Add support for runAsUser and runAsGroup for injected sidecar

Signed-off-by: Anton Troshin <anton@diagrid.io>
QaColony · Sep 17, 2024 · 4022ae0 · 4022ae0
1 parent 9bc98db
commit 4022ae0
Show file tree

Hide file tree

Showing 7 changed files with 79 additions and 1 deletion.
diff --git a/charts/dapr/README.md b/charts/dapr/README.md
@@ -217,7 +217,9 @@ The Helm chart has the follow configuration options that can be supplied:
 | `dapr_sidecar_injector.injectorImage.name`                | Docker image name for sidecar injector service (`global.registry/dapr_sidecar_injector.injectorImage.name`)                                                                                                                                                                                                                                                                                                                                                            | `injector`|
 | `dapr_sidecar_injector.webhookFailurePolicy`              | Failure policy for the sidecar injector                                                                                                                                                                                                                                                                                                                                                                                                                                | `Ignore`                |
 | `dapr_sidecar_injector.runAsNonRoot`                      | Boolean value for `securityContext.runAsNonRoot` for the Sidecar Injector container itself. You may have to set this to `false` when running in Minikube                                                                                                                                                                                                                                                                                                               | `true` |
-| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsRoot: true`. You may have to set this to `false` when running Minikube | `true` |
+| `dapr_sidecar_injector.sidecarRunAsNonRoot` | When this boolean value is true (the default), the injected sidecar containers have `runAsNonRoot: true`. You may have to set this to `false` when running Minikube | `true` |
+| `dapr_sidecar_injector.sidecarRunAsUser` | When set and larger than 0, sets the User ID as a `securityContext.runAsUser` value of the injected sidecar container. | `` |
+| `dapr_sidecar_injector.sidecarRunAsGroup` | When set and larger than 0, sets the Group ID as a `securityContext.runAsGroup` value of the injected sidecar container. | `` |
 | `dapr_sidecar_injector.sidecarReadOnlyRootFilesystem` | When this boolean value is true (the default), the injected sidecar containers have `readOnlyRootFilesystem: true` | `true` |
 | `dapr_sidecar_injector.enableK8sDownwardAPIs` | When set to true, uses the Kubernetes downward projection APIs to inject certain environmental variables (such as pod IP) into the daprd container. (default: `false`) | `true` |
 | `dapr_sidecar_injector.sidecarDropALLCapabilities` | When this boolean valus is true, the injected sidecar containers have `securityContext.capabilities.drop: ["ALL"]` | `false` |

diff --git a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
@@ -150,6 +150,14 @@ spec:
         # Configuration for injected sidecars
         - name: SIDECAR_RUN_AS_NON_ROOT
           value: {{ .Values.sidecarRunAsNonRoot | toString | toYaml }}
+{{- if and (.Values.sidecarRunAsUser) (gt .Values.sidecarRunAsUser 0) }}
+        - name: SIDECAR_RUN_AS_USER
+          value: {{ .Values.sidecarRunAsUser | toString | toYaml }}
+{{- end }}
+{{- if and (.Values.sidecarRunAsGroup) (gt .Values.sidecarRunAsGroup 0) }}
+        - name: SIDECAR_RUN_AS_GROUP
+          value: {{ .Values.sidecarRunAsGroup | toString | toYaml }}
+{{- end }}
         - name: ENABLE_K8S_DOWNWARD_APIS
           value: {{ .Values.enableK8sDownwardAPIs | toString | toYaml }}
         - name: SIDECAR_DROP_ALL_CAPABILITIES

diff --git a/pkg/injector/patcher/sidecar.go b/pkg/injector/patcher/sidecar.go
@@ -43,6 +43,8 @@ type SidecarConfig struct {
 	OperatorAddress             string
 	SentryAddress               string
 	RunAsNonRoot                bool
+	RunAsUser                   *int64
+	RunAsGroup                  *int64
 	EnableK8sDownwardAPIs       bool
 	ReadOnlyRootFilesystem      bool
 	SidecarDropALLCapabilities  bool

diff --git a/pkg/injector/patcher/sidecar_container.go b/pkg/injector/patcher/sidecar_container.go
@@ -212,6 +212,8 @@ func (c *SidecarConfig) getSidecarContainer(opts getSidecarContainerOpts) (*core
 	securityContext := &corev1.SecurityContext{
 		AllowPrivilegeEscalation: ptr.Of(false),
 		RunAsNonRoot:             ptr.Of(c.RunAsNonRoot),
+		RunAsUser:                c.RunAsUser,
+		RunAsGroup:               c.RunAsGroup,
 		ReadOnlyRootFilesystem:   ptr.Of(c.ReadOnlyRootFilesystem),
 	}
 	if c.SidecarSeccompProfileType != "" {
@@ -339,6 +341,10 @@ func (c *SidecarConfig) getSidecarContainer(opts getSidecarContainerOpts) (*core
 			// However certain security scanner may complain about this.
 			container.SecurityContext.RunAsNonRoot = ptr.Of(false)
 			container.SecurityContext.ReadOnlyRootFilesystem = ptr.Of(false)
+
+			// Set RunAsUser and RunAsGroup to default nil to avoid the error when specific user or group is set previously via helm chart.
+			container.SecurityContext.RunAsUser = nil
+			container.SecurityContext.RunAsGroup = nil
 			break
 		}
 	}

diff --git a/pkg/injector/service/config.go b/pkg/injector/service/config.go
@@ -16,6 +16,7 @@ package service
 import (
 	"encoding/json"
 	"fmt"
+	"strconv"
 
 	"github.com/kelseyhightower/envconfig"
 	corev1 "k8s.io/api/core/v1"
@@ -40,6 +41,8 @@ type Config struct {
 	RemindersServiceName              string `envconfig:"REMINDERS_SERVICE_NAME"`
 	RemindersServiceAddress           string `envconfig:"REMINDERS_SERVICE_ADDRESS"`
 	RunAsNonRoot                      string `envconfig:"SIDECAR_RUN_AS_NON_ROOT"`
+	RunAsUser                         string `envconfig:"SIDECAR_RUN_AS_USER"`
+	RunAsGroup                        string `envconfig:"SIDECAR_RUN_AS_GROUP"`
 	ReadOnlyRootFilesystem            string `envconfig:"SIDECAR_READ_ONLY_ROOT_FILESYSTEM"`
 	EnableK8sDownwardAPIs             string `envconfig:"ENABLE_K8S_DOWNWARD_APIS"`
 	SidecarDropALLCapabilities        string `envconfig:"SIDECAR_DROP_ALL_CAPABILITIES"`
@@ -56,6 +59,8 @@ type Config struct {
 	parsedEnableK8sDownwardAPIs      bool
 	parsedSidecarDropALLCapabilities bool
 	parsedEntrypointTolerations      []corev1.Toleration
+	parsedRunAsUser                  *int64
+	parsedRunAsGroup                 *int64
 }
 
 // NewConfigWithDefaults returns a Config object with default values already
@@ -119,6 +124,14 @@ func (c Config) GetRunAsNonRoot() bool {
 	return c.parsedRunAsNonRoot
 }
 
+func (c Config) GetRunAsUser() *int64 {
+	return c.parsedRunAsUser
+}
+
+func (c Config) GetRunAsGroup() *int64 {
+	return c.parsedRunAsGroup
+}
+
 func (c Config) GetReadOnlyRootFilesystem() bool {
 	return c.parsedReadOnlyRootFilesystem
 }
@@ -178,6 +191,10 @@ func (c *Config) parse() (err error) {
 	c.parsedEnableK8sDownwardAPIs = kitutils.IsTruthy(c.EnableK8sDownwardAPIs)
 	c.parsedSidecarDropALLCapabilities = kitutils.IsTruthy(c.SidecarDropALLCapabilities)
 
+	// Parse the runAsUser and runAsGroup
+	c.parsedRunAsUser = parseStringToInt64Pointer(c.RunAsUser)
+	c.parsedRunAsGroup = parseStringToInt64Pointer(c.RunAsGroup)
+
 	return nil
 }
 
@@ -204,3 +221,16 @@ func isTruthyDefaultTrue(val string) bool {
 	}
 	return kitutils.IsTruthy(val)
 }
+
+func parseStringToInt64Pointer(intStr string) *int64 {
+	if intStr == "" {
+		return nil
+	}
+	i, err := strconv.Atoi(intStr)
+	if err != nil {
+		log.Warnf("couldn't parse %s to int: %v", intStr, err)
+		return nil
+	}
+	i64 := int64(i)
+	return &i64
+}
diff --git a/pkg/injector/service/config_test.go b/pkg/injector/service/config_test.go
@@ -16,6 +16,7 @@ package service
 import (
 	"testing"
 
+	"github.com/dapr/kit/ptr"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
@@ -90,6 +91,33 @@ func TestGetInjectorConfig(t *testing.T) {
 		require.NoError(t, err)
 		assert.False(t, cfg.GetRunAsNonRoot())
 		assert.False(t, cfg.GetReadOnlyRootFilesystem())
+
+		// Set to default
+		t.Setenv("SIDECAR_RUN_AS_USER", "")
+		t.Setenv("SIDECAR_RUN_AS_GROUP", "")
+
+		cfg, err = GetConfig()
+		require.NoError(t, err)
+		assert.Nil(t, cfg.GetRunAsUser())
+		assert.Nil(t, cfg.GetRunAsGroup())
+
+		// Set to specific value
+		t.Setenv("SIDECAR_RUN_AS_USER", "1000")
+		t.Setenv("SIDECAR_RUN_AS_GROUP", "3000")
+
+		cfg, err = GetConfig()
+		require.NoError(t, err)
+		assert.Equal(t, ptr.Of(int64(1000)), cfg.GetRunAsUser())
+		assert.Equal(t, ptr.Of(int64(3000)), cfg.GetRunAsGroup())
+
+		// Set to invalid value
+		t.Setenv("SIDECAR_RUN_AS_USER", "invalid")
+		t.Setenv("SIDECAR_RUN_AS_GROUP", "invalid")
+
+		cfg, err = GetConfig()
+		require.NoError(t, err)
+		assert.Nil(t, cfg.GetRunAsUser())
+		assert.Nil(t, cfg.GetRunAsGroup())
 	})
 }
 

diff --git a/pkg/injector/service/pod_patch.go b/pkg/injector/service/pod_patch.go
@@ -69,6 +69,8 @@ func (i *injector) getPodPatchOperations(ctx context.Context, ar *admissionv1.Ad
 	sidecar.OperatorAddress = operatorAddress
 	sidecar.SentryAddress = sentryAddress
 	sidecar.RunAsNonRoot = i.config.GetRunAsNonRoot()
+	sidecar.RunAsUser = i.config.GetRunAsUser()
+	sidecar.RunAsGroup = i.config.GetRunAsGroup()
 	sidecar.ReadOnlyRootFilesystem = i.config.GetReadOnlyRootFilesystem()
 	sidecar.EnableK8sDownwardAPIs = i.config.GetEnableK8sDownwardAPIs()
 	sidecar.SidecarDropALLCapabilities = i.config.GetDropCapabilities()