@@ -244,6 +244,11 @@ dnsConfig:
 # [[ref]](https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#accessing-the-service)
 enableServiceLinks: false
+# -- Can be used to set securityContext.capabilities outside of the GUI on TrueNAS SCALE
+customCapabilities:
+ drop: []
+ add: []
+
 # -- Configure the Security Context for the Pod
 podSecurityContext:
 runAsUser: 568
@@ -258,6 +263,10 @@ securityContext:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
+ capabilities:
+ drop: []
+ add: []
+
 # -- Configure the lifecycle for the main container
 lifecycle: {}
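Review bot: The `capabilities:` block added under `securityContext` carries no `# --` helm-docs comment, while the neighbouring keys in this file all do, so the generated chart docs will list it without a description; a line such as `# -- Capabilities added to or dropped from the main container; add is merged with what the chart derives itself (NET_BIND_SERVICE for low ports)` above `capabilities:` closes that gap. The default `drop: []` removes nothing, so even with `runAsNonRoot: true` and `allowPrivilegeEscalation: false` the container keeps the runtime's default capability set; if a hardened baseline is intended, documenting that operators may set `drop: ["ALL"]` here is worth adding. The `customCapabilities` key in the first hunk likewise does not say how it combines with `securityContext.capabilities`, and the `_values.tpl` hunk of this commit currently does not merge it at all.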