Merge branch 'main' into qrkourier-patch-1

netfoundry · Nov 19, 2024 · ad78ab6 · ad78ab6
2 parents aab2478 + ae748de
commit ad78ab6
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -617,6 +617,8 @@ jobs:
           do
             curl -s -X GET http://productpage.ziti:9080/productpage?u=test | grep reviews >> testcase_curl_output.log
           done
+          cat testcase_curl_output.log
+          cat testcase_pods.log
           test/verify_test_results.py
           kubectl logs `kubectl get pods -n ziti --context  $AWS_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context  $AWS_CLUSTER
           kubectl logs `kubectl get pods -n ziti --context  $GKE_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context  $GKE_CLUSTER
@@ -647,6 +649,8 @@ jobs:
           do
             curl -s -X GET http://productpage.ziti:9080/productpage?u=test | grep reviews >> testcase_curl_output.log
           done
+          cat testcase_curl_output.log
+          cat testcase_pods.log
           test/verify_test_results.py
           kubectl logs `kubectl get pods -n ziti --context  $AWS_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context  $AWS_CLUSTER
           kubectl logs `kubectl get pods -n ziti --context  $GKE_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context  $GKE_CLUSTER

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,8 +9,8 @@ All notable changes to this project will be documented in this file. The format
 
   ```shell
   Capabilities: &corev1.Capabilities{
-	Add:  []corev1.Capability{"NET_ADMIN"},
-	Drop: []corev1.Capability{"ALL"},
+    Add:  []corev1.Capability{"NET_ADMIN", "NET_BIND_SERVICE"},
+    Drop: []corev1.Capability{"ALL"},
   },
   RunAsUser:  &rootUser, (deafault = true)
   Privileged: &isPrivileged, (default = false)

diff --git a/ziti-agent/cmd/webhook/pods.go b/ziti-agent/cmd/webhook/pods.go
@@ -151,7 +151,7 @@ func zitiTunnel(ar admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
 
 		sidecarSecurityContext = &corev1.SecurityContext{
 			Capabilities: &corev1.Capabilities{
-				Add:  []corev1.Capability{"NET_ADMIN"},
+				Add:  []corev1.Capability{"NET_ADMIN", "NET_BIND_SERVICE"},
 				Drop: []corev1.Capability{"ALL"},
 			},
 			RunAsUser:  &rootUser,
@@ -161,7 +161,7 @@ func zitiTunnel(ar admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
 		if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.RunAsUser != nil {
 			sidecarSecurityContext = &corev1.SecurityContext{
 				Capabilities: &corev1.Capabilities{
-					Add:  []corev1.Capability{"NET_ADMIN"},
+					Add:  []corev1.Capability{"NET_ADMIN", "NET_BIND_SERVICE"},
 					Drop: []corev1.Capability{"ALL"},
 				},
 				RunAsUser:  &rootUser,