envoy: add support to bind to privileged ports #32158

Merged

Commits on Apr 25, 2024

  1. envoy: update to latest version

    This commit updates Envoy (Cilium Proxy) to the latest version from
    (`cilium/proxy` - `main`) that includes support to keep the capability
    `NET_BIND_SERVICE`.
    
    Relates to: cilium/proxy#650
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter committed Apr 25, 2024
    a317b0c
  2. envoy: add support to bind to privileged ports

    Currently, the Envoy process of the Cilium Proxy doesn't have the
    capabilities to bind to privileged ports. Even if the respective capabilities
    would be configured in the Pod's SecurityContext, the `cilium-envoy-starter` would
    drop all capabilities before starting the Envoy process.
    
    This commit adds support for binding to privileged ports by introducing a new Helm
    value `envoy.securityContext.capabilities.keepCapNetBindService` (`bool` - defaults to `false`).
    
    If set to `true`, the `cilium-envoy-starter` keeps the capability `NET_BIND_SERVICE` when starting
    the Envoy process. This way, it's possible to bind to privileged ports.
    
    Note: It's still required to add the capability `NET_BIND_SERVICE` to the respective container
    
    * daemonset mode: `envoy.securityContext.capabilities.envoy`
    * embedded mode: `securityContext.capabilities.ciliumAgent`
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter committed Apr 25, 2024
    1db5f40
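A check an operator could run after toggling `keepCapNetBindService`, added here as an example and not taken from the Cilium or cilium/proxy code: it decodes the capability masks in the Envoy process's `/proc/<pid>/status` and reports whether `NET_BIND_SERVICE` (bit 10 in `linux/capability.h`) is effective and whether anything else survived the starter's drop. The function names and the sample status text are constructed for illustration, and the expectation that the effective set is either empty or only bit 10 is an assumption derived from the commit message above.

```python
import re
import sys

CAP_NET_BIND_SERVICE = 10  # bit index defined in linux/capability.h


def sample_status(mask):
    """Constructed /proc/<pid>/status excerpt (not captured from a real node)."""
    return "Name:\tcilium-envoy\nCapPrm:\t%016x\nCapEff:\t%016x\n" % (mask, mask)


def parse_caps(status_text):
    """Return the Cap* hex masks from a /proc/<pid>/status dump as integers."""
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}


def audit_envoy_caps(status_text):
    """Check the effective set against the 'drop all, optionally keep one' model."""
    caps = parse_caps(status_text)
    if "CapEff" not in caps:
        raise ValueError("no CapEff line found in status text")
    eff = caps["CapEff"]
    return {
        # True only when the process may bind ports below 1024.
        "can_bind_privileged": bool((eff >> CAP_NET_BIND_SERVICE) & 1),
        # Any other effective bit means the drop did not happen as described.
        "unexpected_bits": [b for b in range(64)
                            if (eff >> b) & 1 and b != CAP_NET_BIND_SERVICE],
    }


if __name__ == "__main__":
    # Usage on a node: python3 check_caps.py <envoy-pid>
    if len(sys.argv) == 2:
        with open("/proc/%s/status" % sys.argv[1]) as fh:
            print(audit_envoy_caps(fh.read()))
    else:
        for mask in (0x0, 0x400, 0x201400):  # dropped, kept, over-privileged
            print(hex(mask), audit_envoy_caps(sample_status(mask)))
```

A non-empty `unexpected_bits` list (for example bits 12 and 21, `NET_ADMIN` and `SYS_ADMIN`) indicates the Envoy process is running with more than the single capability this change is meant to retain.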