fix: default init container securitycontext as recommended

smehboub · smehboub · commit 6e7fa640b526 · 2025-02-23T15:14:49.000+01:00
Signed-off-by: Sophian Mehboub &lt;sophienmehboub@gmail.com&gt;
diff --git a/cmd/traffic/cmd/manager/mutator/agent_injector.go b/cmd/traffic/cmd/manager/mutator/agent_injector.go
@@ -258,7 +258,8 @@ func addInitContainer(pod *core.Pod, config *agentconfig.Sidecar, patches PatchO
 		if ic.Name == oc.Name {
 			if ic.Image == oc.Image &&
 				slices.Equal(ic.Args, oc.Args) &&
-				compareVolumeMounts(ic.VolumeMounts, oc.VolumeMounts) {
+				compareVolumeMounts(ic.VolumeMounts, oc.VolumeMounts) &&
+				compareCapabilities(ic.SecurityContext, oc.SecurityContext) {
 				return patches
 			}
 			return append(patches, PatchOperation{
@@ -323,6 +324,29 @@ func compareProbes(a, b *core.Probe) bool {
 	return eq
 }
 
+func compareCapabilities(a *core.SecurityContext, b *core.SecurityContext) bool {
+	ac := a.Capabilities
+	bc := b.Capabilities
+	if ac == bc {
+		return true
+	}
+	if ac == nil || bc == nil {
+		return false
+	}
+	compareCaps := func(acs []core.Capability, bcs []core.Capability) bool {
+		if len(acs) != len(bcs) {
+			return false
+		}
+		for i := range acs {
+			if acs[i] != bcs[i] {
+				return false
+			}
+		}
+		return true
+	}
+	return compareCaps(ac.Add, bc.Add) && compareCaps(ac.Drop, bc.Drop)
+}
+
 // compareVolumeMounts compares two VolumeMount slices but will not include volume mounts using "kube-api-access-" prefix.
 func compareVolumeMounts(a, b []core.VolumeMount) bool {
 	stripKubeAPI := func(vs []core.VolumeMount) []core.VolumeMount {
diff --git a/cmd/traffic/cmd/manager/mutator/agent_injector_test.go b/cmd/traffic/cmd/manager/mutator/agent_injector_test.go
@@ -1518,6 +1518,10 @@ matchExpressions:
     image: ghcr.io/telepresenceio/tel2:2.13.3
     name: tel-agent-init
     resources: {}
+    securityContext:
+      capabilities:
+        add:
+        - NET_ADMIN
 - op: add
   path: /spec/containers/-
   value:
@@ -1631,6 +1635,10 @@ matchExpressions:
     image: ghcr.io/telepresenceio/tel2:2.13.3
     name: tel-agent-init
     resources: {}
+    securityContext:
+      capabilities:
+        add:
+        - NET_ADMIN
 - op: add
   path: /spec/containers/-
   value:
@@ -1766,6 +1774,11 @@ matchExpressions:
 								},
 							},
 						},
+						SecurityContext: &core.SecurityContext{
+							Capabilities: &core.Capabilities{
+								Add: []core.Capability{"NET_ADMIN"},
+							},
+						},
 					}},
 					Containers: []core.Container{
 						{
diff --git a/pkg/agentconfig/container.go b/pkg/agentconfig/container.go
@@ -268,6 +268,11 @@ func InitContainer(config *Sidecar) *core.Container {
 				},
 			},
 		},
+		SecurityContext: &core.SecurityContext{
+			Capabilities: &core.Capabilities{
+				Add: []core.Capability{"NET_ADMIN"},
+			},
+		},
 	}
 	if r := config.InitResources; r != nil {
 		ic.Resources = *r
