Make privilege escalation configurable in Helm (#7521)
Disabling privilege escalation is a security best practice. But
currently this is not supported when installing from Helm.

A parameter called `privilegeEscalationEnabled` is added to the Helm
chart. The default value is `true` to avoid breaking changes to the Helm
chart.

Fixes #7282

Signed-off-by: Kim Christensen <[email protected]>
kichristensen authored Jan 3, 2022
1 parent c2eac91 commit 75903af
Showing 21 changed files with 107 additions and 0 deletions.
3 changes: 3 additions & 0 deletions charts/linkerd-control-plane/templates/destination.yaml
Expand Up @@ -218,6 +218,7 @@ spec:
{{- end }}
securityContext:
runAsUser: {{.Values.controllerUID}}
allowPrivilegeEscalation: false
- args:
- sp-validator
- -log-level={{.Values.controllerLogLevel}}
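Review bot: the added line hard-codes `allowPrivilegeEscalation: false`, but the commit message says the chart gains a `privilegeEscalationEnabled` parameter that defaults to `true` to avoid a breaking change, and nothing in this hunk reads that value. If configurability is the goal, render the key from the value, e.g. `allowPrivilegeEscalation: {{ .Values.privilegeEscalationEnabled }}`, so that the documented default actually applies; if hard-coding `false` is the intent, the message and the `Fixes #7282` claim should say so. Pairing `allowPrivilegeEscalation: false` with the existing `runAsUser: {{.Values.controllerUID}}` is the right posture for the destination container, so the question is only whether the value is meant to be a knob.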
Expand Down Expand Up @@ -245,6 +246,7 @@ spec:
{{- end }}
securityContext:
runAsUser: {{.Values.controllerUID}}
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /var/run/linkerd/tls
name: sp-tls
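Review bot: the same literal is repeated verbatim for every container's `securityContext` in this file and in the other templates in this commit; a named Helm template for the shared `securityContext` block would keep the six additions in sync and give one place to switch to the `privilegeEscalationEnabled` value if it becomes configurable, instead of editing each `allowPrivilegeEscalation: false` line by hand.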
Expand Down Expand Up @@ -289,6 +291,7 @@ spec:
{{- end }}
securityContext:
runAsUser: {{.Values.controllerUID}}
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /var/run/linkerd/tls
name: policy-tls
1 change: 1 addition & 0 deletions charts/linkerd-control-plane/templates/heartbeat.yaml
Expand Up @@ -63,4 +63,5 @@ spec:
{{- end }}
securityContext:
runAsUser: {{.Values.controllerUID}}
allowPrivilegeEscalation: false
{{- end }}
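Review bot: this hunk touches the last lines of the file (`-63,4 +63,5`) and places the new key directly before the closing `{{- end }}`; indentation is not visible in this rendering, so confirm that `allowPrivilegeEscalation: false` is a sibling of `runAsUser` under the container's `securityContext` and not left at pod level, where a pod-level `securityContext` would not accept the key and `helm template` would render invalid YAML for the heartbeat CronJob.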
1 change: 1 addition & 0 deletions charts/linkerd-control-plane/templates/identity.yaml
Expand Up @@ -179,6 +179,7 @@ spec:
{{- end }}
securityContext:
runAsUser: {{.Values.controllerUID}}
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
1 change: 1 addition & 0 deletions charts/linkerd-control-plane/templates/proxy-injector.yaml
Expand Up @@ -97,6 +97,7 @@ spec:
{{- end }}
securityContext:
runAsUser: {{.Values.controllerUID}}
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
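Review bot: with this hunk the template additions total six (destination 3, heartbeat 1, identity 1, proxy-injector 1), which matches the 6 additions reported for each `cli/cmd/testdata/*.golden` file below, so the golden regeneration looks complete for these templates; the remaining changed files (21 in total, 12 rendered here) are where `privilegeEscalationEnabled` would have to be declared and documented, and they are not shown on this page, so that part of the change cannot be reviewed from here.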
6 changes: 6 additions & 0 deletions cli/cmd/testdata/install_controlplane_tracing_output.golden

6 changes: 6 additions & 0 deletions cli/cmd/testdata/install_custom_domain.golden

6 changes: 6 additions & 0 deletions cli/cmd/testdata/install_custom_registry.golden

6 changes: 6 additions & 0 deletions cli/cmd/testdata/install_default.golden

6 changes: 6 additions & 0 deletions cli/cmd/testdata/install_default_override_dst_get_nets.golden

6 changes: 6 additions & 0 deletions cli/cmd/testdata/install_default_token.golden

6 changes: 6 additions & 0 deletions cli/cmd/testdata/install_ha_output.golden

0 comments on commit 75903af