Add all securityContext fields in injected containers

Fixes #17318
istio · Dec 28, 2019 · 4735658 · 4735658
1 parent d5f7e40
commit 4735658
Showing 1 changed file with 31 additions and 18 deletions.
diff --git a/install/kubernetes/helm/istio/files/injection-template.yaml b/install/kubernetes/helm/istio/files/injection-template.yaml
@@ -42,14 +42,18 @@ initContainers:
   resources: {}
 {{- end }}
   securityContext:
-    runAsUser: 0
-    runAsNonRoot: false
+    allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
     capabilities:
       add:
       - NET_ADMIN
-    {{- if .Values.global.proxy.privileged }}
-    privileged: true
-    {{- end }}
+      - NET_RAW
+      drop:
+      - ALL
+    privileged: {{ .Values.global.proxy.privileged }}
+    readOnlyRootFilesystem: false
+    runAsGroup: 0
+    runAsNonRoot: false
+    runAsUser: 0
   restartPolicy: Always
 {{- end }}
 {{  end -}}
@@ -64,9 +68,17 @@ initContainers:
   imagePullPolicy: IfNotPresent
   resources: {}
   securityContext:
-    runAsUser: 0
-    runAsNonRoot: false
+    allowPrivilegeEscalation: true
+    capabilities:
+      add:
+      - SYS_ADMIN
+      drop:
+      - ALL
     privileged: true
+    readOnlyRootFilesystem: false
+    runAsGroup: 0
+    runAsNonRoot: false
+    runAsUser: 0
 {{ end }}
 {{- end }}
 containers:
@@ -265,21 +277,22 @@ containers:
     failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
   {{ end -}}
   securityContext:
-    {{- if .Values.global.proxy.privileged }}
-    privileged: true
-    {{- end }}
-    {{- if ne .Values.global.proxy.enableCoreDump true }}
-    readOnlyRootFilesystem: true
-    {{- end }}
-    {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+    allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
     capabilities:
+      {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
       add:
       - NET_ADMIN
+      {{- end }}
+      drop:
+      - ALL
+    privileged: {{ .Values.global.proxy.privileged }}
+    readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
     runAsGroup: 1337
-    {{ else -}}
-    {{ if .Values.global.sds.enabled }}
-    runAsGroup: 1337
-    {{- end }}
+    {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+    runAsNonRoot: false
+    runAsUser: 0
+    {{- else -}}
+    runAsNonRoot: true
     runAsUser: 1337
     {{- end }}
   resources: