diff --git a/library/common-test/tests/container/ports_test.yaml b/library/common-test/tests/container/ports_test.yaml
index 6523d5b2..5fdee78a 100644
--- a/library/common-test/tests/container/ports_test.yaml
+++ b/library/common-test/tests/container/ports_test.yaml
@@ -136,6 +136,13 @@ tests:
 - name: port-name
 containerPort: 1234
 protocol: TCP
+ - documentIndex: *deploymentDoc
+ isNotSubset:
+ path: spec.template.spec.containers[0].securityContext.capabilities
+ content:
+ add:
+ - NET_BIND_SERVICE
+
 - documentIndex: &otherDeploymentDoc 1
 isKind:
 of: Deployment
@@ -147,6 +154,12 @@ tests:
 - name: port-name
 containerPort: 53
 protocol: TCP
+ - documentIndex: *otherDeploymentDoc
+ isSubset:
+ path: spec.template.spec.containers[0].securityContext.capabilities
+ content:
+ add:
+ - NET_BIND_SERVICE
 
 - it: should create the correct ports with hostPort
 set:
diff --git a/library/common-test/tests/secret/validation_test.yaml b/library/common-test/tests/secret/validation_test.yaml
index e91fc68e..6c5ccf4f 100644
--- a/library/common-test/tests/secret/validation_test.yaml
+++ b/library/common-test/tests/secret/validation_test.yaml
@@ -66,7 +66,7 @@ tests:
 data: {}
 asserts:
 - failedTemplate:
- errorMessage: Secret - Expected non-empty
+ errorMessage: Secret - Expected non-empty or
 
 - it: should fail with empty type key
 set:
diff --git a/library/common/Chart.yaml b/library/common/Chart.yaml
index 614f0249..d02169b7 100644
--- a/library/common/Chart.yaml
+++ b/library/common/Chart.yaml
@@ -15,4 +15,4 @@ maintainers:
 name: common
 sources: null
 type: library
-version: 12.2.11
+version: 12.2.12
diff --git a/library/common/templates/lib/container/_securityContext.tpl b/library/common/templates/lib/container/_securityContext.tpl
index 2a9cff42..ce8e14ef 100644
--- a/library/common/templates/lib/container/_securityContext.tpl
+++ b/library/common/templates/lib/container/_securityContext.tpl
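Review bot: Neither new assertion in ports_test.yaml exercises a container whose values already list NET_BIND_SERVICE under capabilities.add, so the de-duplication branch that the companion _securityContext.tpl hunk introduces is not covered and a duplicate entry would pass both `isSubset` and `isNotSubset`. In the second hunk (the port 53 deployment) add a variant where the user's securityContext already carries `add: [NET_BIND_SERVICE]` and assert that the rendered list still contains it exactly once, for example with the framework's length assertion (`lengthEqual` with `count: 1`, if the helm-unittest version in use supports it) alongside the existing `isSubset`. A boundary case at port 1024 would also pin down whether the template is meant to treat 1024 as privileged, which the current two cases (1234 and 53) leave undecided.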
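Review bot: The updated expectation `errorMessage: Secret - Expected non-empty or` in validation_test.yaml ends mid-sentence, which reads like a truncated copy of the template's fail message rather than the full text; the secret template that emits this message is not part of this diff, so it should be confirmed that the string matches exactly, since `failedTemplate.errorMessage` is compared as a whole rather than as a prefix (if only a prefix is intended, `errorPattern` is the appropriate assertion).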
@@ -122,6 +122,16 @@ objectData: The object data to be used to render the container.
 {{- fail "Container - Expected to be defined" -}}
 {{- end -}}
+ {{- $tempObjectData := (dict "shortName" $objectData.podShortName "primary" $objectData.podPrimary) -}}
+ {{- $portRange := fromJson (include "tc.v1.common.lib.helpers.securityContext.getPortRange" (dict "rootCtx" $rootCtx "objectData" $tempObjectData)) -}}
+ {{- if and $portRange.low (le (int $portRange.low) 1024) -}} {{/* If a container wants to bind a port <= 1024 add NET_BIND_SERVICE */}}
+ {{- $addCap := $secContext.capabilities.add -}}
+ {{- if not (mustHas "NET_BIND_SERIVCE" $addCap) -}}
+ {{- $addCap = mustAppend $addCap "NET_BIND_SERVICE" -}}
+ {{- end -}}
+ {{- $_ := set $secContext.capabilities "add" $addCap -}}
+ {{- end -}}
+
 {{- range $key := (list "add" "drop") -}}
 {{- $item := (get $secContext.capabilities $key) -}}
 {{- if not (kindIs "slice" $item) -}}
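Review bot: The presence check `mustHas "NET_BIND_SERIVCE" $addCap` misspells the capability (SERIVCE instead of SERVICE), so it can never match and a container that already declares NET_BIND_SERVICE in capabilities.add gets it appended a second time; the line should read `{{- if not (mustHas "NET_BIND_SERVICE" $addCap) -}}`, or better, bind the name once (`{{- $netBind := "NET_BIND_SERVICE" -}}`) and use it in both the lookup and the append so the two literals cannot drift apart again. The range test `le (int $portRange.low) 1024` also grants the capability for port 1024, which is not a privileged port (Linux treats 0–1023 as privileged by default via net.ipv4.ip_unprivileged_port_start), so `lt (int $portRange.low) 1024` avoids handing a container a capability it does not need, and the trailing comment should then say `< 1024`. If `$secContext.capabilities.add` can be unset or a non-list at this point (the `range` below guards each entry with `kindIs "slice"`, which suggests it can), confirm that mustHas and mustAppend tolerate that value instead of aborting the render, and that `$secContext.capabilities` is guaranteed to be a map before `set` is called on it. The enclosing define starts before this hunk, so where `$secContext` and `$rootCtx` are established is not visible here.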