Merge pull request tigera#2645 from sridhartigera/host-path-init

Use correct calico-node UID when running in non-privileged mode.
sridhartigera · May 18, 2023 · d21ee8c · d21ee8c
1 parent c99b7e5
commit d21ee8c
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 5 deletions.
diff --git a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
@@ -68,6 +68,12 @@ spec:
                   the cluster.  It should not match the workload interfaces (usually
                   named cali...).
                 type: string
+              bpfDisableGROForIfaces:
+                description: BPFDisableGROForIfaces is a regular expression that controls
+                  which interfaces Felix should disable the Generic Receive Offload
+                  [GRO] option.  It should not match the workload interfaces (usually
+                  named cali...).
+                type: string
               bpfDisableUnprivileged:
                 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
                   sysctl to disable unprivileged use of BPF.  This ensures that unprivileged

diff --git a/pkg/render/node.go b/pkg/render/node.go
@@ -1070,6 +1070,9 @@ func (c *nodeComponent) nodeContainer() corev1.Container {
 			"NET_BIND_SERVICE",
 			"NET_RAW",
 		}
+		// Set the privilege escalation to true so that routes, ipsets can be programmed.
+		sc.AllowPrivilegeEscalation = ptr.BoolToPtr(true)
+		sc.Capabilities.Drop = []corev1.Capability{}
 	}
 
 	lp, rp := c.nodeLivenessReadinessProbes()
@@ -1660,9 +1663,9 @@ func (c *nodeComponent) hostPathInitContainer() corev1.Container {
 		Image:   c.nodeImage,
 		Command: []string{"sh", "-c", "calico-node -hostpath-init"},
 		Env: []corev1.EnvVar{
-			{Name: "NODE_USER_ID", Value: "999"},
+			{Name: "NODE_USER_ID", Value: "10001"},
 		},
-		SecurityContext: securitycontext.NewRootContext(false),
+		SecurityContext: securitycontext.NewRootContext(true),
 		VolumeMounts:    mounts,
 	}
 }

diff --git a/pkg/render/node_test.go b/pkg/render/node_test.go
@@ -841,14 +841,14 @@ var _ = Describe("Node rendering tests", func() {
 				nodeContainer := rtest.GetContainer(ds.Spec.Template.Spec.Containers, "calico-node")
 				Expect(nodeContainer).ToNot(BeNil())
 				Expect(nodeContainer.SecurityContext).ToNot(BeNil())
-				Expect(*nodeContainer.SecurityContext.AllowPrivilegeEscalation).To(BeFalse())
+				Expect(*nodeContainer.SecurityContext.AllowPrivilegeEscalation).To(BeTrue())
 				Expect(*nodeContainer.SecurityContext.Privileged).To(BeFalse())
 				Expect(*nodeContainer.SecurityContext.RunAsGroup).To(BeEquivalentTo(0))
 				Expect(*nodeContainer.SecurityContext.RunAsNonRoot).To(BeTrue())
 				Expect(*nodeContainer.SecurityContext.RunAsUser).To(BeEquivalentTo(10001))
 				Expect(nodeContainer.SecurityContext.Capabilities).To(Equal(
 					&corev1.Capabilities{
-						Drop: []corev1.Capability{"ALL"},
+						Drop: []corev1.Capability{},
 						Add: []corev1.Capability{
 							"NET_ADMIN",
 							"NET_BIND_SERVICE",
@@ -863,7 +863,7 @@ var _ = Describe("Node rendering tests", func() {
 
 				// hostpath init container should have the correct env and security context.
 				hostPathContainer := rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "hostpath-init")
-				rtest.ExpectEnv(hostPathContainer.Env, "NODE_USER_ID", "999")
+				rtest.ExpectEnv(hostPathContainer.Env, "NODE_USER_ID", "10001")
 				Expect(*hostPathContainer.SecurityContext.RunAsUser).To(Equal(int64(0)))
 
 				// Verify hostpath init container volume mounts.