use rootless containers where possible

[kschoche]

Changes proposed in this PR:

• Add a security context to the init copy container and the envoy sidecar and ensure they run as non-root.
• Add RunAsNonRoot: false to the connt-init container so that it can run as root even if the Pod has this disabled. This should address [0.32.0-beta1] container's runAsUser breaks non-root policy consul-helm#918.
• Remove an unused param in the envoySidecar() function.

How I've tested this PR:
unit tests.
I've deployed this into a test cluster with a sample app that has:
(1) no pod security contexts
and
(2) pod security context :

  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
    runAsNonRoot: true

and confirmed that the pod deploys succesfully with the changes to the init container and fails without them.

How I expect reviewers to test this PR:
unit tests / run it.

Checklist:

• Tests added
• CHANGELOG entry added (HashiCorp engineers only, community PRs should not add a changelog entry)

[ishustava]

Looks great!! The only thing that's blocking I think is failing when security context of the application container (not only pod) uses the same uid as Envoy. Everything else looks great!

[ishustava]

Also use RunAsNonRoot: false for connect-init's container when tproxy is enabled.

should this be recorded as a bug?

[kschoche]

Sure! good idea!

[ishustava]

🙏

[lkysow]

Looks good. Mainly wondering about the uid for the copy container.

[lkysow]

Suggested change

	* Connect: Use `RunAsNonRoot: false` for connect-init's container when tproxy is enabled. [[GH-493](https://github.com/hashicorp/consul-k8s/pull/493)]
	* Connect: Use `runAsNonRoot: false` for connect-init's container when tproxy is enabled. [[GH-493](https://github.com/hashicorp/consul-k8s/pull/493)]

[lkysow]

I found this comment confusing because it says it's envoy's UID but then it says it's for the command consul connect redirect-traffic.

Upon further reading I see that this is what gets passed into that command's -proxy-uid flag so that makes sense now but I'm thinking this comment should either just say "this is envoy's linux user id" without talking about the redirect-traffic command or it should say "this is envoy's linux user id that will be passed to the -proxy-uid flag of consul connect redirect-traffic".

[lkysow]

Suggested change

	// EnvoyUID is the UID that `consul connect redirect-traffic` will use when tproxy is enabled.
	// EnvoyUID is the Linux user ID that `consul connect redirect-traffic` will use when tproxy is enabled.

For folks that don't know what UID stands for.

[lkysow]

why does the copy container need to run as the envoy user?

[kschoche]

Without setting a UID it will run as root because that is the default of the consul container.

[lkysow]

Ahh interesting. So we can pick any random uid here as long at it's not 0 and we're good?

Can you add a comment explaining that here 🙏

[kschoche]

Yup, exactly! And I just picked the same UID as envoy so I didn't have to make another constant. I'll definitely add a comment to clarify thanks for pointing this out!!

$ kubectl exec -it counting -c envoy-sidecar -- sh
/ $ ls -lah /consul/connect-inject/consul
-rwxr-xr-x    1 5995     5995      111.7M Apr 20 20:44 /consul/connect-inject/consul

[ishustava]

Maybe to avoid confusion, we should use a different user? In the RFC, we proposed 5996.

[lkysow]

I think we can pass it in as an int since the template will render it corrctly.

[lkysow]

Looks like none of the test cases set CmdNot so you can remove this field altogether.

[kschoche]

nice catch!

[lkysow]

🍺

[lkysow]

Suggested change

	return corev1.Container{}, fmt.Errorf("user containers cannot have the same uid as envoy: %v", envoyUserAndGroupID)
	return corev1.Container{}, fmt.Errorf("container %q has runAsUser set to the same uid %q as envoy which is not allowed", c.Name, envoyUserAndGroupID)

This error will be shown during kubectl describe so I think it should make sense in that context and be as helpful as possible. A user won't think of their containers as "user containers", they'll just think of them as their pod's containers. Nice to include the specific container's name too. This is just a suggestion for a possible error that meets that criteria.

[lkysow]

👍 good test coverage.

[ishustava]

I think we should also call out that we will error out if you have the same user as envoy as a breaking change. Unless we want to error out only when tproxy is enabled.

[kschoche]

Yeah good point. But now I have a FEATURE + BREAKING CHANGE + BUG FIX entry in the changelog against the same PR, can we consolidate this somehow?

[ishustava]

Haha, yes that's true. Maybe change the non-bug fix to a breaking change and add a note about what's breaking.

[kschoche]

@ishustava how does this look?

[ishustava]

Perfect!

[ishustava]

Maybe to avoid confusion, we should use a different user? In the RFC, we proposed 5996.

[kschoche]

Unused in this test.