feat: make group ID configurable

This defines the group ID and adds the option to set it manually

Signed-off-by: Nico Feulner <[email protected]>

fix: runAsGroup instead of runAsUser

Signed-off-by: Nico Feulner <[email protected]>

fix: formatting in test files

Signed-off-by: Nico Feulner <[email protected]>

fix: re-generate helm docs

Signed-off-by: Nico Feulner <[email protected]>

fix: missing GID injection

charts/linkerd-control-plane/README.md

@@ -148,6 +148,7 @@ Kubernetes: `>=1.22.0-0`
 | controlPlaneTracingNamespace | string | `"linkerd-jaeger"` | namespace to send control plane traces to |
 | controller.podDisruptionBudget | object | `{"maxUnavailable":1}` | sets pod disruption budget parameter for all deployments |
 | controller.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number of pods that can be unavailable during disruption |
+| controllerGID | int | `2103` | Group ID for the control plane components |
 | controllerImage | string | `"cr.l5d.io/linkerd/controller"` | Docker image for the destination and identity components |
 | controllerImageVersion | string | `""` | Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. |
 | controllerLogFormat | string | `"plain"` | Log format for the control plane components |
@@ -237,6 +238,7 @@ Kubernetes: `>=1.22.0-0`
 | proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value |
 | proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value |
 | proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services |
+| proxy.gid | int | `2102` | Group id under which the proxy runs |
 | proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy |
 | proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container image |
 | proxy.image.version | string | linkerdVersion | Tag for the proxy container image |
@@ -284,6 +286,7 @@ Kubernetes: `>=1.22.0-0`
 | proxyInit.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the proxy-init container requests |
 | proxyInit.resources.memory.limit | string | `"20Mi"` | Maximum amount of memory that the proxy-init container can use |
 | proxyInit.resources.memory.request | string | `"20Mi"` | Amount of memory that the proxy-init container requests |
+| proxyInit.runAsGroup | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 |
 | proxyInit.runAsRoot | bool | `false` | Allow overriding the runAsNonRoot behaviour (<https://github.com/linkerd/linkerd2/issues/7308>) |
 | proxyInit.runAsUser | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsUser will be 0 |
 | proxyInit.skipSubnets | string | `""` | Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy |

charts/linkerd-control-plane/templates/destination.yaml

@@ -249,6 +249,7 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: {{.Values.controllerUID}}
+          runAsGroup: {{.Values.controllerGID}}
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault
@@ -294,6 +295,7 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: {{.Values.controllerUID}}
+          runAsGroup: {{.Values.controllerGID}}
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault
@@ -354,6 +356,7 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: {{.Values.controllerUID}}
+          runAsGroup: {{.Values.controllerGID}}
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault

charts/linkerd-control-plane/templates/heartbeat.yaml

@@ -85,6 +85,7 @@ spec:
               readOnlyRootFilesystem: true
               runAsNonRoot: true
               runAsUser: {{.Values.controllerUID}}
+              runAsGroup: {{.Values.controllerGID}}
               allowPrivilegeEscalation: false
               seccompProfile:
                 type: RuntimeDefault

charts/linkerd-control-plane/templates/identity.yaml

@@ -199,6 +199,7 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: {{.Values.controllerUID}}
+          runAsGroup: {{.Values.controllerGID}}
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault

charts/linkerd-control-plane/templates/proxy-injector.yaml

@@ -116,6 +116,7 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: {{.Values.controllerUID}}
+          runAsGroup: {{.Values.controllerGID}}
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault

charts/linkerd-control-plane/templates/psp.yaml

@@ -37,6 +37,15 @@ spec:
     {{- else }}
     rule: RunAsAny
     {{- end }}
+  runAsGroup:
+    {{- if .Values.cniEnabled }}
+    rule: MustRunAs
+    ranges:
+    - min: 1000
+      max: 999999
+    {{- else }}
+    rule: RunAsAny
+    {{- end }}
   supplementalGroups:
     rule: MustRunAs
     ranges:

charts/linkerd-control-plane/values.yaml

@@ -182,6 +182,8 @@ proxy:
       request: ""
   # -- User id under which the proxy runs
   uid: 2102
+  # -- Group id under which the proxy runs
+  gid: 2102
   # -- If set the injected proxy sidecars in the data plane will stay alive for
   # at least the given period before receiving the SIGTERM signal from
   # Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`.
@@ -297,6 +299,8 @@ proxyInit:
   runAsRoot: false
   # -- This value is used only if runAsRoot is false; otherwise runAsUser will be 0
   runAsUser: 65534
+  # -- This value is used only if runAsRoot is false; otherwise runAsGroup will be 0
+  runAsGroup: 65534
   xtMountPath:
     mountPath: /run
     name: linkerd-proxy-init-xtables-lock
@@ -344,6 +348,8 @@ controllerImageVersion: ""
 controllerReplicas: 1
 # -- User ID for the control plane components
 controllerUID: 2103
+# -- Group ID for the control plane components
+controllerGID: 2103
 
 # destination configuration
 # set resources for the sp-validator and its linkerd proxy respectively

charts/linkerd2-cni/README.md

@@ -44,6 +44,7 @@ Kubernetes: `>=1.22.0-0`
 | privileged | bool | `false` | Run the install-cni container in privileged mode |
 | proxyAdminPort | int | `4191` | Admin port for the proxy container |
 | proxyControlPort | int | `4190` | Control port for the proxy container |
+| proxyGID | int | `2102` | Group id under which the proxy shall be ran |
 | proxyUID | int | `2102` | User id under which the proxy shall be ran |
 | repairController.enableSecurityContext | bool | `true` | Include a securityContext in the repair-controller container |
 | repairController.enabled | bool | `false` | Enables the repair-controller container |

charts/linkerd2-cni/templates/cni-plugin.yaml

@@ -59,6 +59,8 @@ spec:
     rule: RunAsAny
   runAsUser:
     rule: RunAsAny
+  runAsGroup:
+    rule: RunAsAny
   seLinux:
     rule: RunAsAny
   supplementalGroups:
@@ -168,6 +170,7 @@ data:
         "incoming-proxy-port": {{.Values.inboundProxyPort}},
         "outgoing-proxy-port": {{.Values.outboundProxyPort}},
         "proxy-uid": {{.Values.proxyUID}},
+        "proxy-gid": {{.Values.proxyGID}},
         "ports-to-redirect": [{{.Values.portsToRedirect}}],
         "inbound-ports-to-ignore": ["{{- .Values.proxyAdminPort }}","{{ .Values.proxyControlPort }}"
         {{- if .Values.ignoreInboundPorts }},{{- include "partials.splitStringList" .Values.ignoreInboundPorts -}}{{- end }}],

charts/linkerd2-cni/values.yaml

@@ -20,6 +20,8 @@ logLevel:         info
 portsToRedirect:  ""
 # -- User id under which the proxy shall be ran
 proxyUID:         2102
+# -- Group id under which the proxy shall be ran
+proxyGID:         2102
 # -- Directory on the host where the CNI plugin binaries reside
 destCNINetDir:    "/etc/cni/net.d"
 # -- Directory on the host where the CNI configuration will be placed

charts/partials/templates/_network-validator.tpl

@@ -10,6 +10,7 @@ securityContext:
     drop:
     - ALL
   readOnlyRootFilesystem: true
+  runAsGroup: 65534
   runAsNonRoot: true
   runAsUser: 65534
   seccompProfile:

charts/partials/templates/_proxy-init.tpl

@@ -17,6 +17,8 @@ args:
 - {{.Values.proxy.ports.outbound | quote}}
 - --proxy-uid
 - {{.Values.proxy.uid | quote}}
+- --proxy-gid
+- {{.Values.proxy.gid | quote}}
 - --inbound-ports-to-ignore
 - "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}"
 {{- if .Values.proxyInit.ignoreOutboundPorts }}
@@ -67,11 +69,13 @@ securityContext:
   privileged: false
   {{- end }}
   {{- if .Values.proxyInit.runAsRoot }}
+  runAsGroup: 0
   runAsNonRoot: false
   runAsUser: 0
   {{- else }}
   runAsNonRoot: true
   runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }}
+  runAsGroup: {{ .Values.proxyInit.runAsGroup | int | eq 0 | ternary 65534 .Values.proxyInit.runAsGroup }}
   {{- end }}
   readOnlyRootFilesystem: true
   seccompProfile:

charts/partials/templates/_proxy.tpl

@@ -206,6 +206,7 @@ securityContext:
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: {{.Values.proxy.uid}}
+  runAsGroup: {{.Values.proxy.gid}}
   seccompProfile:
     type: RuntimeDefault
 terminationMessagePolicy: FallbackToLogsOnError

cli/cmd/doc.go

@@ -208,6 +208,10 @@ func generateAnnotationsDocs() []annotationDoc {
 			Name:        k8s.ProxyUIDAnnotation,
 			Description: "Run the proxy under this user ID",
 		},
+		{
+			Name:        k8s.ProxyGIDAnnotation,
+			Description: "Run the proxy under this group ID",
+		},
 		{
 			Name:        k8s.ProxyLogLevelAnnotation,
 			Description: "Log level for the proxy",

cli/cmd/inject.go

@@ -435,6 +435,10 @@ func getOverrideAnnotations(values *linkerd2.Values, base *linkerd2.Values) map[
 		overrideAnnotations[k8s.ProxyUIDAnnotation] = strconv.FormatInt(proxy.UID, 10)
 	}
 
+	if proxy.GID != baseProxy.GID {
+		overrideAnnotations[k8s.ProxyGIDAnnotation] = strconv.FormatInt(proxy.GID, 10)
+	}
+
 	if proxy.LogLevel != baseProxy.LogLevel {
 		overrideAnnotations[k8s.ProxyLogLevelAnnotation] = proxy.LogLevel
 	}

cli/cmd/inject_test.go

@@ -680,6 +680,7 @@ func TestProxyConfigurationAnnotations(t *testing.T) {
 	values.Proxy.Ports.Inbound = 4144
 	values.Proxy.Ports.Outbound = 4141
 	values.Proxy.UID = 999
+	values.Proxy.GID = 999
 	values.Proxy.LogLevel = "debug"
 	values.Proxy.LogFormat = "cool"
 	values.Proxy.EnableExternalProfiles = true
@@ -701,6 +702,7 @@ func TestProxyConfigurationAnnotations(t *testing.T) {
 		k8s.ProxyInboundPortAnnotation:         "4144",
 		k8s.ProxyOutboundPortAnnotation:        "4141",
 		k8s.ProxyUIDAnnotation:                 "999",
+		k8s.ProxyGIDAnnotation:                 "999",
 		k8s.ProxyLogLevelAnnotation:            "debug",
 		k8s.ProxyLogFormatAnnotation:           "cool",
 

cli/cmd/install-cni-plugin.go

@@ -42,6 +42,7 @@ type cniPluginOptions struct {
 	ignoreOutboundPorts []string
 	portsToRedirect     []uint
 	proxyUID            int64
+	proxyGID            int64
 	image               cniPluginImage
 	logLevel            string
 	destCNINetDir       string
@@ -120,6 +121,7 @@ The installation can be configured by using the --set, --values, --set-string an
 	cmd.PersistentFlags().StringVar(&options.dockerRegistry, "registry", options.dockerRegistry,
 		fmt.Sprintf("Docker registry to pull images from ($%s)", flags.EnvOverrideDockerRegistry))
 	cmd.PersistentFlags().Int64Var(&options.proxyUID, "proxy-uid", options.proxyUID, "Run the proxy under this user ID")
+	cmd.PersistentFlags().Int64Var(&options.proxyGID, "proxy-gid", options.proxyGID, "Run the proxy under this group ID")
 	cmd.PersistentFlags().UintVar(&options.inboundPort, "inbound-port", options.inboundPort, "Proxy port to use for inbound traffic")
 	cmd.PersistentFlags().UintVar(&options.outboundPort, "outbound-port", options.outboundPort, "Proxy port to use for outbound traffic")
 	cmd.PersistentFlags().UintVar(&options.proxyControlPort, "control-port", options.proxyControlPort, "Proxy port to use for control")
@@ -165,6 +167,7 @@ func newCNIInstallOptionsWithDefaults() (*cniPluginOptions, error) {
 		ignoreInboundPorts:  nil,
 		ignoreOutboundPorts: nil,
 		proxyUID:            defaults.ProxyUID,
+		proxyGID:            defaults.ProxyGID,
 		image:               cniPluginImage,
 		logLevel:            "info",
 		destCNINetDir:       defaults.DestCNINetDir,
@@ -203,6 +206,7 @@ func (options *cniPluginOptions) buildValues() (*cnicharts.Values, error) {
 	installValues.IgnoreOutboundPorts = strings.Join(options.ignoreOutboundPorts, ",")
 	installValues.PortsToRedirect = strings.Join(portsToRedirect, ",")
 	installValues.ProxyUID = options.proxyUID
+	installValues.ProxyGID = options.proxyGID
 	installValues.DestCNINetDir = options.destCNINetDir
 	installValues.DestCNIBinDir = options.destCNIBinDir
 	installValues.UseWaitFlag = options.useWaitFlag

cli/cmd/install-cni-plugin_test.go

@@ -29,6 +29,7 @@ func TestRenderCNIPlugin(t *testing.T) {
 		ignoreInboundPorts:  make([]string, 0),
 		ignoreOutboundPorts: make([]string, 0),
 		proxyUID:            12102,
+		proxyGID:            12102,
 		image:               image,
 		logLevel:            "debug",
 		destCNINetDir:       "/etc/kubernetes/cni/net.d",
@@ -46,6 +47,7 @@ func TestRenderCNIPlugin(t *testing.T) {
 		ignoreInboundPorts:  make([]string, 0),
 		ignoreOutboundPorts: make([]string, 0),
 		proxyUID:            12102,
+		proxyGID:            12102,
 		image:               image,
 		logLevel:            "debug",
 		destCNINetDir:       "/etc/kubernetes/cni/net.d",
@@ -63,6 +65,7 @@ func TestRenderCNIPlugin(t *testing.T) {
 		ignoreInboundPorts:  make([]string, 0),
 		ignoreOutboundPorts: make([]string, 0),
 		proxyUID:            12102,
+		proxyGID:            12102,
 		image:               image,
 		logLevel:            "debug",
 		destCNINetDir:       "/etc/kubernetes/cni/net.d",

cli/cmd/install_cni_helm_test.go

@@ -18,7 +18,7 @@ func TestRenderCniHelm(t *testing.T) {
 	// override most defaults with pinned values.
 	// use the Helm lib to render the templates.
 	// the golden file is generated using the following `helm template` command:
-	// bin/helm template --set namespace="linkerd-test" --set inboundProxyPort=1234 --set outboundProxyPort=5678 --set cniPluginImage="cr.l5d.io/linkerd/cni-plugin-test" --set cniPluginVersion="test-version" --set logLevel="debug" --set proxyUID=1111 --set destCNINetDir="/etc/cni/net.d-test" --set destCNIBinDir="/opt/cni/bin-test" --set useWaitFlag=true --set cliVersion=test-version charts/linkerd2-cni
+	// bin/helm template --set namespace="linkerd-test" --set inboundProxyPort=1234 --set outboundProxyPort=5678 --set cniPluginImage="cr.l5d.io/linkerd/cni-plugin-test" --set cniPluginVersion="test-version" --set logLevel="debug" --set proxyUID=1111 --set proxyGID=1111 --set destCNINetDir="/etc/cni/net.d-test" --set destCNIBinDir="/opt/cni/bin-test" --set useWaitFlag=true --set cliVersion=test-version charts/linkerd2-cni
 
 	t.Run("Cni Install with defaults", func(t *testing.T) {
 		chartCni := chartCniPlugin(t)
@@ -38,6 +38,7 @@ func TestRenderCniHelm(t *testing.T) {
 				"version": "v1.4.0"
 			},
   			"proxyUID": 1111,
+  			"proxyGID": 1111,
   			"destCNINetDir": "/etc/cni/net.d-test",
   			"destCNIBinDir": "/opt/cni/bin-test",
   			"useWaitFlag": true,

cli/cmd/install_test.go

@@ -34,6 +34,7 @@ func TestRender(t *testing.T) {
 		ControllerImage:         "ControllerImage",
 		LinkerdVersion:          "LinkerdVersion",
 		ControllerUID:           2103,
+		ControllerGID:           2103,
 		EnableH2Upgrade:         true,
 		WebhookFailurePolicy:    "WebhookFailurePolicy",
 		HeartbeatSchedule:       "1 2 3 4 5",
@@ -97,6 +98,7 @@ func TestRender(t *testing.T) {
 				Outbound: 4140,
 			},
 			UID:                  2102,
+			GID:                  2102,
 			OpaquePorts:          "25,443,587,3306,5432,11211",
 			Await:                true,
 			DefaultInboundPolicy: "default-allow-policy",
@@ -131,8 +133,9 @@ func TestRender(t *testing.T) {
 				MountPath: "/run",
 				Name:      "linkerd-proxy-init-xtables-lock",
 			},
-			RunAsRoot: false,
-			RunAsUser: 65534,
+			RunAsRoot:  false,
+			RunAsUser:  65534,
+			RunAsGroup: 65534,
 		},
 		NetworkValidator: &charts.NetworkValidator{
 			LogLevel:    "debug",

cli/cmd/options.go

@@ -81,6 +81,12 @@ func makeInstallUpgradeFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.Fl
 				return nil
 			}),
 
+		flag.NewInt64Flag(installUpgradeFlags, "controller-gid", defaults.ControllerGID,
+			"Run the control plane components under this group ID", func(values *l5dcharts.Values, value int64) error {
+				values.ControllerGID = value
+				return nil
+			}),
+
 		flag.NewBoolFlag(installUpgradeFlags, "disable-h2-upgrade", !defaults.EnableH2Upgrade,
 			"Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false)",
 			func(values *l5dcharts.Values, value bool) error {
@@ -313,6 +319,12 @@ func makeProxyFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) {
 				return nil
 			}),
 
+		flag.NewInt64Flag(proxyFlags, "proxy-gid", defaults.Proxy.GID, "Run the proxy under this group ID",
+			func(values *l5dcharts.Values, value int64) error {
+				values.Proxy.GID = value
+				return nil
+			}),
+
 		flag.NewStringFlag(proxyFlags, "proxy-log-level", defaults.Proxy.LogLevel, "Log level for the proxy",
 			func(values *l5dcharts.Values, value string) error {
 				values.Proxy.LogLevel = value

cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml

@@ -154,6 +154,7 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
+          runAsGroup: 2102
           runAsNonRoot: true
           runAsUser: 2102
           seccompProfile:
@@ -177,6 +178,8 @@ spec:
         - "4140"
         - --proxy-uid
         - "2102"
+        - --proxy-gid
+        - "2102"
         - --inbound-ports-to-ignore
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
@@ -199,6 +202,7 @@ spec:
             - NET_RAW
           privileged: false
           readOnlyRootFilesystem: true
+          runAsGroup: 65534
           runAsNonRoot: true
           runAsUser: 65534
           seccompProfile: