Also check for allowPrivilegeEscalation

The Ambassador container needs both the NET_BIND_SERVICE capability and also securityContext.allowPrivilegeEscalation to be enabled, so updating the init script to check for both. It checks to make sure it's not disabled (love these double negatives) so that if we're on a non docker runtime it won't get tripped up.
emissary-ingress · Jun 29, 2020 · a20b8a6 · a20b8a6
1 parent 532df70
commit a20b8a6
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/python/entrypoint.sh b/python/entrypoint.sh
@@ -347,8 +347,10 @@ kick_ads() {
         if [ -z "${pids[envoy]}" ]; then
             # Envoy isn't running. Start it.
             # First check to see if this process has the capability to bind to a low port, if so it can run Envoy through a wrapper to grant the same
-            capsh --decode=$(awk '/CapInh/ { print $2}' /proc/$$/status) | grep -q cap_net_bind_service
-            if [ $? -eq 0 ]; then
+            # To bind to the low port it can't have privilege escalation revoked, and needs the NET_BIND_SERVICE capability
+            nonewprivs=$(awk '/NoNewPrivs/ { print $2 }' /proc/$$/status)
+            capsh --decode=$(awk '/CapInh/ { print $2 }' /proc/$$/status) | grep -q cap_net_bind_service
+            if [ $? -eq 0 -a "X$nonewprivs" != "X1" ]; then
               log "cap_net_bind_service is supported, launching Envoy through a wrapper"
               launch "envoy-wrapper" wrapper "${envoy_flags[@]}"
             else