add support for enabling shareProcessNamespace

agent-inject/agent/agent.go

@@ -19,6 +19,7 @@ const (
 	DefaultAgentRunAsUser                   = 100
 	DefaultAgentRunAsGroup                  = 1000
 	DefaultAgentRunAsSameUser               = false
+	DefaultAgentShareProcessNamespace       = false
 	DefaultAgentAllowPrivilegeEscalation    = false
 	DefaultAgentDropCapabilities            = "ALL"
 	DefaultAgentSetSecurityContext          = true
@@ -137,6 +138,9 @@ type Agent struct {
 	// same as the first application container
 	RunAsSameID bool
 
+	// ShareProcessNamespace sets the shareProcessNamespace value on the pod spec.
+	ShareProcessNamespace bool
+
 	// SetSecurityContext controls whether the injected containers have a
 	// SecurityContext set.
 	SetSecurityContext bool
@@ -433,6 +437,11 @@ func New(pod *corev1.Pod) (*Agent, error) {
 		return agent, err
 	}
 
+	agent.ShareProcessNamespace, err = agent.setShareProcessNamespace(pod)
+	if err != nil {
+		return agent, err
+	}
+
 	agent.SetSecurityContext, err = agent.setSecurityContext()
 	if err != nil {
 		return agent, err
@@ -607,7 +616,7 @@ func (a *Agent) Patch() ([]byte, error) {
 		// to run first.
 		if a.InitFirst {
 
-			// Remove all init containers from the document so we can re-add them after the agent.
+			// Remove all init containers from the document, so we can re-add them after the agent.
 			if len(a.Pod.Spec.InitContainers) != 0 {
 				patches = append(patches, removeContainers("/spec/initContainers")...)
 			}
@@ -636,6 +645,9 @@ func (a *Agent) Patch() ([]byte, error) {
 				a.ContainerVolumeMounts(),
 				fmt.Sprintf("/spec/initContainers/%d/volumeMounts", i))...)
 		}
+
+		// Add shareProcessNamespace
+		patches = append(patches, updateShareProcessNamespace(a.ShareProcessNamespace)...)
 	}
 
 	// Sidecar Container

agent-inject/agent/annotations.go

@@ -156,6 +156,9 @@ const (
 	// Pod Spec.
 	AnnotationAgentRunAsSameUser = "vault.hashicorp.com/agent-run-as-same-user"
 
+	// AnnotationAgentShareProcessNamespace sets the shareProcessNamespace value on the pod spec.
+	AnnotationAgentShareProcessNamespace = "vault.hashicorp.com/agent-share-process-namespace"
+
 	// AnnotationAgentSetSecurityContext controls whether a SecurityContext (uid
 	// and gid) is set on the injected Vault Agent containers
 	AnnotationAgentSetSecurityContext = "vault.hashicorp.com/agent-set-security-context"
@@ -312,6 +315,7 @@ type AgentConfig struct {
 	GroupID                    string
 	SameID                     bool
 	SetSecurityContext         bool
+	ShareProcessNamespace      bool
 	ProxyAddress               string
 	DefaultTemplate            string
 	ResourceRequestCPU         string
@@ -336,6 +340,7 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 	var runAsUserIsSet bool
 	var runAsSameUserIsSet bool
 	var runAsGroupIsSet bool
+	var shareProcessNamespaceIsSet bool
 
 	if pod == nil {
 		return errors.New("pod is empty")
@@ -455,6 +460,10 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 		pod.ObjectMeta.Annotations[AnnotationAgentRunAsSameUser] = strconv.FormatBool(cfg.SameID)
 	}
 
+	if _, shareProcessNamespaceIsSet = pod.ObjectMeta.Annotations[AnnotationAgentShareProcessNamespace]; !shareProcessNamespaceIsSet {
+		pod.ObjectMeta.Annotations[AnnotationAgentShareProcessNamespace] = strconv.FormatBool(cfg.ShareProcessNamespace)
+	}
+
 	if _, runAsGroupIsSet = pod.ObjectMeta.Annotations[AnnotationAgentRunAsGroup]; !runAsGroupIsSet {
 		if cfg.GroupID == "" {
 			cfg.GroupID = strconv.Itoa(DefaultAgentRunAsGroup)
@@ -736,6 +745,23 @@ func (a *Agent) runAsSameID(pod *corev1.Pod) (bool, error) {
 	return runAsSameID, nil
 }
 
+func (a *Agent) setShareProcessNamespace(pod *corev1.Pod) (bool, error) {
+	raw, ok := a.Annotations[AnnotationAgentShareProcessNamespace]
+	if !ok {
+		return DefaultAgentShareProcessNamespace, nil
+	}
+	shareProcessNamespace, err := strconv.ParseBool(raw)
+	if err != nil {
+		return DefaultAgentShareProcessNamespace, err
+	}
+	if pod.Spec.ShareProcessNamespace != nil {
+		if *pod.Spec.ShareProcessNamespace == false && shareProcessNamespace == true {
+			return DefaultAgentShareProcessNamespace, errors.New("Will not override shareProcessNamespace already set to false")
+		}
+	}
+	return strconv.ParseBool(raw)
+}
+
 func (a *Agent) setSecurityContext() (bool, error) {
 	raw, ok := a.Annotations[AnnotationAgentSetSecurityContext]
 	if !ok {

agent-inject/agent/annotations_test.go

@@ -94,6 +94,7 @@ func TestInitDefaults(t *testing.T) {
 		{annotationKey: AnnotationAgentImage, annotationValue: DefaultVaultImage},
 		{annotationKey: AnnotationAgentRunAsUser, annotationValue: strconv.Itoa(DefaultAgentRunAsUser)},
 		{annotationKey: AnnotationAgentRunAsGroup, annotationValue: strconv.Itoa(DefaultAgentRunAsGroup)},
+		{annotationKey: AnnotationAgentShareProcessNamespace, annotationValue: strconv.FormatBool(DefaultAgentShareProcessNamespace)},
 	}
 
 	for _, tt := range tests {
@@ -704,6 +705,14 @@ func TestCouldErrorAnnotations(t *testing.T) {
 		{AnnotationAgentRunAsGroup, "100", true},
 		{AnnotationAgentRunAsGroup, "root", false},
 
+		{AnnotationAgentShareProcessNamespace, "true", true},
+		{AnnotationAgentShareProcessNamespace, "false", true},
+		{AnnotationAgentShareProcessNamespace, "TRUE", true},
+		{AnnotationAgentShareProcessNamespace, "FALSE", true},
+		{AnnotationAgentShareProcessNamespace, "tRuE", false},
+		{AnnotationAgentShareProcessNamespace, "fAlSe", false},
+		{AnnotationAgentShareProcessNamespace, "", false},
+
 		{AnnotationAgentSetSecurityContext, "true", true},
 		{AnnotationAgentSetSecurityContext, "false", true},
 		{AnnotationAgentSetSecurityContext, "secure", false},
@@ -976,6 +985,7 @@ func TestInjectContainers(t *testing.T) {
 				internal.AddOp("/spec/containers/1/volumeMounts/-", nil),
 				internal.AddOp("/spec/containers/2/volumeMounts/-", nil),
 				internal.AddOp("/spec/initContainers", nil),
+				internal.AddOp("/spec/shareProcessNamespace", nil),
 				internal.AddOp("/spec/containers/-", nil),
 				internal.AddOp("/metadata/annotations/"+internal.EscapeJSONPointer(AnnotationAgentStatus), nil),
 			},
@@ -990,6 +1000,7 @@ func TestInjectContainers(t *testing.T) {
 				internal.AddOp("/spec/volumes", nil),
 				internal.AddOp("/spec/containers/1/volumeMounts/-", nil),
 				internal.AddOp("/spec/initContainers", nil),
+				internal.AddOp("/spec/shareProcessNamespace", nil),
 				internal.AddOp("/spec/containers/-", nil),
 				internal.AddOp("/metadata/annotations/"+internal.EscapeJSONPointer(AnnotationAgentStatus), nil),
 			},
@@ -1005,6 +1016,7 @@ func TestInjectContainers(t *testing.T) {
 				internal.AddOp("/spec/containers/1/volumeMounts/-", nil),
 				internal.AddOp("/spec/containers/2/volumeMounts/-", nil),
 				internal.AddOp("/spec/initContainers", nil),
+				internal.AddOp("/spec/shareProcessNamespace", nil),
 				internal.AddOp("/spec/containers/-", nil),
 				internal.AddOp("/metadata/annotations/"+internal.EscapeJSONPointer(AnnotationAgentStatus), nil),
 			},

agent-inject/agent/patch.go

@@ -82,3 +82,9 @@ func updateAnnotations(target, annotations map[string]string) jsonpatch.Patch {
 
 	return result
 }
+
+func updateShareProcessNamespace(shareProcessNamespace bool) jsonpatch.Patch {
+	return []jsonpatch.Operation{
+		internal.AddOp("/spec/shareProcessNamespace", shareProcessNamespace),
+	}
+}

agent-inject/handler.go

@@ -57,6 +57,7 @@ type Handler struct {
 	UserID                     string
 	GroupID                    string
 	SameID                     bool
+	ShareProcessNamespace      bool
 	SetSecurityContext         bool
 	DefaultTemplate            string
 	ResourceRequestCPU         string
@@ -195,6 +196,7 @@ func (h *Handler) Mutate(req *admissionv1.AdmissionRequest) *admissionv1.Admissi
 		GroupID:                    h.GroupID,
 		SameID:                     h.SameID,
 		SetSecurityContext:         h.SetSecurityContext,
+		ShareProcessNamespace:      h.ShareProcessNamespace,
 		DefaultTemplate:            h.DefaultTemplate,
 		ResourceRequestCPU:         h.ResourceRequestCPU,
 		ResourceRequestMem:         h.ResourceRequestMem,

agent-inject/handler_test.go

@@ -157,6 +157,7 @@ func TestHandlerHandle(t *testing.T) {
 				internal.AddOp("/spec/containers/0/volumeMounts/-", nil),
 				internal.AddOp("/spec/initContainers/-", nil),
 				internal.AddOp("/spec/initContainers/0/volumeMounts/-", nil),
+				internal.AddOp("/spec/shareProcessNamespace", nil),
 				internal.AddOp("/spec/containers/-", nil),
 				internal.AddOp("/metadata/annotations/"+internal.EscapeJSONPointer(agent.AnnotationAgentStatus), nil),
 			},
@@ -188,6 +189,7 @@ func TestHandlerHandle(t *testing.T) {
 				internal.AddOp("/spec/initContainers", nil),
 				internal.AddOp("/spec/initContainers/-", nil),
 				internal.AddOp("/spec/initContainers/1/volumeMounts/-", nil),
+				internal.AddOp("/spec/shareProcessNamespace", nil),
 				internal.AddOp("/spec/containers/-", nil),
 				internal.AddOp("/metadata/annotations/"+internal.EscapeJSONPointer(agent.AnnotationAgentStatus), nil),
 			},
@@ -217,11 +219,11 @@ func TestHandlerHandle(t *testing.T) {
 				internal.AddOp("/spec/containers/0/volumeMounts/-", nil),
 				internal.AddOp("/spec/initContainers/-", nil),
 				internal.AddOp("/spec/initContainers/0/volumeMounts/-", nil),
+				internal.AddOp("/spec/shareProcessNamespace", nil),
 				internal.AddOp("/spec/containers/-", nil),
 				internal.AddOp("/metadata/annotations/"+internal.EscapeJSONPointer(agent.AnnotationAgentStatus), nil),
 			},
 		},
-
 		{
 			"tls pod injection",
 			basicHandler(),
@@ -248,6 +250,7 @@ func TestHandlerHandle(t *testing.T) {
 				internal.AddOp("/spec/containers/0/volumeMounts/-", nil),
 				internal.AddOp("/spec/initContainers/-", nil),
 				internal.AddOp("/spec/initContainers/0/volumeMounts/-", nil),
+				internal.AddOp("/spec/shareProcessNamespace", nil),
 				internal.AddOp("/spec/containers/-", nil),
 				internal.AddOp("/metadata/annotations/"+internal.EscapeJSONPointer(agent.AnnotationAgentStatus), nil),
 			},
@@ -278,6 +281,7 @@ func TestHandlerHandle(t *testing.T) {
 				internal.AddOp("/spec/containers/0/volumeMounts/-", nil),
 				internal.AddOp("/spec/initContainers/-", nil),
 				internal.AddOp("/spec/initContainers/0/volumeMounts/-", nil),
+				internal.AddOp("/spec/shareProcessNamespace", nil),
 				internal.AddOp("/spec/containers/-", nil),
 				internal.AddOp("/metadata/annotations/"+internal.EscapeJSONPointer(agent.AnnotationAgentStatus), nil),
 			},
@@ -336,6 +340,7 @@ func TestHandlerHandle(t *testing.T) {
 				internal.AddOp("/spec/containers/0/volumeMounts/-", nil),
 				internal.AddOp("/spec/initContainers/-", nil),
 				internal.AddOp("/spec/initContainers/0/volumeMounts/-", nil),
+				internal.AddOp("/spec/shareProcessNamespace", nil),
 				internal.AddOp("/metadata/annotations/"+internal.EscapeJSONPointer(agent.AnnotationAgentStatus), nil),
 			},
 		},
@@ -364,6 +369,7 @@ func TestHandlerHandle(t *testing.T) {
 				internal.AddOp("/spec/containers/0/volumeMounts/-", nil),
 				internal.AddOp("/spec/initContainers/-", nil),
 				internal.AddOp("/spec/initContainers/0/volumeMounts/-", nil),
+				internal.AddOp("/spec/shareProcessNamespace", nil),
 				internal.AddOp("/spec/containers/-", nil),
 				internal.AddOp("/metadata/annotations/"+internal.EscapeJSONPointer(agent.AnnotationAgentStatus), nil),
 			},