feat: add group ID option (#319)

This adds the option to set the group ID via command line and via annotation

Signed-off-by: Nico Feulner <[email protected]>

cni-plugin/deployment/linkerd-cni.conf.default

@@ -14,6 +14,7 @@
         "incoming-proxy-port": 4143,
         "outgoing-proxy-port": 4140,
         "proxy-uid": 2102,
+        "proxy-gid": 2102,
         "ports-to-redirect": [],
         "inbound-ports-to-ignore": [],
         "outbound-ports-to-ignore": [],

cni-plugin/integration/manifests/calico/linkerd-cni.yaml

@@ -77,6 +77,7 @@ data:
         "incoming-proxy-port": 4143,
         "outgoing-proxy-port": 4140,
         "proxy-uid": 2102,
+        "proxy-gid": 2102,
         "ports-to-redirect": [],
         "inbound-ports-to-ignore": ["4191","4190"],
         "simulate": false,

cni-plugin/integration/manifests/cilium/linkerd-cni.yaml

@@ -77,6 +77,7 @@ data:
         "incoming-proxy-port": 4143,
         "outgoing-proxy-port": 4140,
         "proxy-uid": 2102,
+        "proxy-gid": 2102,
         "ports-to-redirect": [],
         "inbound-ports-to-ignore": ["4191","4190"],
         "simulate": false,

cni-plugin/integration/manifests/flannel/linkerd-cni.yaml

@@ -81,6 +81,7 @@ data:
         "incoming-proxy-port": 4143,
         "outgoing-proxy-port": 4140,
         "proxy-uid": 2102,
+        "proxy-gid": 2102,
         "ports-to-redirect": [],
         "inbound-ports-to-ignore": ["4191","4190"],
         "simulate": false,

cni-plugin/integration/testutil/test_util.go

@@ -46,6 +46,7 @@ type ProxyInit struct {
 	IncomingProxyPort     int      `json:"incoming-proxy-port"`
 	OutgoingProxyPort     int      `json:"outgoing-proxy-port"`
 	ProxyUID              int      `json:"proxy-uid"`
+	ProxyGID              int      `json:"proxy-gid"`
 	PortsToRedirect       []int    `json:"ports-to-redirect"`
 	InboundPortsToIgnore  []string `json:"inbound-ports-to-ignore"`
 	OutboundPortsToIgnore []string `json:"outbound-ports-to-ignore"`
@@ -73,6 +74,7 @@ type LinkerdPlugin struct {
 //	   "incoming-proxy-port": 4143,
 //	   "outgoing-proxy-port": 4140,
 //	   "proxy-uid": 2102,
+//	   "proxy-gid": 2102,
 //	   "ports-to-redirect": [],
 //	   "inbound-ports-to-ignore": ["4191","4190"],
 //	   "simulate": false,
@@ -113,6 +115,11 @@ func checkLinkerdCniConf(plugin map[string]any) error {
 		return fmt.Errorf("proxy-uid has wrong value, expected: %v, found: %v", 2102, proxyUID)
 	}
 
+	proxyGID := proxyInit.ProxyGID
+	if proxyGID != 2102 {
+		return fmt.Errorf("proxy-gid has wrong value, expected: %v, found: %v", 2102, proxyUID)
+	}
+
 	simulate := proxyInit.Simulate
 	if simulate {
 		return fmt.Errorf("simulate has wrong value, expected: %v, found: %v", false, simulate)

cni-plugin/main.go

@@ -46,6 +46,7 @@ type ProxyInit struct {
 	IncomingProxyPort     int      `json:"incoming-proxy-port"`
 	OutgoingProxyPort     int      `json:"outgoing-proxy-port"`
 	ProxyUID              int      `json:"proxy-uid"`
+	ProxyGID              int      `json:"proxy-gid"`
 	PortsToRedirect       []int    `json:"ports-to-redirect"`
 	InboundPortsToIgnore  []string `json:"inbound-ports-to-ignore"`
 	OutboundPortsToIgnore []string `json:"outbound-ports-to-ignore"`
@@ -214,6 +215,7 @@ func cmdAdd(args *skel.CmdArgs) error {
 				IncomingProxyPort:     conf.ProxyInit.IncomingProxyPort,
 				OutgoingProxyPort:     conf.ProxyInit.OutgoingProxyPort,
 				ProxyUserID:           conf.ProxyInit.ProxyUID,
+				ProxyGroupID:          conf.ProxyInit.ProxyGID,
 				PortsToRedirect:       conf.ProxyInit.PortsToRedirect,
 				InboundPortsToIgnore:  conf.ProxyInit.InboundPortsToIgnore,
 				OutboundPortsToIgnore: conf.ProxyInit.OutboundPortsToIgnore,
@@ -279,6 +281,25 @@ func cmdAdd(args *skel.CmdArgs) error {
 				options.ProxyUserID = parsed
 			}
 
+			// Override ProxyGID from annotations.
+			proxyGIDOverride, err := getAnnotationOverride(ctx, client, pod, "config.linkerd.io/proxy-gid")
+			if err != nil {
+				logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %s", err)
+				return err
+			}
+
+			if proxyGIDOverride != "" {
+				logEntry.Debugf("linkerd-cni: overriding ProxyGID to %s", proxyGIDOverride)
+
+				parsed, err := strconv.Atoi(proxyGIDOverride)
+				if err != nil {
+					logEntry.Errorf("linkerd-cni: could not parse ProxyGID to integer: %s", err)
+					return err
+				}
+
+				options.ProxyGroupID = parsed
+			}
+
 			if pod.GetLabels()["linkerd.io/control-plane-component"] != "" {
 				// Skip k8s api server ports on the outbound side if pod is a
 				// control plane component

pkg/iptables/iptables.go

@@ -53,6 +53,7 @@ type FirewallConfiguration struct {
 	ProxyInboundPort       int
 	ProxyOutgoingPort      int
 	ProxyUID               int
+	ProxyGID               int
 	SimulateOnly           bool
 	NetNs                  string
 	UseWaitFlag            bool
@@ -184,6 +185,11 @@ func (fc FirewallConfiguration) addOutgoingTrafficRules(existingRules []byte, co
 		commands = append(commands, fc.makeIgnoreUserID(outputChainName, fc.ProxyUID, "ignore-proxy-user-id"))
 	}
 
+	// Ignore traffic from the proxy
+	if fc.ProxyGID > 0 {
+		commands = append(commands, fc.makeIgnoreGroupID(outputChainName, fc.ProxyGID, "ignore-proxy-group-id"))
+	}
+
 	// Ignore loopback
 	commands = append(commands, fc.makeIgnoreLoopback(outputChainName, "ignore-loopback"))
 	// Ignore ports
@@ -331,6 +337,17 @@ func (fc FirewallConfiguration) makeIgnoreUserID(chainName string, uid int, comm
 		"--comment", formatComment(comment))
 }
 
+func (fc FirewallConfiguration) makeIgnoreGroupID(chainName string, gid int, comment string) *exec.Cmd {
+	return exec.Command(fc.BinPath,
+		"-t", "nat",
+		"-A", chainName,
+		"-m", "owner",
+		"--gid-owner", strconv.Itoa(gid),
+		"-j", "RETURN",
+		"-m", "comment",
+		"--comment", formatComment(comment))
+}
+
 func (fc FirewallConfiguration) makeFlushChain(name string) *exec.Cmd {
 	return exec.Command(fc.BinPath,
 		"-t", "nat",

proxy-init/cmd/root.go

@@ -34,6 +34,7 @@ type RootOptions struct {
 	IncomingProxyPort     int
 	OutgoingProxyPort     int
 	ProxyUserID           int
+	ProxyGroupID          int
 	PortsToRedirect       []int
 	InboundPortsToIgnore  []string
 	OutboundPortsToIgnore []string
@@ -55,6 +56,7 @@ func newRootOptions() *RootOptions {
 		IncomingProxyPort:     -1,
 		OutgoingProxyPort:     -1,
 		ProxyUserID:           -1,
+		ProxyGroupID:          -1,
 		PortsToRedirect:       make([]int, 0),
 		InboundPortsToIgnore:  make([]string, 0),
 		OutboundPortsToIgnore: make([]string, 0),
@@ -134,6 +136,7 @@ func NewRootCmd() *cobra.Command {
 	cmd.PersistentFlags().IntVarP(&options.IncomingProxyPort, "incoming-proxy-port", "p", options.IncomingProxyPort, "Port to redirect incoming traffic")
 	cmd.PersistentFlags().IntVarP(&options.OutgoingProxyPort, "outgoing-proxy-port", "o", options.OutgoingProxyPort, "Port to redirect outgoing traffic")
 	cmd.PersistentFlags().IntVarP(&options.ProxyUserID, "proxy-uid", "u", options.ProxyUserID, "User ID that the proxy is running under. Any traffic coming from this user will be ignored to avoid infinite redirection loops.")
+	cmd.PersistentFlags().IntVarP(&options.ProxyGroupID, "proxy-gid", "g", options.ProxyGroupID, "Group ID that the proxy is running under. Any traffic coming from this group will be ignored to avoid infinite redirection loops.")
 	cmd.PersistentFlags().IntSliceVarP(&options.PortsToRedirect, "ports-to-redirect", "r", options.PortsToRedirect, "Port to redirect to proxy, if no port is specified then ALL ports are redirected")
 	cmd.PersistentFlags().StringSliceVar(&options.InboundPortsToIgnore, "inbound-ports-to-ignore", options.InboundPortsToIgnore, "Inbound ports and/or port ranges (inclusive) to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
 	cmd.PersistentFlags().StringSliceVar(&options.OutboundPortsToIgnore, "outbound-ports-to-ignore", options.OutboundPortsToIgnore, "Outbound ports and/or port ranges (inclusive) to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
@@ -195,6 +198,7 @@ func BuildFirewallConfiguration(options *RootOptions) (*iptables.FirewallConfigu
 		ProxyInboundPort:       options.IncomingProxyPort,
 		ProxyOutgoingPort:      options.OutgoingProxyPort,
 		ProxyUID:               options.ProxyUserID,
+		ProxyGID:               options.ProxyGroupID,
 		PortsToRedirectInbound: options.PortsToRedirect,
 		InboundPortsToIgnore:   options.InboundPortsToIgnore,
 		OutboundPortsToIgnore:  options.OutboundPortsToIgnore,

proxy-init/cmd/root_test.go

@@ -12,6 +12,7 @@ func TestBuildFirewallConfiguration(t *testing.T) {
 		expectedIncomingProxyPort := 1234
 		expectedOutgoingProxyPort := 2345
 		expectedProxyUserID := 33
+		expectedProxyGroupID := 33
 		expectedConfig := &iptables.FirewallConfiguration{
 			Mode:                   iptables.RedirectAllMode,
 			PortsToRedirectInbound: make([]int, 0),
@@ -21,6 +22,7 @@ func TestBuildFirewallConfiguration(t *testing.T) {
 			ProxyInboundPort:       expectedIncomingProxyPort,
 			ProxyOutgoingPort:      expectedOutgoingProxyPort,
 			ProxyUID:               expectedProxyUserID,
+			ProxyGID:               expectedProxyGroupID,
 			SimulateOnly:           false,
 			UseWaitFlag:            false,
 			BinPath:                "iptables-legacy",
@@ -32,6 +34,7 @@ func TestBuildFirewallConfiguration(t *testing.T) {
 		options.OutgoingProxyPort = expectedOutgoingProxyPort
 		options.ProxyUserID = expectedProxyUserID
 		options.IPv6 = false
+		options.ProxyGroupID = expectedProxyGroupID
 
 		config, err := BuildFirewallConfiguration(options)
 		if err != nil {

proxy-init/integration/iptables/iptablestest-lab.yaml

@@ -73,7 +73,7 @@ spec:
   - name: iptables-test
     image: test.l5d.io/linkerd/proxy-init:test
     imagePullPolicy: Never
-    args: ["-p", "8080",  "-o", "8080", "-u", "2102"]
+    args: ["-p", "8080",  "-o", "8080", "-u", "2102", "-g", "2102"]
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
@@ -90,7 +90,7 @@ spec:
   - name: linkerd-init
     image: test.l5d.io/linkerd/proxy-init:test
     imagePullPolicy: Never
-    args: ["-p", "8080",  "-o", "8080", "-u", "2102"]
+    args: ["-p", "8080",  "-o", "8080", "-u", "2102", "-g", "2102"]
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
@@ -144,7 +144,7 @@ spec:
   - name: linkerd-init
     image: test.l5d.io/linkerd/proxy-init:test
     imagePullPolicy: Never
-    args: ["-p", "8080",  "-o", "8080", "-u", "2102"]
+    args: ["-p", "8080",  "-o", "8080", "-u", "2102", "-g", "2102"]
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
@@ -201,7 +201,7 @@ spec:
   - name: linkerd-init
     image: test.l5d.io/linkerd/proxy-init:test
     imagePullPolicy: Never
-    args: ["-p", "8080",  "-o", "8080", "-u", "2102", "-r", "9090", "-r", "9099"]
+    args: ["-p", "8080",  "-o", "8080", "-u", "2102", "-g", "2102", "-r", "9090", "-r", "9099"]
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
@@ -264,7 +264,7 @@ spec:
   - name: linkerd-init
     image: test.l5d.io/linkerd/proxy-init:test
     imagePullPolicy: Never
-    args: ["-p", "8080",  "-o", "8080", "-u", "2102", "--inbound-ports-to-ignore", "6000-8000"]
+    args: ["-p", "8080",  "-o", "8080", "-u", "2102", "-g", "2102", "--inbound-ports-to-ignore", "6000-8000"]
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
@@ -318,7 +318,7 @@ spec:
   - name: linkerd-init
     image: test.l5d.io/linkerd/proxy-init:test
     imagePullPolicy: Never
-    args: ["-p", "8080",  "-o", "8080", "-u", "2102", "--subnets-to-ignore", "0.0.0.0/0"]
+    args: ["-p", "8080",  "-o", "8080", "-u", "2102", "-g", "2102", "--subnets-to-ignore", "0.0.0.0/0"]
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: