add share-process-namespace annotation

hashicorp · Apr 21, 2022 · 12055c3 · 12055c3
1 parent c25fcef
commit 12055c3
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 0 deletions.
diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
@@ -21,6 +21,7 @@ const (
 	DefaultAgentRunAsUser                   = 100
 	DefaultAgentRunAsGroup                  = 1000
 	DefaultAgentRunAsSameUser               = false
+	DefaultAgentShareProcessNamespace       = false
 	DefaultAgentAllowPrivilegeEscalation    = false
 	DefaultAgentDropCapabilities            = "ALL"
 	DefaultAgentSetSecurityContext          = true
@@ -135,6 +136,9 @@ type Agent struct {
 	// same as the first application container
 	RunAsSameID bool
 
+	// ShareProcessNamespace sets the shareProcessNamespace value on the pod spec.
+	ShareProcessNamespace bool
+
 	// SetSecurityContext controls whether the injected containers have a
 	// SecurityContext set.
 	SetSecurityContext bool
@@ -400,6 +404,11 @@ func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*Agent, erro
 		return agent, err
 	}
 
+	agent.ShareProcessNamespace, err = agent.setShareProcessNamespace(pod)
+	if err != nil {
+		return agent, err
+	}
+
 	agent.SetSecurityContext, err = agent.setSecurityContext()
 	if err != nil {
 		return agent, err
@@ -591,6 +600,10 @@ func (a *Agent) Patch() ([]byte, error) {
 				a.ContainerVolumeMounts(),
 				fmt.Sprintf("/spec/initContainers/%d/volumeMounts", i))...)
 		}
+
+		// Add sharedProcessNamespace
+		a.Patches = append(a.Patches, updateShareProcessNamespace(
+			a.ShareProcessNamespace)...)
 	}
 
 	// Sidecar Container

diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
@@ -149,6 +149,9 @@ const (
 	// Pod Spec.
 	AnnotationAgentRunAsSameUser = "vault.hashicorp.com/agent-run-as-same-user"
 
+	// AnnotationAgentShareProcessNamespace sets the shareProcessNamespace value on the pod spec.
+	AnnotationAgentShareProcessNamespace = "vault.hashicorp.com/agent-share-process-namespace"
+
 	// AnnotationAgentSetSecurityContext controls whether a SecurityContext (uid
 	// and gid) is set on the injected Vault Agent containers
 	AnnotationAgentSetSecurityContext = "vault.hashicorp.com/agent-set-security-context"
@@ -272,6 +275,7 @@ type AgentConfig struct {
 	GroupID                    string
 	SameID                     bool
 	SetSecurityContext         bool
+	ShareProcessNamespace      bool
 	ProxyAddress               string
 	DefaultTemplate            string
 	ResourceRequestCPU         string
@@ -290,6 +294,7 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 	var runAsUserIsSet bool
 	var runAsSameUserIsSet bool
 	var runAsGroupIsSet bool
+	var shareProcessNamespaceIsSet bool
 
 	if pod == nil {
 		return errors.New("pod is empty")
@@ -397,6 +402,10 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 		pod.ObjectMeta.Annotations[AnnotationAgentRunAsSameUser] = strconv.FormatBool(cfg.SameID)
 	}
 
+	if _, shareProcessNamespaceIsSet = pod.ObjectMeta.Annotations[AnnotationAgentShareProcessNamespace]; !shareProcessNamespaceIsSet {
+		pod.ObjectMeta.Annotations[AnnotationAgentShareProcessNamespace] = strconv.FormatBool(cfg.ShareProcessNamespace)
+	}
+
 	if _, runAsGroupIsSet = pod.ObjectMeta.Annotations[AnnotationAgentRunAsGroup]; !runAsGroupIsSet {
 		if cfg.GroupID == "" {
 			cfg.GroupID = strconv.Itoa(DefaultAgentRunAsGroup)
@@ -622,6 +631,23 @@ func (a *Agent) runAsSameID(pod *corev1.Pod) (bool, error) {
 	return runAsSameID, nil
 }
 
+func (a *Agent) setShareProcessNamespace(pod *corev1.Pod) (bool, error) {
+	raw, ok := a.Annotations[AnnotationAgentShareProcessNamespace]
+	if !ok {
+		return DefaultAgentShareProcessNamespace, nil
+	}
+	shareProcessNamespace, err := strconv.ParseBool(raw)
+	if err != nil {
+		return DefaultAgentShareProcessNamespace, err
+	}
+	if pod.Spec.ShareProcessNamespace != nil {
+		if *pod.Spec.ShareProcessNamespace == false && shareProcessNamespace == true {
+			return DefaultAgentShareProcessNamespace, errors.New("Will not override shareProcessNamespace already set to false")
+		}
+	}
+	return strconv.ParseBool(raw)
+}
+
 func (a *Agent) setSecurityContext() (bool, error) {
 	raw, ok := a.Annotations[AnnotationAgentSetSecurityContext]
 	if !ok {

diff --git a/agent-inject/agent/annotations_test.go b/agent-inject/agent/annotations_test.go
@@ -93,6 +93,7 @@ func TestInitDefaults(t *testing.T) {
 		{annotationKey: AnnotationAgentImage, annotationValue: DefaultVaultImage},
 		{annotationKey: AnnotationAgentRunAsUser, annotationValue: strconv.Itoa(DefaultAgentRunAsUser)},
 		{annotationKey: AnnotationAgentRunAsGroup, annotationValue: strconv.Itoa(DefaultAgentRunAsGroup)},
+		{annotationKey: AnnotationAgentShareProcessNamespace, annotationValue: strconv.FormatBool(DefaultAgentShareProcessNamespace)},
 	}
 
 	for _, tt := range tests {
@@ -716,6 +717,14 @@ func TestCouldErrorAnnotations(t *testing.T) {
 		{AnnotationAgentRunAsGroup, "100", true},
 		{AnnotationAgentRunAsGroup, "root", false},
 
+		{AnnotationAgentShareProcessNamespace, "true", true},
+		{AnnotationAgentShareProcessNamespace, "false", true},
+		{AnnotationAgentShareProcessNamespace, "TRUE", true},
+		{AnnotationAgentShareProcessNamespace, "FALSE", true},
+		{AnnotationAgentShareProcessNamespace, "tRuE", false},
+		{AnnotationAgentShareProcessNamespace, "fAlSe", false},
+		{AnnotationAgentShareProcessNamespace, "", false},
+
 		{AnnotationAgentSetSecurityContext, "true", true},
 		{AnnotationAgentSetSecurityContext, "false", true},
 		{AnnotationAgentSetSecurityContext, "secure", false},
@@ -975,6 +984,7 @@ func TestInjectContainers(t *testing.T) {
 				{Operation: "add", Path: "/spec/containers/1/volumeMounts/-"},
 				{Operation: "add", Path: "/spec/containers/2/volumeMounts/-"},
 				{Operation: "add", Path: "/spec/initContainers"},
+				{Operation: "add", Path: "/spec/shareProcessNamespace"},
 				{Operation: "add", Path: "/spec/containers/-"},
 				{Operation: "add", Path: "/metadata/annotations/" + EscapeJSONPointer(AnnotationAgentStatus)},
 			},
@@ -989,6 +999,7 @@ func TestInjectContainers(t *testing.T) {
 				{Operation: "add", Path: "/spec/volumes"},
 				{Operation: "add", Path: "/spec/containers/1/volumeMounts/-"},
 				{Operation: "add", Path: "/spec/initContainers"},
+				{Operation: "add", Path: "/spec/shareProcessNamespace"},
 				{Operation: "add", Path: "/spec/containers/-"},
 				{Operation: "add", Path: "/metadata/annotations/" + EscapeJSONPointer(AnnotationAgentStatus)},
 			},
@@ -1004,6 +1015,7 @@ func TestInjectContainers(t *testing.T) {
 				{Operation: "add", Path: "/spec/containers/1/volumeMounts/-"},
 				{Operation: "add", Path: "/spec/containers/2/volumeMounts/-"},
 				{Operation: "add", Path: "/spec/initContainers"},
+				{Operation: "add", Path: "/spec/shareProcessNamespace"},
 				{Operation: "add", Path: "/spec/containers/-"},
 				{Operation: "add", Path: "/metadata/annotations/" + EscapeJSONPointer(AnnotationAgentStatus)},
 			},

diff --git a/agent-inject/agent/patch.go b/agent-inject/agent/patch.go
@@ -111,6 +111,17 @@ func updateAnnotations(target, annotations map[string]string) []*jsonpatch.JsonP
 	return result
 }
 
+func updateShareProcessNamespace(shareProcessNamespace bool) []*jsonpatch.JsonPatchOperation {
+	var result []*jsonpatch.JsonPatchOperation
+	result = append(result, &jsonpatch.JsonPatchOperation{
+		Operation: "add",
+		Path:      "/spec/shareProcessNamespace",
+		Value:     shareProcessNamespace,
+	})
+
+	return result
+}
+
 // EscapeJSONPointer escapes a JSON string to be compliant with the
 // JavaScript Object Notation (JSON) Pointer syntax RFC:
 // https://tools.ietf.org/html/rfc6901.

diff --git a/agent-inject/handler.go b/agent-inject/handler.go
@@ -56,6 +56,7 @@ type Handler struct {
 	UserID                     string
 	GroupID                    string
 	SameID                     bool
+	ShareProcessNamespace      bool
 	SetSecurityContext         bool
 	DefaultTemplate            string
 	ResourceRequestCPU         string
@@ -187,6 +188,7 @@ func (h *Handler) Mutate(req *admissionv1.AdmissionRequest) *admissionv1.Admissi
 		GroupID:                    h.GroupID,
 		SameID:                     h.SameID,
 		SetSecurityContext:         h.SetSecurityContext,
+		ShareProcessNamespace:      h.ShareProcessNamespace,
 		DefaultTemplate:            h.DefaultTemplate,
 		ResourceRequestCPU:         h.ResourceRequestCPU,
 		ResourceRequestMem:         h.ResourceRequestMem,

diff --git a/agent-inject/handler_test.go b/agent-inject/handler_test.go
@@ -174,6 +174,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/initContainers/0/volumeMounts/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/shareProcessNamespace",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/-",
@@ -235,6 +239,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/initContainers/1/volumeMounts/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/shareProcessNamespace",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/-",
@@ -291,6 +299,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/initContainers/0/volumeMounts/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/shareProcessNamespace",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/-",
@@ -352,6 +364,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/initContainers/0/volumeMounts/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/shareProcessNamespace",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/-",
@@ -409,6 +425,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/initContainers/0/volumeMounts/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/shareProcessNamespace",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/-",
@@ -509,6 +529,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/initContainers/0/volumeMounts/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/shareProcessNamespace",
+				},
 				{
 					Operation: "add",
 					Path:      "/metadata/annotations/" + agent.EscapeJSONPointer(agent.AnnotationAgentStatus),
@@ -558,6 +582,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/initContainers/0/volumeMounts/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/shareProcessNamespace",
+				},
 				{
 					Operation: "add",
 					Path:      "/spec/containers/-",