Restrict the amount of work being done in a privileged container in the reversed vpn client. #6352
Conversation
gardener-prow
bot
added
kind/cleanup
|
/cc @DockToFuture @marwinski @ialidzhikov |
gardener-prow
bot
added
the
do-not-merge/hold
There was a problem hiding this comment.
@marwinski can you also review this PR as it is related to #6346?
ScheererJ
force-pushed
the
reversed-vpn/restricted-privilege-for-client
branch
from
476950a
to
fa092d7
Compare
ScheererJ
force-pushed
the
reversed-vpn/restricted-privilege-for-client
branch
from
fa092d7
to
284a715
Compare
|
/lgtm |
|
@ScheererJ can you rebase after #6349 is merged? |
@ialidzhikov I sure can even though I do not quite understand why it would be required (as the changes are in unrelated files). |
How I am supposed to test locally this PR as it relies on new env vars like |
|
@ialidzhikov The end-to-end test will likely fail as the init container will not stop with the old image version. You can test it locally be referencing the new vpn2 release instead of the existing one. |
ScheererJ
force-pushed
the
reversed-vpn/restricted-privilege-for-client
branch
from
284a715
to
a5c46a6
Compare
|
@ialidzhikov Rebased as requested. |
ScheererJ
force-pushed
the
reversed-vpn/restricted-privilege-for-client
branch
from
a5c46a6
to
89a6891
Compare
|
/retest |
There was a problem hiding this comment.
I wasn't able to test this from from the /dev/net/tun point of view this will work. The way the init container is implemented looks a bit like a hack due to the environment variable control. Maybe a separate script would have been more appropriate but this is minor.
|
@marwinski: adding LGTM is restricted to approvers and reviewers in OWNERS files. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
ScheererJ
force-pushed
the
reversed-vpn/restricted-privilege-for-client
branch
from
89a6891
to
be7d7ce
Compare
…he reversed vpn client. It is not necessary for the vpn-seed-server to run as privileged container. The tun device required for vpn operation can be mounted into the container namespace. The remaining work requiring privileged work can be moved into an init container. In case the container should run as non-root user in the future, it might help to create a separate tun device in a privileged init container as described in https://community.openvpn.net/openvpn/wiki/UnprivilegedUser#TUNTAPDevice .
ScheererJ
force-pushed
the
reversed-vpn/restricted-privilege-for-client
branch
from
be7d7ce
to
6d083de
Compare
gardener-prow
bot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: DockToFuture, ialidzhikov, marwinski The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
gardener-prow
bot
added
lgtm
How to categorize this PR?
/area networking
/kind cleanup
What this PR does / why we need it:
Restrict the amount of work being done in a privileged container in the reversed vpn client.
It is not necessary for the vpn-seed-server to run as privileged container. The tun
device required for vpn operation can be mounted into the container namespace. The
remaining work requiring privileged work can be moved into an init container.
In case the container should run as non-root user in the future, it might help to
create a separate tun device in a privileged init container as described in
https://community.openvpn.net/openvpn/wiki/UnprivilegedUser#TUNTAPDevice .
Which issue(s) this PR fixes:
Partially addresses gardener-attic/vpn#41.
Special notes for your reviewer:
Release note: