Set ReadOnlyRootFilesystem and AllowPrivilegeEscalation to false (#3498…

…) (#3513)

Tighten up privileges for consul-dataplane and connect-init containers when CNI is enabled.

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

control-plane/connect-inject/webhook/consul_dataplane_sidecar.go

@@ -216,10 +216,11 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor
 			}
 		}
 		container.SecurityContext = &corev1.SecurityContext{
-			RunAsUser:              pointer.Int64(sidecarUserAndGroupID),
-			RunAsGroup:             pointer.Int64(sidecarUserAndGroupID),
-			RunAsNonRoot:           pointer.Bool(true),
-			ReadOnlyRootFilesystem: pointer.Bool(true),
+			RunAsUser:                pointer.Int64(sidecarUserAndGroupID),
+			RunAsGroup:               pointer.Int64(sidecarUserAndGroupID),
+			RunAsNonRoot:             pointer.Bool(true),
+			AllowPrivilegeEscalation: pointer.Bool(false),
+			ReadOnlyRootFilesystem:   pointer.Bool(true),
 		}
 	}
 

control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go

@@ -798,20 +798,22 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 			tproxyEnabled:    false,
 			openShiftEnabled: false,
 			expSecurityContext: &corev1.SecurityContext{
-				RunAsUser:              pointer.Int64(sidecarUserAndGroupID),
-				RunAsGroup:             pointer.Int64(sidecarUserAndGroupID),
-				RunAsNonRoot:           pointer.Bool(true),
-				ReadOnlyRootFilesystem: pointer.Bool(true),
+				RunAsUser:                pointer.Int64(sidecarUserAndGroupID),
+				RunAsGroup:               pointer.Int64(sidecarUserAndGroupID),
+				RunAsNonRoot:             pointer.Bool(true),
+				ReadOnlyRootFilesystem:   pointer.Bool(true),
+				AllowPrivilegeEscalation: pointer.Bool(false),
 			},
 		},
 		"tproxy enabled; openshift disabled": {
 			tproxyEnabled:    true,
 			openShiftEnabled: false,
 			expSecurityContext: &corev1.SecurityContext{
-				RunAsUser:              pointer.Int64(sidecarUserAndGroupID),
-				RunAsGroup:             pointer.Int64(sidecarUserAndGroupID),
-				RunAsNonRoot:           pointer.Bool(true),
-				ReadOnlyRootFilesystem: pointer.Bool(true),
+				RunAsUser:                pointer.Int64(sidecarUserAndGroupID),
+				RunAsGroup:               pointer.Int64(sidecarUserAndGroupID),
+				RunAsNonRoot:             pointer.Bool(true),
+				ReadOnlyRootFilesystem:   pointer.Bool(true),
+				AllowPrivilegeEscalation: pointer.Bool(false),
 			},
 		},
 		"tproxy disabled; openshift enabled": {
@@ -823,10 +825,11 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 			tproxyEnabled:    true,
 			openShiftEnabled: true,
 			expSecurityContext: &corev1.SecurityContext{
-				RunAsUser:              pointer.Int64(sidecarUserAndGroupID),
-				RunAsGroup:             pointer.Int64(sidecarUserAndGroupID),
-				RunAsNonRoot:           pointer.Bool(true),
-				ReadOnlyRootFilesystem: pointer.Bool(true),
+				RunAsUser:                pointer.Int64(sidecarUserAndGroupID),
+				RunAsGroup:               pointer.Int64(sidecarUserAndGroupID),
+				RunAsNonRoot:             pointer.Bool(true),
+				ReadOnlyRootFilesystem:   pointer.Bool(true),
+				AllowPrivilegeEscalation: pointer.Bool(false),
 			},
 		},
 	}

control-plane/connect-inject/webhook/container_init.go

@@ -260,6 +260,8 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod,
 				Capabilities: &corev1.Capabilities{
 					Drop: []corev1.Capability{"ALL"},
 				},
+				ReadOnlyRootFilesystem:   pointer.Bool(true),
+				AllowPrivilegeEscalation: pointer.Bool(false),
 			}
 		}
 	}

control-plane/connect-inject/webhook/container_init_test.go

@@ -299,6 +299,8 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) {
 					Capabilities: &corev1.Capabilities{
 						Drop: []corev1.Capability{"ALL"},
 					},
+					ReadOnlyRootFilesystem:   pointer.Bool(true),
+					AllowPrivilegeEscalation: pointer.Bool(false),
 				}
 			} else if c.expTproxyEnabled {
 				expectedSecurityContext = &corev1.SecurityContext{