NET-5186 Allow dataplane container to bind to privileged ports #238

nathancoleman · 2023-08-11T19:08:25Z

Describe the issue

Consul-dataplane is currently unable to bind to privileged ports (< 1024).

This is important for ingress-gateway use cases where customers have historically been able to bind to ports such as 443 and are encountering runtime failures when attempting to upgrade to Consul 1.15+ and the corresponding Helm chart versions. In these newer versions, consul-dataplane has taken the place of the envoyproxy/envoy containers that were used previously.

Example of failure:

[warning] envoy.config(13) delta config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) http:0.0.0.0:443: cannot bind '0.0.0.0:443': Permission denied

Describe the fix

It appears that Envoy containers, which consul-dataplane has replaced for ingress-gateway use cases, run as root and then use su-exec to run as a different user. I'm thinking that we can set the NET_BIND_SERVICE capability directly on the Envoy and dataplane binaries and avoid starting up as root, but I'm depending on my own testing and reviewers here to validate this.

The consul-dataplane container still needs to function correctly when deployed into OpenShift
The consul-dataplane container still needs to function correctly with Set privileged to false unless on OpenShift without CNI consul-k8s#2755

This PR adds a new stage to set the net_bind_service capability on the Envoy and dataplane binaries that are copied into the release image. The final images then copy their Envoy and dataplane binaries from this new stage instead of their previous source.

How to test

Create an ingress-gateway that binds to a privileged port, such as 443 (see example values below)
- Before this change, the consul-dataplane container will appear healthy but spew logs containing the error below
- After this change, the consul-dataplane container will appear healthy, and the logs will indicate successful xDS config
Do the same testing on OpenShift to verify no negative impact

Example `values.yaml`

global:
  name: consul
  logLevel: debug

connectInject:
  replicas: 1
  enabled: true

server:
  replicas: 3

ingressGateways:
  enabled: true
  gateways:
    - name: my-ingress
      service:
        type: LoadBalancer
        ports:
          - port: 443

nathancoleman · 2023-08-17T19:18:09Z

Dockerfile

@@ -22,7 +36,8 @@ RUN apk add dumb-init
 # -----------------------------------
 FROM gcr.io/distroless/base-debian11 AS release-default

-ARG BIN_NAME
+ARG BIN_NAME=consul-dataplane


Defaulting these for building locally like we do in consul-k8s

curtbushko

Thanks Nathan!

For other reviewers: we had hours upon hours of back and forth discussions on how to do this and this 'setcap' method was the best of all horrible ways to solve this problem.

We couldn't setcap at runtime since we are running a distroless image (no shell to run the setcap command...).

NET-5186 Allow dataplane container to bind to privileged ports

…ports into release/1.0.x (#248) Merge pull request #238 from hashicorp/distroless-capabilities NET-5186 Allow dataplane container to bind to privileged ports Co-authored-by: Nathan Coleman <[email protected]>

NET-5186 Allow dataplane container to bind to privileged ports

…ports into release/1.2.x (#247) Merge pull request #238 from hashicorp/distroless-capabilities NET-5186 Allow dataplane container to bind to privileged ports Co-authored-by: Nathan Coleman <[email protected]>

nathancoleman changed the base branch from main to release/1.1.x August 11, 2023 19:08

nathancoleman force-pushed the distroless-capabilities branch from 35acafb to cf3a827 Compare August 11, 2023 22:15

nathancoleman changed the title ~~Allow dataplane container to bind to privileged ports~~ NET-5186 Allow dataplane container to bind to privileged ports Aug 11, 2023

nathancoleman requested a review from david-yu August 17, 2023 18:46

This was referenced Aug 17, 2023

NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext hashicorp/consul-k8s#2787

Merged

NET-5186 Add NET_BIND_SERVICE capability to consul-dataplane requirements hashicorp/consul#18512

Merged

nathancoleman requested a review from picatz August 17, 2023 19:14

nathancoleman commented Aug 17, 2023

View reviewed changes

nathancoleman added 2 commits August 21, 2023 13:18

Set bind capability on Envoy binary

8980bfb

Set capability on dataplane process as well

a4dd9a9

nathancoleman force-pushed the distroless-capabilities branch from 9941048 to a4dd9a9 Compare August 21, 2023 17:18

nathancoleman changed the base branch from release/1.1.x to main August 21, 2023 17:19

nathancoleman added backport/1.0 backport/1.1 Changes are backported to 1.1 labels Aug 21, 2023

Add changelog entry

9ffea3f

nathancoleman marked this pull request as ready for review August 21, 2023 17:26

nathancoleman requested a review from a team as a code owner August 21, 2023 17:26

nathancoleman requested review from curtbushko, DanStough, zalimeni and wilkermichael and removed request for a team and DanStough August 21, 2023 18:00

curtbushko approved these changes Aug 23, 2023

View reviewed changes

david-yu approved these changes Aug 24, 2023

View reviewed changes

nathancoleman merged commit da6bf68 into main Aug 24, 2023

nathancoleman deleted the distroless-capabilities branch August 24, 2023 20:32

hc-github-team-consul-core mentioned this pull request Aug 24, 2023

Backport of NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext into release/1.2.x hashicorp/consul-k8s#2839

Merged

2 tasks

nathancoleman added a commit that referenced this pull request Aug 25, 2023

Merge pull request #238 from hashicorp/distroless-capabilities

fd96d47

NET-5186 Allow dataplane container to bind to privileged ports

nathancoleman added backport/1.0 backport/1.1 Changes are backported to 1.1 and removed backport/1.0 backport/1.1 Changes are backported to 1.1 labels Aug 25, 2023

nathancoleman added a commit that referenced this pull request Aug 25, 2023

Merge pull request #238 from hashicorp/distroless-capabilities

0adf59c

NET-5186 Allow dataplane container to bind to privileged ports

nathancoleman added a commit that referenced this pull request Aug 25, 2023

Merge pull request #238 from hashicorp/distroless-capabilities

6f9edfe

NET-5186 Allow dataplane container to bind to privileged ports

nathancoleman mentioned this pull request Aug 30, 2023

NET-5186 Fix issue where consul-dataplane attempts to write to a read-only file system location #253

Merged

nathancoleman mentioned this pull request Oct 12, 2023

NET-5947 Add NET_BIND_SERVICE capability in security context for api-gateway pod on OpenShift hashicorp/consul-k8s#3070

Merged

2 tasks

hc-github-team-consul-core mentioned this pull request Oct 12, 2023

Backport of NET-5947 Add NET_BIND_SERVICE capability in security context for api-gateway pod on OpenShift into release/1.2.x hashicorp/consul-k8s#3076

Merged

2 tasks

missylbytes mentioned this pull request Feb 5, 2024

Add NET_BIND_SERVICE to the security context in the deployment of Mesh Gateway (NET-6463) hashicorp/consul-k8s#3549

Merged

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NET-5186 Allow dataplane container to bind to privileged ports #238

NET-5186 Allow dataplane container to bind to privileged ports #238

nathancoleman commented Aug 11, 2023 •

edited

Loading

nathancoleman Aug 17, 2023

curtbushko left a comment

NET-5186 Allow dataplane container to bind to privileged ports #238

NET-5186 Allow dataplane container to bind to privileged ports #238

Conversation

nathancoleman commented Aug 11, 2023 • edited Loading

Describe the issue

Describe the fix

How to test

nathancoleman Aug 17, 2023

Choose a reason for hiding this comment

curtbushko left a comment

Choose a reason for hiding this comment

nathancoleman commented Aug 11, 2023 •

edited

Loading