Moving to istio-proxy image (#57)

* Moving to istio-proxy image

* Fix tests

* Adds SPIFFE workload API volume, adds param on privilege escalation

* Add target to build local Docker image

Author: jsnctl

Justfile

@@ -1,3 +1,6 @@
+build tag='local':
+	docker build -t ghcr.io/cofide/spiffe-enable:{{tag}} . 
+
 test *args:
 	go run gotest.tools/gotestsum@latest --format github-actions ./... -short {{args}}
 

internal/proxy/config.go

@@ -8,13 +8,14 @@ import (
 	"text/template"
 
 	"github.com/cofide/spiffe-enable/internal/helper"
+	"github.com/cofide/spiffe-enable/internal/workload"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/utils/ptr"
 )
 
 // Envoy-specific constants
 var (
-	EnvoyImage = "envoyproxy/envoy:v1.33-latest"
+	IstioImage = "docker.io/istio/proxyv2:1.26.4"
 )
 
 const (
@@ -25,7 +26,7 @@ const (
 	EnvoyConfigContentEnvVar     = "ENVOY_CONFIG_CONTENT"
 	EnvoyConfigInitContainerName = "inject-envoy-config"
 	EnvoyPort                    = 10000
-	EnvoyUID                     = 101
+	EnvoyUID                     = 1337
 	DNSProxyPort                 = 15053
 )
 
@@ -241,15 +242,21 @@ func (e *Envoy) GetSidecarContainer() corev1.Container {
 
 	return corev1.Container{
 		Name:            EnvoySidecarContainerName,
-		Image:           EnvoyImage,
+		Image:           IstioImage,
 		ImagePullPolicy: corev1.PullIfNotPresent,
 		Command:         []string{"envoy"},
 		Args:            []string{"-c", configFilePath},
-		VolumeMounts:    []corev1.VolumeMount{{Name: EnvoyConfigVolumeName, MountPath: EnvoyConfigMountPath}},
+		VolumeMounts: []corev1.VolumeMount{
+			{Name: EnvoyConfigVolumeName, MountPath: EnvoyConfigMountPath},
+			workload.GetSPIFFEVolumeMount(),
+		},
 		SecurityContext: &corev1.SecurityContext{
-			RunAsUser:    ptr.To(int64(101)), // # Run as non-root user
-			RunAsGroup:   ptr.To(int64(101)), // # Run as non-root group
-			RunAsNonRoot: ptr.To(true),
+			AllowPrivilegeEscalation: ptr.To(false),
+			RunAsUser:                ptr.To(int64(EnvoyUID)), // # Run as non-root user
+			RunAsGroup:               ptr.To(int64(EnvoyUID)), // # Run as non-root group
+			RunAsNonRoot:             ptr.To(true),
+			Privileged:               ptr.To(false),
+			Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"all"}},
 		},
 		Ports: []corev1.ContainerPort{
 			{

internal/webhook/webhook_test.go

@@ -229,10 +229,10 @@ func TestSpiffeEnableWebhook_Handle(t *testing.T) {
 				for _, c := range mutatedPod.Spec.Containers {
 					if c.Name == proxy.EnvoySidecarContainerName {
 						foundProxySidecar = true
-						assert.Equal(t, proxy.EnvoyImage, c.Image)
+						assert.Equal(t, proxy.IstioImage, c.Image)
 						// Check args, mounts, security context, ports for sidecar
 						require.NotNil(t, c.SecurityContext)
-						assert.Equal(t, ptr.To(int64(101)), c.SecurityContext.RunAsUser)
+						assert.Equal(t, ptr.To(int64(1337)), c.SecurityContext.RunAsUser)
 						assert.Equal(t, ptr.To(true), c.SecurityContext.RunAsNonRoot)
 						require.Len(t, c.Ports, 1)
 						assert.Equal(t, int32(proxy.EnvoyPort), c.Ports[0].ContainerPort)