Merge pull request #3803 from smehboub/fix/podSecurityContext-for-init-intercept

thallgren · web-flow · commit 1b67352715ec · 2025-02-23T17:54:43.000+01:00
fix: set security context for init intercept
diff --git a/charts/telepresence-oss/README.md b/charts/telepresence-oss/README.md
@@ -32,6 +32,7 @@ The following tables lists the configurable parameters of the Telepresence chart
 | agent.logLevel                                       | The logging level for the traffic-agent                                                                                                                             | defaults to logLevel                                                        |
 | agent.resources                                      | The resources for the injected agent container                                                                                                                      |                                                                             |
 | agent.securityContext                                | The security context to use for the injected agent container                                                                                                        | defaults to the securityContext of the first container of the app           |
+| agent.initSecurityContext                            | The security context to use for the injected init container                                                                                                         | `{}`                                                                        |
 | agentInjector.certificate.accessMethod               | Method used by the agent injector to access the certificate (watch or mount).                                                                                       | `watch`                                                                     |
 | agentInjector.certificate.certmanager.commonName     | The common name of the generated Certmanager certificate.                                                                                                           | `agent-injector`                                                            |
 | agentInjector.certificate.certmanager.duration       | The certificate validity duration. (optional value)                                                                                                                 | `2160h0m0s`                                                                 |
diff --git a/charts/telepresence-oss/templates/deployment.yaml b/charts/telepresence-oss/templates/deployment.yaml
@@ -192,6 +192,10 @@ spec:
           - name: AGENT_SECURITY_CONTEXT
             value: '{{ toJson .agent.securityContext }}'
           {{- end }}
+          {{- if .agent.initSecurityContext }}
+          - name: AGENT_INIT_SECURITY_CONTEXT
+            value: '{{ toJson .agent.initSecurityContext }}'
+          {{- end }}
           {{- with fromJsonArray (include "traffic-manager.namespaces" $) }}
           {{- /*
            This environment variable it not used, it's here to force a redeploy of the traffic manager when the list
diff --git a/charts/telepresence-oss/values.yaml b/charts/telepresence-oss/values.yaml
@@ -197,6 +197,7 @@ agent:
   logLevel:
   resources: {}
   initResources: {}
+  initSecurityContext: {}
   appProtocolStrategy: http2Probe
   port: 9900
   image:
diff --git a/cmd/traffic/cmd/manager/managerutil/envconfig.go b/cmd/traffic/cmd/manager/managerutil/envconfig.go
@@ -48,20 +48,21 @@ type Env struct {
 	PodCIDRs        []netip.Prefix `env:"POD_CIDRS,         parser=split-ipnet, default="`
 	PodIP           netip.Addr     `env:"POD_IP,            parser=ip"`
 
-	AgentRegistry            string                      `env:"AGENT_REGISTRY,           parser=string,         default="`
-	AgentImageName           string                      `env:"AGENT_IMAGE_NAME,         parser=string,         default="`
-	AgentImageTag            string                      `env:"AGENT_IMAGE_TAG,          parser=string,         default="`
-	AgentImagePullPolicy     string                      `env:"AGENT_IMAGE_PULL_POLICY,  parser=string,         default="`
-	AgentImagePullSecrets    []core.LocalObjectReference `env:"AGENT_IMAGE_PULL_SECRETS, parser=json-local-refs,default="`
-	AgentInjectPolicy        agentconfig.InjectPolicy    `env:"AGENT_INJECT_POLICY,      parser=enable-policy,  default=Never"`
-	AgentAppProtocolStrategy k8sapi.AppProtocolStrategy  `env:"AGENT_APP_PROTO_STRATEGY, parser=app-proto-strategy, default=http2Probe"`
-	AgentLogLevel            string                      `env:"AGENT_LOG_LEVEL,          parser=logLevel,       defaultFrom=LogLevel"`
-	AgentPort                uint16                      `env:"AGENT_PORT,               parser=port-number,    default=0"`
-	AgentResources           *core.ResourceRequirements  `env:"AGENT_RESOURCES,          parser=json-resources, default="`
-	AgentInitResources       *core.ResourceRequirements  `env:"AGENT_INIT_RESOURCES,     parser=json-resources, default="`
-	AgentInjectorName        string                      `env:"AGENT_INJECTOR_NAME,      parser=string,         default="`
-	AgentInjectorSecret      string                      `env:"AGENT_INJECTOR_SECRET,    parser=string,         default="`
-	AgentSecurityContext     *core.SecurityContext       `env:"AGENT_SECURITY_CONTEXT,   parser=json-security-context, default="`
+	AgentRegistry            string                      `env:"AGENT_REGISTRY,                parser=string,         default="`
+	AgentImageName           string                      `env:"AGENT_IMAGE_NAME,              parser=string,         default="`
+	AgentImageTag            string                      `env:"AGENT_IMAGE_TAG,               parser=string,         default="`
+	AgentImagePullPolicy     string                      `env:"AGENT_IMAGE_PULL_POLICY,       parser=string,         default="`
+	AgentImagePullSecrets    []core.LocalObjectReference `env:"AGENT_IMAGE_PULL_SECRETS,      parser=json-local-refs,default="`
+	AgentInjectPolicy        agentconfig.InjectPolicy    `env:"AGENT_INJECT_POLICY,           parser=enable-policy,  default=Never"`
+	AgentAppProtocolStrategy k8sapi.AppProtocolStrategy  `env:"AGENT_APP_PROTO_STRATEGY,      parser=app-proto-strategy, default=http2Probe"`
+	AgentLogLevel            string                      `env:"AGENT_LOG_LEVEL,               parser=logLevel,       defaultFrom=LogLevel"`
+	AgentPort                uint16                      `env:"AGENT_PORT,                    parser=port-number,    default=0"`
+	AgentResources           *core.ResourceRequirements  `env:"AGENT_RESOURCES,               parser=json-resources, default="`
+	AgentInitResources       *core.ResourceRequirements  `env:"AGENT_INIT_RESOURCES,          parser=json-resources, default="`
+	AgentInjectorName        string                      `env:"AGENT_INJECTOR_NAME,           parser=string,         default="`
+	AgentInjectorSecret      string                      `env:"AGENT_INJECTOR_SECRET,         parser=string,         default="`
+	AgentSecurityContext     *core.SecurityContext       `env:"AGENT_SECURITY_CONTEXT,        parser=json-security-context, default="`
+	AgentInitSecurityContext *core.SecurityContext       `env:"AGENT_INIT_SECURITY_CONTEXT,   parser=json-security-context, default="`
 
 	ClientRoutingAlsoProxySubnets        []netip.Prefix `env:"CLIENT_ROUTING_ALSO_PROXY_SUBNETS,  		parser=split-ipnet, default="`
 	ClientRoutingNeverProxySubnets       []netip.Prefix `env:"CLIENT_ROUTING_NEVER_PROXY_SUBNETS, 		parser=split-ipnet, default="`
@@ -90,6 +91,7 @@ func (e *Env) GeneratorConfig(qualifiedAgentImage string) (agentmap.GeneratorCon
 		PullSecrets:         e.AgentImagePullSecrets,
 		AppProtocolStrategy: e.AgentAppProtocolStrategy,
 		SecurityContext:     e.AgentSecurityContext,
+		InitSecurityContext: e.AgentInitSecurityContext,
 	}, nil
 }
 
diff --git a/cmd/traffic/cmd/manager/mutator/agent_injector_test.go b/cmd/traffic/cmd/manager/mutator/agent_injector_test.go
@@ -1743,7 +1743,8 @@ matchExpressions:
 							Replace:    agentconfig.ReplacePolicyIntercept,
 						},
 					},
-					SecurityContext: nil,
+					SecurityContext:     nil,
+					InitSecurityContext: nil,
 				}),
 				Spec: core.PodSpec{
 					InitContainers: []core.Container{{
diff --git a/pkg/agentconfig/container.go b/pkg/agentconfig/container.go
@@ -277,6 +277,9 @@ func InitContainer(config *Sidecar) *core.Container {
 	if r := config.InitResources; r != nil {
 		ic.Resources = *r
 	}
+	if s := config.InitSecurityContext; s != nil {
+		ic.SecurityContext = s
+	}
 	return ic
 }
 
diff --git a/pkg/agentconfig/sidecar.go b/pkg/agentconfig/sidecar.go
@@ -191,6 +191,9 @@ type Sidecar struct {
 
 	// SecurityContext for the sidecar
 	SecurityContext *core.SecurityContext `json:"securityContext,omitempty"`
+
+	// InitSecurityContext is the SecurityContext for the initContainer sidecar
+	InitSecurityContext *core.SecurityContext `json:"initSecurityContext,omitempty"`
 }
 
 func (s *Sidecar) AgentConfig() *Sidecar {
@@ -249,19 +252,22 @@ func MarshalTight(s SidecarExt) (string, error) {
 	ps := ac.PullSecrets
 	ir := ac.InitResources
 	sc := ac.SecurityContext
+	is := ac.InitSecurityContext
 
 	ac.AgentImage = ""
 	ac.PullPolicy = ""
 	ac.PullSecrets = nil
 	ac.InitResources = nil
 	ac.SecurityContext = nil
+	ac.InitSecurityContext = nil
 
 	data, err := json.Marshal(s)
 	ac.AgentImage = ai
 	ac.PullPolicy = pp
 	ac.PullSecrets = ps
 	ac.InitResources = ir
 	ac.SecurityContext = sc
+	ac.InitSecurityContext = is
 
 	if err != nil {
 		return "", err
diff --git a/pkg/agentmap/generator.go b/pkg/agentmap/generator.go
@@ -56,6 +56,7 @@ type BasicGeneratorConfig struct {
 	PullSecrets         []core.LocalObjectReference
 	AppProtocolStrategy k8sapi.AppProtocolStrategy
 	SecurityContext     *core.SecurityContext
+	InitSecurityContext *core.SecurityContext
 }
 
 func portsFromContainerPortsAnnotation(wl k8sapi.Workload) (ports []agentconfig.PortIdentifier, err error) {
@@ -194,21 +195,22 @@ func (cfg *BasicGeneratorConfig) Generate(
 	}
 
 	return &agentconfig.Sidecar{
-		AgentImage:      cfg.QualifiedAgentImage,
-		AgentName:       wl.GetName(),
-		LogLevel:        cfg.LogLevel,
-		Namespace:       wl.GetNamespace(),
-		WorkloadName:    wl.GetName(),
-		WorkloadKind:    wl.GetKind(),
-		ManagerHost:     ManagerAppName + "." + cfg.ManagerNamespace,
-		ManagerPort:     cfg.ManagerPort,
-		APIPort:         cfg.APIPort,
-		Containers:      ccs,
-		InitResources:   cfg.InitResources,
-		Resources:       cfg.Resources,
-		PullPolicy:      cfg.PullPolicy,
-		PullSecrets:     cfg.PullSecrets,
-		SecurityContext: cfg.SecurityContext,
+		AgentImage:          cfg.QualifiedAgentImage,
+		AgentName:           wl.GetName(),
+		LogLevel:            cfg.LogLevel,
+		Namespace:           wl.GetNamespace(),
+		WorkloadName:        wl.GetName(),
+		WorkloadKind:        wl.GetKind(),
+		ManagerHost:         ManagerAppName + "." + cfg.ManagerNamespace,
+		ManagerPort:         cfg.ManagerPort,
+		APIPort:             cfg.APIPort,
+		Containers:          ccs,
+		InitResources:       cfg.InitResources,
+		Resources:           cfg.Resources,
+		PullPolicy:          cfg.PullPolicy,
+		PullSecrets:         cfg.PullSecrets,
+		SecurityContext:     cfg.SecurityContext,
+		InitSecurityContext: cfg.InitSecurityContext,
 	}, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -277,6 +277,9 @@ func InitContainer(config Sidecar) core.Container {`
`277`	`277`	`if r := config.InitResources; r != nil {`
`278`	`278`	`ic.Resources = *r`
`279`	`279`	`}`
	`280`	`+ if s := config.InitSecurityContext; s != nil {`
	`281`	`+ ic.SecurityContext = s`
	`282`	`+ }`
`280`	`283`	`return ic`
`281`	`284`	`}`
`282`	`285`