[NET-9932] Always add NET_BIND_SERVICE capability to injected sidecar container #4066
Changes proposed in this PR

Consul-dataplane always requires the `NET_BIND_SERVICE` capability (docs). This is explicitly allowed under the `restricted-v2` SecurityContextConstraints (SCC) that ships with OpenShift 4.11+; however, the container needs to request the capability in order for it to be granted. This change does that.

How I've tested this PR

Worked w/ @natemollica-nm to verify that this fix allows the application sidecar running the `consul-dataplane` image to spin up successfully under the `restricted-v2` SCC, where it would have previously logged the following error on startup.

Application sidecars should now be fully functional on OpenShift without creating a custom SCC.

The `Pod` containing the injected sidecar should get an annotation from OpenShift indicating that it's using the `restricted-v2` SCC.

How I expect reviewers to test this PR

See above
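A check reviewers could run over the injected sidecar's container spec, added here as an example (not consul-k8s or consul-dataplane code): it flags a sidecar that does not request NET_BIND_SERVICE, and one that steps outside the restricted-v2 capability rules. The restricted-v2 rules it encodes (add only NET_BIND_SERVICE, drop ALL, no privilege escalation) are my summary of that SCC, not taken from the PR, and the container specs are constructed.

```python
# Added example (not consul-k8s code): check an injected sidecar container spec
# for the NET_BIND_SERVICE request the PR adds, and for the capability rules of
# the restricted-v2 SCC as summarised here (an assumption, not taken from the PR).

# restricted-v2 lets a container add only NET_BIND_SERVICE and requires drop: [ALL].
RESTRICTED_V2_ALLOWED_ADD = {"NET_BIND_SERVICE"}


def sidecar_problems(container: dict) -> list:
    """Return reasons the sidecar would fail to start or be rejected by the SCC."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    added = set(caps.get("add") or [])
    dropped = set(caps.get("drop") or [])
    problems = []
    # The SCC only grants what the container explicitly requests.
    if "NET_BIND_SERVICE" not in added:
        problems.append("NET_BIND_SERVICE not requested: sidecar cannot bind low ports")
    extra = sorted(added - RESTRICTED_V2_ALLOWED_ADD)
    if extra:
        problems.append(f"capabilities not allowed by restricted-v2: {extra}")
    if "ALL" not in dropped:
        problems.append("restricted-v2 requires capabilities.drop: [ALL]")
    if sc.get("allowPrivilegeEscalation") is True:
        problems.append("allowPrivilegeEscalation must not be true")
    return problems


# Constructed sidecar specs: the old injected container and the fixed one.
SIDECAR_BEFORE = {
    "name": "consul-dataplane",
    "image": "hashicorp/consul-dataplane",
    "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
    },
}
SIDECAR_AFTER = {
    **SIDECAR_BEFORE,
    "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
    },
}

if __name__ == "__main__":
    for label, spec in (("before", SIDECAR_BEFORE), ("after", SIDECAR_AFTER)):
        print(label, sidecar_problems(spec) or "ok")
```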