[wip] run dnsmasq not as root

Signed-off-by: Martin Schuppert <[email protected]>
stuggi · Oct 22, 2024 · 01932c6 · 01932c6
1 parent 6534d49
commit 01932c6
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 14 deletions.
diff --git a/controllers/network/dnsmasq_controller.go b/controllers/network/dnsmasq_controller.go
@@ -25,6 +25,7 @@ import (
 
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -375,10 +376,13 @@ func (r *DNSMasqReconciler) reconcileNormal(ctx context.Context, instance *netwo
 			Namespace: instance.Namespace,
 			Labels:    serviceLabels,
 			Selector:  serviceLabels,
-			Port: service.GenericServicePort{
-				Name:     dnsmasq.ServiceName,
-				Port:     dnsmasq.DNSPort,
-				Protocol: corev1.ProtocolUDP,
+			Ports: []corev1.ServicePort{
+				{
+					Name:       dnsmasq.ServiceName,
+					Protocol:   corev1.ProtocolUDP,
+					Port:       dnsmasq.DNSPort,
+					TargetPort: intstr.IntOrString{Type: intstr.Int, IntVal: dnsmasq.DNSTargetPort},
+				},
 			},
 		}),
 		5,

diff --git a/pkg/dnsmasq/const.go b/pkg/dnsmasq/const.go
@@ -21,4 +21,6 @@ const (
 
 	// DNSPort -
 	DNSPort int32 = 53
+	// DNSTargetPort - port used the service is listening on in the pod
+	DNSTargetPort int32 = 5353
 )
diff --git a/pkg/dnsmasq/deployment.go b/pkg/dnsmasq/deployment.go
@@ -45,7 +45,7 @@ func Deployment(
 	annotations map[string]string,
 	cms *corev1.ConfigMapList,
 ) *appsv1.Deployment {
-	runAsUser := int64(0)
+	//runAsUser := int64(0)
 	terminationGracePeriodSeconds := int64(10)
 
 	livenessProbe := &corev1.Probe{
@@ -73,7 +73,7 @@ func Deployment(
 	dnsmasqCmd = append(dnsmasqCmd, "--log-debug")
 	dnsmasqCmd = append(dnsmasqCmd, "--bind-interfaces")
 	dnsmasqCmd = append(dnsmasqCmd, "--listen-address=$(POD_IP)")
-	dnsmasqCmd = append(dnsmasqCmd, "--port "+strconv.Itoa(int(DNSPort)))
+	dnsmasqCmd = append(dnsmasqCmd, "--port "+strconv.Itoa(int(DNSTargetPort)))
 	// log to stdout
 	dnsmasqCmd = append(dnsmasqCmd, "--log-facility=-")
 	// dns
@@ -94,10 +94,10 @@ func Deployment(
 	// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
 	//
 	livenessProbe.TCPSocket = &corev1.TCPSocketAction{
-		Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(DNSPort)},
+		Port: intstr.IntOrString{Type: intstr.Int, IntVal: DNSTargetPort},
 	}
 	readinessProbe.TCPSocket = &corev1.TCPSocketAction{
-		Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(DNSPort)},
+		Port: intstr.IntOrString{Type: intstr.Int, IntVal: DNSTargetPort},
 	}
 
 	envVars := map[string]env.Setter{}
@@ -128,9 +128,9 @@ func Deployment(
 							Command: command,
 							Args:    initArgs,
 							Image:   instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
+							//SecurityContext: &corev1.SecurityContext{
+							//	RunAsUser: &runAsUser,
+							//},
 							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts: getVolumeMounts(instance.Name, cms),
 						},
@@ -141,9 +141,9 @@ func Deployment(
 							Command: command,
 							Args:    args,
 							Image:   instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
+							//SecurityContext: &corev1.SecurityContext{
+							//	RunAsUser: &runAsUser,
+							//},
 							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts:   getVolumeMounts(instance.Name, cms),
 							ReadinessProbe: readinessProbe,