This repository was archived by the owner on Jul 11, 2023. It is now read-only.

Don't allow envoy sidecar privilege escalation #4860

keithmattix
Contributor

Signed-off-by: Keith Mattix II <keithmattix2@gmail.com>

Description:
Fixes #4850

Testing done:
Added unit test for envoy sidecar OS specific components

Affected area:

Functional Area
Security [X]
Sidecar Injection [X]

Please answer the following questions with yes/no.

  1. Does this change contain code from or inspired by another project? no
    • Did you notify the maintainers and provide attribution? N/A
  2. Is this a breaking change? no
  3. Has documentation corresponding to this change been updated in the osm-docs repo (if applicable)? no

Signed-off-by: Keith Mattix II <keithmattix2@gmail.com>
@keithmattix keithmattix marked this pull request as ready for review June 29, 2022 20:27
@codecov-commenter

Codecov Report

Merging #4860 (1a98758) into main (bb007fd) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##             main    #4860   +/-   ##
=======================================
  Coverage   67.76%   67.76%           
=======================================
  Files         219      219           
  Lines       16051    16052    +1     
=======================================
+ Hits        10877    10878    +1     
  Misses       5121     5121           
  Partials       53       53           
Flag Coverage Δ
unittests 67.76% <100.00%> (+<0.01%) ⬆️

Impacted Files Coverage Δ
pkg/injector/envoy_container.go 100.00% <100.00%> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Contributor

@trstringer trstringer left a comment

Approved, but agree with @shalier's requested change.

Co-authored-by: Shalier Xia <69616256+shalier@users.noreply.github.com>
Signed-off-by: Keith Mattix II <keithmattix2@gmail.com>
@keithmattix keithmattix force-pushed the set-allowPrivilegeEscalation-to-false branch from bdd2b13 to 910a620 Compare June 29, 2022 21:38
@trstringer trstringer merged commit 80de3bb into openservicemesh:main Jun 29, 2022
@keithmattix keithmattix deleted the set-allowPrivilegeEscalation-to-false branch June 29, 2022 23:14
Successfully merging this pull request may close these issues.

Disallow privilege escalation on envoy sidecar