From dd72c7eb885c7d7bb86556fe7fc9a6afb515281d Mon Sep 17 00:00:00 2001
From: jshr-w
Date: Tue, 28 May 2024 16:55:02 -0700
Subject: [PATCH 1/2] update cil-operator security context
---
.../cilium-operator/templates/deployment.yaml | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/test/integration/manifests/cilium/v1.13/cilium-operator/templates/deployment.yaml b/test/integration/manifests/cilium/v1.13/cilium-operator/templates/deployment.yaml
index 2842221eee..cdc0e79d83 100644
--- a/test/integration/manifests/cilium/v1.13/cilium-operator/templates/deployment.yaml
+++ b/test/integration/manifests/cilium/v1.13/cilium-operator/templates/deployment.yaml
@@ -60,6 +60,44 @@ spec:
containerPort: 9963
hostPort: 9963
protocol: TCP
+ securityContext:
+ seLinuxOptions:
+ level: 's0'
+ # Running with spc_t since we have removed the privileged mode.
+ # Users can change it to a different type as long as they have the
+ # type available on the system.
+ type: 'spc_t'
+ capabilities:
+ add:
+ # Use to set socket permission
+ - CHOWN
+ # Used to terminate envoy child process
+ - KILL
+ # Used since cilium modifies routing tables, etc...
+ - NET_ADMIN
+ # Used since cilium creates raw sockets, etc...
+ - NET_RAW
+ # Used since cilium monitor uses mmap
+ - IPC_LOCK
+ # Used in iptables. Consider removing once we are iptables-free
+ - SYS_MODULE
+ # We need it for now but might not need it for >= 5.11 specially
+ # for the 'SYS_RESOURCE'.
+ # In >= 5.8 there's already BPF and PERMON capabilities
+ - SYS_ADMIN
+ # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
+ - SYS_RESOURCE
+ # Both PERFMON and BPF requires kernel 5.8, container runtime
+ # cri-o >= v1.22.0 or containerd >= v1.5.0.
+ # If available, SYS_ADMIN can be removed.
+ #- PERFMON
+ #- BPF
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ drop:
+ - ALL
livenessProbe:
httpGet:
host: "127.0.0.1"
From f6445af37a813b2754d3aef1a4bede1046bc4bd0 Mon Sep 17 00:00:00 2001
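Review bot: The capability set added under `capabilities.add` looks like it was lifted from the cilium-agent container rather than written for the operator — the comments justify each entry with agent-side work (envoy child process, `cilium monitor` mmap, routing tables, raw sockets, iptables), and with SYS_ADMIN, SYS_MODULE and NET_ADMIN kept alongside `type: 'spc_t'`, the `drop: ALL` at the end removes almost nothing of consequence. The comment `# Running with spc_t since we have removed the privileged mode.` is also not backed by this commit, which is 38 insertions and no deletions; if a `privileged: true` survives elsewhere in this template (outside the hunk) it would override the drop list entirely, so that should be checked. Unless the operator binary in this integration setup is known to need specific capabilities, I would reduce the block to `capabilities:` / `drop:` / `- ALL`, leave out the `seLinuxOptions` override, and give any capability that is kept a comment that explains why the operator (not the agent) needs it. The container spec this block belongs to starts before the hunk.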
From: jshr-w
Date: Wed, 29 May 2024 13:26:21 -0700
Subject: [PATCH 2/2] add security context to 1.14 template
---
.../cilium-operator/templates/deployment.yaml | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/test/integration/manifests/cilium/v1.14/cilium-operator/templates/deployment.yaml b/test/integration/manifests/cilium/v1.14/cilium-operator/templates/deployment.yaml
index 2842221eee..cdc0e79d83 100644
--- a/test/integration/manifests/cilium/v1.14/cilium-operator/templates/deployment.yaml
+++ b/test/integration/manifests/cilium/v1.14/cilium-operator/templates/deployment.yaml
@@ -60,6 +60,44 @@ spec:
containerPort: 9963
hostPort: 9963
protocol: TCP
+ securityContext:
+ seLinuxOptions:
+ level: 's0'
+ # Running with spc_t since we have removed the privileged mode.
+ # Users can change it to a different type as long as they have the
+ # type available on the system.
+ type: 'spc_t'
+ capabilities:
+ add:
+ # Use to set socket permission
+ - CHOWN
+ # Used to terminate envoy child process
+ - KILL
+ # Used since cilium modifies routing tables, etc...
+ - NET_ADMIN
+ # Used since cilium creates raw sockets, etc...
+ - NET_RAW
+ # Used since cilium monitor uses mmap
+ - IPC_LOCK
+ # Used in iptables. Consider removing once we are iptables-free
+ - SYS_MODULE
+ # We need it for now but might not need it for >= 5.11 specially
+ # for the 'SYS_RESOURCE'.
+ # In >= 5.8 there's already BPF and PERMON capabilities
+ - SYS_ADMIN
+ # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
+ - SYS_RESOURCE
+ # Both PERFMON and BPF requires kernel 5.8, container runtime
+ # cri-o >= v1.22.0 or containerd >= v1.5.0.
+ # If available, SYS_ADMIN can be removed.
+ #- PERFMON
+ #- BPF
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ drop:
+ - ALL
livenessProbe:
httpGet:
host: "127.0.0.1"
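Review bot: SYS_MODULE (load arbitrary kernel modules) and SYS_ADMIN are granted here to the v1.14 operator with no reason that applies to an operator process — the comment on SYS_MODULE says `Used in iptables` and the one above SYS_ADMIN itself says `If available, SYS_ADMIN can be removed` in favour of BPF/PERFMON, yet both stay in `add` and the BPF/PERFMON lines stay commented out, so the hunk grants more than its own comments ask for. Since the blob hashes (`index 2842221eee..cdc0e79d83`) are identical to the v1.13 patch, this is the same block copied verbatim, and any trimming applied to 1.13 should be mirrored here, or the two templates consolidated so they cannot drift. At a minimum I would remove the `- SYS_MODULE` and `- SYS_ADMIN` lines and, if kernel/runtime versions in this test environment permit, enable `- BPF` and `- PERFMON` as the comment describes; the comment also misspells the capability as `PERMON`. The container spec this block belongs to starts before the hunk.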