traefik · faust64 · Jan 14, 2021 · Jan 21, 2021 · Jan 21, 2021 · Jan 21, 2021
diff --git a/traefik/Chart.yaml b/traefik/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: traefik
 description: A Traefik based Kubernetes ingress controller
 type: application
-version: 10.15.0
+version: 10.15.1
 appVersion: 2.6.1
 keywords:
   - traefik

diff --git a/traefik/templates/_helpers.tpl b/traefik/templates/_helpers.tpl
@@ -32,6 +32,30 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Overrides hostNetwork value in container definition, when at least one of the hostPorts exposed mismatches containerPort.
+*/}}
+{{- define "traefik.sethostnet" -}}
+    {{- if .Values.hostNetwork -}}
+        {{- range $name, $config := .Values.ports -}}
+            {{- if $config -}}
+                {{- if $config.hostPort -}}
+                    {{- if ne ($config.hostPort | int) ($config.port | int) -}}
+1
+                    {{- end -}}
+                {{- end -}}
+            {{- end -}}
+        {{- end -}}
+    {{- end -}}
+{{- end -}}
+{{- define "traefik.hostnetwork" -}}
+    {{- if gt (len (include "traefik.sethostnet" .)) 0 -}}
+false
+    {{- else -}}
+{{- .Values.hostNetwork -}}
+    {{- end -}}
+{{- end -}}
+
 {{/*
 The name of the service account to use
 */}}

diff --git a/traefik/templates/_podtemplate.tpl b/traefik/templates/_podtemplate.tpl
@@ -26,7 +26,7 @@
       {{- end }}
       serviceAccountName: {{ include "traefik.serviceAccountName" . }}
       terminationGracePeriodSeconds: {{ default 60 .Values.deployment.terminationGracePeriodSeconds }}
-      hostNetwork: {{ .Values.hostNetwork }}
+      hostNetwork: {{ template "traefik.hostnetwork" . }}
       {{- with .Values.deployment.dnsPolicy }}
       dnsPolicy: {{ . }}
       {{- end }}

diff --git a/traefik/templates/rbac/ingressclass-clusterrole.yaml b/traefik/templates/rbac/ingressclass-clusterrole.yaml
@@ -0,0 +1,22 @@
+{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "traefik.fullname" . }}-{{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "traefik.name" . }}
+    helm.sh/chart: {{ template "traefik.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+rules:
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+{{- end -}}
diff --git a/traefik/templates/rbac/ingressclass-clusterrolebinding.yaml b/traefik/templates/rbac/ingressclass-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "traefik.fullname" . }}-{{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "traefik.name" . }}
+    helm.sh/chart: {{ template "traefik.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "traefik.fullname" . }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "traefik.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/traefik/templates/rbac/podsecuritypolicy.yaml b/traefik/templates/rbac/podsecuritypolicy.yaml
@@ -13,13 +13,17 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
-  privileged: false
-  allowPrivilegeEscalation: false
   requiredDropCapabilities:
     - ALL
 {{- if not .Values.securityContext.runAsNonRoot }}
   allowedCapabilities:
     - NET_BIND_SERVICE
+  allowPrivilegeEscalation: true
+  privileged: true
+{{- else }}
+  allowedCapabilities: []
+  allowPrivilegeEscalation: false
+  privileged: false
 {{- end }}
   hostNetwork: {{ .Values.hostNetwork }}
   hostIPC: false
@@ -65,4 +69,4 @@ spec:
 {{- if .Values.persistence.enabled }}
   - persistentVolumeClaim
 {{- end -}}
-{{- end -}}
+{{- end -}}
diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml
@@ -1,4 +1,5 @@
 {{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
+---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

diff --git a/traefik/templates/rbac/rolebinding.yaml b/traefik/templates/rbac/rolebinding.yaml
@@ -1,4 +1,5 @@
 {{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
+---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

diff --git a/traefik/tests/pod-config_test.yaml b/traefik/tests/pod-config_test.yaml
@@ -217,6 +217,36 @@ tests:
           content:
             key: "RSA"
             operator: "Destructor"
+  - it: should request hostNetwork at Pod level when containerPort equals hostPort
+    set:
+      hostNetwork: true
+      ports:
+        web:
+          expose: true
+          hostPort: 8080
+          port: 8080
+        websecure:
+          expose: true
+          hostPort: 8443
+          port: 8443
+    asserts:
+      - equal:
+          path: spec.template.spec.hostnetwork
+          content: true
+  - it: should not request hostNetwork at Pod level when containerPort mistmatches hostPort
+    set:
+      hostNetwork: true
+      ports:
+        web:
+          port: 8080
+          hostPort: 80
+        websecure:
+          port: 8443
+          hostPort: 443
+    asserts:
+      - equal:
+          path: spec.template.spec.hostnetwork
+          content: false
   - it: should have all k8s provider enabled when gateway provider is enabled
     set:
       experimental:

diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
@@ -8,6 +8,12 @@ tests:
       - isKind:
           of: ClusterRoleBinding
         template: rbac/clusterrolebinding.yaml
+      - hasDocuments:
+          count: 0
+        template: rbac/ingressclass-clusterrole.yaml
+      - hasDocuments:
+          count: 0
+        template: rbac/ingressclass-clusterrolebinding.yaml
       - hasDocuments:
           count: 0
         template: rbac/role.yaml
@@ -40,6 +46,12 @@ tests:
       - hasDocuments:
           count: 0
         template: rbac/clusterrolebinding.yaml
+      - hasDocuments:
+          count: 0
+        template: rbac/ingressclass-clusterrole.yaml
+      - hasDocuments:
+          count: 0
+        template: rbac/ingressclass-clusterrolebinding.yaml
       - hasDocuments:
           count: 0
         template: rbac/role.yaml
@@ -57,6 +69,12 @@ tests:
       - isKind:
           of: RoleBinding
         template: rbac/rolebinding.yaml
+      - isKind:
+          of: ClusterRole
+        template: rbac/ingressclass-clusterrole.yaml
+      - isKind:
+          of: ClusterRoleBinding
+        template: rbac/ingressclass-clusterrolebinding.yaml
       - hasDocuments:
           count: 0
         template: rbac/clusterrole.yaml

diff --git a/traefik/tests/traefik-config_test.yaml b/traefik/tests/traefik-config_test.yaml
@@ -101,16 +101,6 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].args
           content: "--providers.kubernetesingress.ingressendpoint.publishedservice=foo/bar"
-
-  - it: should allow cross namespace services when specified in configuration
-    set:
-        providers:
-          kubernetesCRD:
-            allowCrossNamespace: true
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].args
-          content: "--providers.kubernetescrd.allowCrossNamespace=true"
   - it: should allow external name services when specified in configuration
     set:
         providers:
@@ -208,7 +198,32 @@ tests:
         - equal:
             path: spec.template.spec.containers[0].volumeMounts[3].mountPath
             value: /var/log/traefik
-
+  - it: should set KubernetesCRD allowCrossNamespace
+    set:
+      providers:
+        kubernetesCRD:
+          allowCrossNamespace: true
+          enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--providers.kubernetescrd.allowCrossNamespace=true"
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--providers.kubernetescrd"
+  - it: should disable KubernetesCRD allowCrossNamespace
+    set:
+      providers:
+        kubernetesCRD:
+          allowCrossNamespace: false
+          enabled: true
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--providers.kubernetescrd.allowCrossNamespace=true"
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--providers.kubernetescrd"
   - it: should set custom probe port
     set:
       additionalArguments: