feat: make group ID configurable

charts/linkerd-control-plane/README.md

@@ -148,6 +148,7 @@ Kubernetes: `>=1.22.0-0`
 | controlPlaneTracingNamespace | string | `"linkerd-jaeger"` | namespace to send control plane traces to |
 | controller.podDisruptionBudget | object | `{"maxUnavailable":1}` | sets pod disruption budget parameter for all deployments |
 | controller.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number of pods that can be unavailable during disruption |
+| controllerGID | int | `-1` | Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0) |
 | controllerImage | string | `"cr.l5d.io/linkerd/controller"` | Docker image for the destination and identity components |
 | controllerImageVersion | string | `""` | Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. |
 | controllerLogFormat | string | `"plain"` | Log format for the control plane components |
@@ -240,6 +241,7 @@ Kubernetes: `>=1.22.0-0`
 | proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value |
 | proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value |
 | proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services |
+| proxy.gid | int | `-1` | Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0) |
 | proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy |
 | proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container image |
 | proxy.image.version | string | linkerdVersion | Tag for the proxy container image |
@@ -291,6 +293,7 @@ Kubernetes: `>=1.22.0-0`
 | proxyInit.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the proxy-init container requests |
 | proxyInit.resources.memory.limit | string | `"20Mi"` | Maximum amount of memory that the proxy-init container can use |
 | proxyInit.resources.memory.request | string | `"20Mi"` | Amount of memory that the proxy-init container requests |
+| proxyInit.runAsGroup | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 |
 | proxyInit.runAsRoot | bool | `false` | Allow overriding the runAsNonRoot behaviour (<https://github.com/linkerd/linkerd2/issues/7308>) |
 | proxyInit.runAsUser | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsUser will be 0 |
 | proxyInit.skipSubnets | string | `""` | Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy |

charts/linkerd-control-plane/templates/destination.yaml

@@ -256,6 +256,9 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: {{.Values.controllerUID}}
+          {{- if ge (int .Values.controllerGID) 0 }}
+          runAsGroup: {{.Values.controllerGID}}
+          {{- end }}
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault
@@ -301,6 +304,9 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: {{.Values.controllerUID}}
+          {{- if ge (int .Values.controllerGID) 0 }}
+          runAsGroup: {{.Values.controllerGID}}
+          {{- end }}
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault
@@ -361,6 +367,9 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: {{.Values.controllerUID}}
+          {{- if ge (int .Values.controllerGID) 0 }}
+          runAsGroup: {{.Values.controllerGID}}
+          {{- end }}
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault

charts/linkerd-control-plane/templates/heartbeat.yaml

@@ -85,6 +85,9 @@ spec:
               readOnlyRootFilesystem: true
               runAsNonRoot: true
               runAsUser: {{.Values.controllerUID}}
+              {{- if ge (int .Values.controllerGID) 0 }}
+              runAsGroup: {{.Values.controllerGID}}
+              {{- end }}
               allowPrivilegeEscalation: false
               seccompProfile:
                 type: RuntimeDefault

charts/linkerd-control-plane/templates/identity.yaml

@@ -200,6 +200,9 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: {{.Values.controllerUID}}
+          {{- if ge (int .Values.controllerGID) 0 }}
+          runAsGroup: {{.Values.controllerGID}}
+          {{- end }}
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault

charts/linkerd-control-plane/templates/proxy-injector.yaml

@@ -119,6 +119,9 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: {{.Values.controllerUID}}
+          {{- if ge (int .Values.controllerGID) 0 }}
+          runAsGroup: {{.Values.controllerGID}}
+          {{- end }}
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault

charts/linkerd-control-plane/templates/psp.yaml

@@ -37,6 +37,15 @@ spec:
     {{- else }}
     rule: RunAsAny
     {{- end }}
+  runAsGroup:
+    {{- if .Values.cniEnabled }}
+    rule: MustRunAs
+    ranges:
+    - min: 1000
+      max: 999999
+    {{- else }}
+    rule: RunAsAny
+    {{- end }}
   supplementalGroups:
     rule: MustRunAs
     ranges:

charts/linkerd-control-plane/values.yaml

@@ -184,6 +184,9 @@ proxy:
       request: ""
   # -- User id under which the proxy runs
   uid: 2102
+  # -- (int) Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0)
+  gid: -1
+
   # -- If set the injected proxy sidecars in the data plane will stay alive for
   # at least the given period before receiving the SIGTERM signal from
   # Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`.
@@ -313,6 +316,8 @@ proxyInit:
   runAsRoot: false
   # -- This value is used only if runAsRoot is false; otherwise runAsUser will be 0
   runAsUser: 65534
+  # -- This value is used only if runAsRoot is false; otherwise runAsGroup will be 0
+  runAsGroup: 65534
   xtMountPath:
     mountPath: /run
     name: linkerd-proxy-init-xtables-lock
@@ -360,6 +365,8 @@ controllerImageVersion: ""
 controllerReplicas: 1
 # -- User ID for the control plane components
 controllerUID: 2103
+# -- (int) Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0)
+controllerGID: -1
 
 # destination configuration
 # set resources for the sp-validator and its linkerd proxy respectively

charts/linkerd2-cni/README.md

@@ -44,6 +44,7 @@ Kubernetes: `>=1.22.0-0`
 | privileged | bool | `false` | Run the install-cni container in privileged mode |
 | proxyAdminPort | int | `4191` | Admin port for the proxy container |
 | proxyControlPort | int | `4190` | Control port for the proxy container |
+| proxyGID | int | `-1` | Optional customisation of the group id under which the proxy shall be ran (the group ID will be omitted if lower than 0) |
 | proxyUID | int | `2102` | User id under which the proxy shall be ran |
 | repairController.enableSecurityContext | bool | `true` | Include a securityContext in the repair-controller container |
 | repairController.enabled | bool | `false` | Enables the repair-controller container |

charts/linkerd2-cni/templates/cni-plugin.yaml

@@ -59,6 +59,8 @@ spec:
     rule: RunAsAny
   runAsUser:
     rule: RunAsAny
+  runAsGroup:
+    rule: RunAsAny
   seLinux:
     rule: RunAsAny
   supplementalGroups:
@@ -168,6 +170,9 @@ data:
         "incoming-proxy-port": {{.Values.inboundProxyPort}},
         "outgoing-proxy-port": {{.Values.outboundProxyPort}},
         "proxy-uid": {{.Values.proxyUID}},
+        {{- if ge (int .Values.proxyGID) 0 }}
+        "proxy-gid": {{.Values.proxyGID}},
+        {{- end }}
         "ports-to-redirect": [{{.Values.portsToRedirect}}],
         "inbound-ports-to-ignore": ["{{- .Values.proxyAdminPort }}","{{ .Values.proxyControlPort }}"
         {{- if .Values.ignoreInboundPorts }},{{- include "partials.splitStringList" .Values.ignoreInboundPorts -}}{{- end }}],

charts/linkerd2-cni/values.yaml

@@ -20,6 +20,8 @@ logLevel:         info
 portsToRedirect:  ""
 # -- User id under which the proxy shall be ran
 proxyUID:         2102
+# -- (int) Optional customisation of the group id under which the proxy shall be ran (the group ID will be omitted if lower than 0)
+proxyGID: -1
 # -- Directory on the host where the CNI plugin binaries reside
 destCNINetDir:    "/etc/cni/net.d"
 # -- Directory on the host where the CNI configuration will be placed

charts/partials/templates/_network-validator.tpl

@@ -10,6 +10,7 @@ securityContext:
     drop:
     - ALL
   readOnlyRootFilesystem: true
+  runAsGroup: 65534
   runAsNonRoot: true
   runAsUser: 65534
   seccompProfile:

charts/partials/templates/_proxy-init.tpl

@@ -17,6 +17,10 @@ args:
 - {{.Values.proxy.ports.outbound | quote}}
 - --proxy-uid
 - {{.Values.proxy.uid | quote}}
+{{- if ge (int .Values.proxy.gid) 0 }}
+- --proxy-gid
+- {{.Values.proxy.gid | quote}}
+{{- end }}
 - --inbound-ports-to-ignore
 - "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}"
 {{- if .Values.proxyInit.ignoreOutboundPorts }}
@@ -67,11 +71,13 @@ securityContext:
   privileged: false
   {{- end }}
   {{- if .Values.proxyInit.runAsRoot }}
+  runAsGroup: 0
   runAsNonRoot: false
   runAsUser: 0
   {{- else }}
   runAsNonRoot: true
   runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }}
+  runAsGroup: {{ .Values.proxyInit.runAsGroup | int | eq 0 | ternary 65534 .Values.proxyInit.runAsGroup }}
   {{- end }}
   readOnlyRootFilesystem: true
   seccompProfile:

charts/partials/templates/_proxy.tpl

@@ -220,6 +220,9 @@ securityContext:
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: {{.Values.proxy.uid}}
+{{- if ge (int .Values.proxy.gid) 0 }}
+  runAsGroup: {{.Values.proxy.gid}}
+{{- end }}
   seccompProfile:
     type: RuntimeDefault
 terminationMessagePolicy: FallbackToLogsOnError

cli/cmd/doc.go

@@ -208,6 +208,10 @@ func generateAnnotationsDocs() []annotationDoc {
 			Name:        k8s.ProxyUIDAnnotation,
 			Description: "Run the proxy under this user ID",
 		},
+		{
+			Name:        k8s.ProxyGIDAnnotation,
+			Description: "Run the proxy under this group ID",
+		},
 		{
 			Name:        k8s.ProxyLogLevelAnnotation,
 			Description: "Log level for the proxy",

cli/cmd/inject.go

@@ -438,6 +438,10 @@ func getOverrideAnnotations(values *linkerd2.Values, base *linkerd2.Values) map[
 		overrideAnnotations[k8s.ProxyUIDAnnotation] = strconv.FormatInt(proxy.UID, 10)
 	}
 
+	if proxy.GID >= 0 && (baseProxy.GID < 0 || proxy.GID != baseProxy.GID) {
+		overrideAnnotations[k8s.ProxyGIDAnnotation] = strconv.FormatInt(proxy.GID, 10)
+	}
+
 	if proxy.LogLevel != baseProxy.LogLevel {
 		overrideAnnotations[k8s.ProxyLogLevelAnnotation] = proxy.LogLevel
 	}

cli/cmd/inject_test.go

@@ -708,6 +708,7 @@ func TestProxyConfigurationAnnotations(t *testing.T) {
 	values.Proxy.Ports.Inbound = 4144
 	values.Proxy.Ports.Outbound = 4141
 	values.Proxy.UID = 999
+	values.Proxy.GID = 999
 	values.Proxy.LogLevel = "debug"
 	values.Proxy.LogFormat = "cool"
 	values.Proxy.EnableExternalProfiles = true
@@ -729,6 +730,7 @@ func TestProxyConfigurationAnnotations(t *testing.T) {
 		k8s.ProxyInboundPortAnnotation:         "4144",
 		k8s.ProxyOutboundPortAnnotation:        "4141",
 		k8s.ProxyUIDAnnotation:                 "999",
+		k8s.ProxyGIDAnnotation:                 "999",
 		k8s.ProxyLogLevelAnnotation:            "debug",
 		k8s.ProxyLogFormatAnnotation:           "cool",
 

cli/cmd/install-cni-plugin.go

@@ -42,6 +42,7 @@ type cniPluginOptions struct {
 	ignoreOutboundPorts []string
 	portsToRedirect     []uint
 	proxyUID            int64
+	proxyGID            int64
 	image               cniPluginImage
 	logLevel            string
 	destCNINetDir       string
@@ -120,6 +121,7 @@ The installation can be configured by using the --set, --values, --set-string an
 	cmd.PersistentFlags().StringVar(&options.dockerRegistry, "registry", options.dockerRegistry,
 		fmt.Sprintf("Docker registry to pull images from ($%s)", flags.EnvOverrideDockerRegistry))
 	cmd.PersistentFlags().Int64Var(&options.proxyUID, "proxy-uid", options.proxyUID, "Run the proxy under this user ID")
+	cmd.PersistentFlags().Int64Var(&options.proxyGID, "proxy-gid", options.proxyGID, "Run the proxy under this group ID")
 	cmd.PersistentFlags().UintVar(&options.inboundPort, "inbound-port", options.inboundPort, "Proxy port to use for inbound traffic")
 	cmd.PersistentFlags().UintVar(&options.outboundPort, "outbound-port", options.outboundPort, "Proxy port to use for outbound traffic")
 	cmd.PersistentFlags().UintVar(&options.proxyControlPort, "control-port", options.proxyControlPort, "Proxy port to use for control")
@@ -165,6 +167,7 @@ func newCNIInstallOptionsWithDefaults() (*cniPluginOptions, error) {
 		ignoreInboundPorts:  nil,
 		ignoreOutboundPorts: nil,
 		proxyUID:            defaults.ProxyUID,
+		proxyGID:            defaults.ProxyGID,
 		image:               cniPluginImage,
 		logLevel:            "info",
 		destCNINetDir:       defaults.DestCNINetDir,
@@ -203,6 +206,7 @@ func (options *cniPluginOptions) buildValues() (*cnicharts.Values, error) {
 	installValues.IgnoreOutboundPorts = strings.Join(options.ignoreOutboundPorts, ",")
 	installValues.PortsToRedirect = strings.Join(portsToRedirect, ",")
 	installValues.ProxyUID = options.proxyUID
+	installValues.ProxyGID = options.proxyGID
 	installValues.DestCNINetDir = options.destCNINetDir
 	installValues.DestCNIBinDir = options.destCNIBinDir
 	installValues.UseWaitFlag = options.useWaitFlag

cli/cmd/install-cni-plugin_test.go

@@ -29,6 +29,7 @@ func TestRenderCNIPlugin(t *testing.T) {
 		ignoreInboundPorts:  make([]string, 0),
 		ignoreOutboundPorts: make([]string, 0),
 		proxyUID:            12102,
+		proxyGID:            12102,
 		image:               image,
 		logLevel:            "debug",
 		destCNINetDir:       "/etc/kubernetes/cni/net.d",
@@ -46,6 +47,7 @@ func TestRenderCNIPlugin(t *testing.T) {
 		ignoreInboundPorts:  make([]string, 0),
 		ignoreOutboundPorts: make([]string, 0),
 		proxyUID:            12102,
+		proxyGID:            12102,
 		image:               image,
 		logLevel:            "debug",
 		destCNINetDir:       "/etc/kubernetes/cni/net.d",
@@ -63,6 +65,7 @@ func TestRenderCNIPlugin(t *testing.T) {
 		ignoreInboundPorts:  make([]string, 0),
 		ignoreOutboundPorts: make([]string, 0),
 		proxyUID:            12102,
+		proxyGID:            12102,
 		image:               image,
 		logLevel:            "debug",
 		destCNINetDir:       "/etc/kubernetes/cni/net.d",

cli/cmd/install_cni_helm_test.go

@@ -18,7 +18,7 @@ func TestRenderCniHelm(t *testing.T) {
 	// override most defaults with pinned values.
 	// use the Helm lib to render the templates.
 	// the golden file is generated using the following `helm template` command:
-	// bin/helm template --set namespace="linkerd-test" --set inboundProxyPort=1234 --set outboundProxyPort=5678 --set cniPluginImage="cr.l5d.io/linkerd/cni-plugin-test" --set cniPluginVersion="test-version" --set logLevel="debug" --set proxyUID=1111 --set destCNINetDir="/etc/cni/net.d-test" --set destCNIBinDir="/opt/cni/bin-test" --set useWaitFlag=true --set cliVersion=test-version charts/linkerd2-cni
+	// bin/helm template --set namespace="linkerd-test" --set inboundProxyPort=1234 --set outboundProxyPort=5678 --set cniPluginImage="cr.l5d.io/linkerd/cni-plugin-test" --set cniPluginVersion="test-version" --set logLevel="debug" --set proxyUID=1111 --set proxyGID=1111 --set destCNINetDir="/etc/cni/net.d-test" --set destCNIBinDir="/opt/cni/bin-test" --set useWaitFlag=true --set cliVersion=test-version charts/linkerd2-cni
 
 	t.Run("Cni Install with defaults", func(t *testing.T) {
 		chartCni := chartCniPlugin(t)
@@ -38,6 +38,7 @@ func TestRenderCniHelm(t *testing.T) {
 				"version": "v1.4.0"
 			},
   			"proxyUID": 1111,
+  			"proxyGID": 1111,
   			"destCNINetDir": "/etc/cni/net.d-test",
   			"destCNIBinDir": "/opt/cni/bin-test",
   			"useWaitFlag": true,

cli/cmd/install_helm_test.go

@@ -35,6 +35,16 @@ func TestRenderHelm(t *testing.T) {
 		testRenderHelm(t, chartControlPlane, "install_helm_control_plane_output_ha.golden")
 	})
 
+	t.Run("HA mode with GID", func(t *testing.T) {
+		additionalConfig := `
+controllerGID: 1324
+proxy:
+  gid: 4231
+`
+		chartControlPlane := chartControlPlane(t, true, additionalConfig, "111", "222")
+		testRenderHelm(t, chartControlPlane, "install_helm_control_plane_output_ha_with_gid.golden")
+	})
+
 	t.Run("HA mode with podLabels and podAnnotations", func(t *testing.T) {
 		additionalConfig := `
 podLabels: