From 1d5d753cf10a6aa80114d2f2f92e02adc0d830b7 Mon Sep 17 00:00:00 2001
From: dariuszSki
Date: Mon, 18 Nov 2024 16:30:21 -0500
Subject: [PATCH 1/2] added more printouts to test cases for regression

---
 .github/workflows/pr.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 3f1f71a..10bf605 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -617,6 +617,8 @@ jobs:
 do
 curl -s -X GET http://productpage.ziti:9080/productpage?u=test | grep reviews >> testcase_curl_output.log
 done
+ cat testcase_curl_output.log
+ cat testcase_pods.log
 test/verify_test_results.py
 kubectl logs `kubectl get pods -n ziti --context $AWS_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context $AWS_CLUSTER
 kubectl logs `kubectl get pods -n ziti --context $GKE_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context $GKE_CLUSTER
@@ -647,6 +649,8 @@ jobs:
 do
 curl -s -X GET http://productpage.ziti:9080/productpage?u=test | grep reviews >> testcase_curl_output.log
 done
+ cat testcase_curl_output.log
+ cat testcase_pods.log
 test/verify_test_results.py
 kubectl logs `kubectl get pods -n ziti --context $AWS_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context $AWS_CLUSTER
 kubectl logs `kubectl get pods -n ziti --context $GKE_CLUSTER -o name | grep ziti-admission-wh` -n ziti --context $GKE_CLUSTER

From e6ecbb617a6936e7a45006ce712167b2d0af6a56 Mon Sep 17 00:00:00 2001
From: dariuszSki
Date: Mon, 18 Nov 2024 18:02:46 -0500
Subject: [PATCH 2/2] reverted back to NET_BIND_SERVICE in the pod security context in all places

---
 CHANGELOG.md | 4 ++--
 ziti-agent/cmd/webhook/pods.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1da3bb0..44f6de9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
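Review bot: The added `cat testcase_pods.log` (in both hunks, @@ -617 and @@ -647) assumes the file already exists at that point, but nothing in either hunk writes it; if the earlier part of the step does not create it, `cat` exits non-zero and, with the `-e` that GitHub Actions' default shell applies to `run:` steps, the step aborts before `test/verify_test_results.py` ever runs. A diagnostics dump should not be able to mask the real verification result, so guard it, e.g. `if [ -f testcase_pods.log ]; then cat testcase_pods.log; fi`. `testcase_curl_output.log` does not need the guard, since the `>>` redirect in the loop just above creates it even when every curl fails. The enclosing run step starts outside both hunks, so whether `testcase_pods.log` is written there cannot be confirmed from the diff.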
@@ -9,8 +9,8 @@ All notable changes to this project will be documented in this file. The format
 ```shell
 Capabilities: &corev1.Capabilities{
- Add: []corev1.Capability{"NET_ADMIN"},
- Drop: []corev1.Capability{"ALL"},
+ Add: []corev1.Capability{"NET_ADMIN", "NET_BIND_SERVICE"},
+ Drop: []corev1.Capability{"ALL"},
 },
 RunAsUser: &rootUser, (deafault = true)
 Privileged: &isPrivileged, (default = false)
diff --git a/ziti-agent/cmd/webhook/pods.go b/ziti-agent/cmd/webhook/pods.go
index b76f3b3..978e6a3 100644
--- a/ziti-agent/cmd/webhook/pods.go
+++ b/ziti-agent/cmd/webhook/pods.go
@@ -151,7 +151,7 @@ func zitiTunnel(ar admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
 sidecarSecurityContext = &corev1.SecurityContext{
 Capabilities: &corev1.Capabilities{
- Add: []corev1.Capability{"NET_ADMIN"},
+ Add: []corev1.Capability{"NET_ADMIN", "NET_BIND_SERVICE"},
 Drop: []corev1.Capability{"ALL"},
 },
 RunAsUser: &rootUser,
@@ -161,7 +161,7 @@ func zitiTunnel(ar admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
 if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.RunAsUser != nil {
 sidecarSecurityContext = &corev1.SecurityContext{
 Capabilities: &corev1.Capabilities{
- Add: []corev1.Capability{"NET_ADMIN"},
+ Add: []corev1.Capability{"NET_ADMIN", "NET_BIND_SERVICE"},
 Drop: []corev1.Capability{"ALL"},
 },
 RunAsUser: &rootUser,
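Review bot: The sidecar capability set is now written out twice in zitiTunnel, once per branch (@@ -151 and @@ -161), and the commit's own "in all places" shows the two copies have already drifted apart once; hoisting the literal into a single helper keeps the drop-ALL baseline and the added capabilities in sync so a future change cannot tighten one branch and leave the other wider. The code also records no reason for NET_BIND_SERVICE, so the next reviewer has no way to judge whether it can be removed again; a comment such as `// NET_BIND_SERVICE: needed if the tunnel listens below port 1024 — confirm against the sidecar's listener config` would carry that, which matters because every capability added back on top of NET_ADMIN widens what a compromised sidecar can do. The helper below returns a fresh value per call so admission responses never share one mutable slice. zitiTunnel's body starts and ends outside both hunks.

```go
// sidecarCapabilities returns the capability set for the injected sidecar:
// drop everything, then add back only what the tunnel needs. A fresh value is
// returned on each call so admission responses never alias one shared slice.
func sidecarCapabilities() *corev1.Capabilities {
	return &corev1.Capabilities{
		Add:  []corev1.Capability{"NET_ADMIN", "NET_BIND_SERVICE"},
		Drop: []corev1.Capability{"ALL"},
	}
}

// … unchanged: zitiTunnel up to the first SecurityContext literal …
		sidecarSecurityContext = &corev1.SecurityContext{
			Capabilities: sidecarCapabilities(),
// … unchanged: RunAsUser and the rest of the literal; the same one-line change applies in the RunAsUser != nil branch …
```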