
Resolving ticket #567, set default runAsUser=0 to init proxy container #576


Conversation

EdwardXF

Issue #, if available:
When a pod has a podSecurityContext that defines a default runAsUser other than 0, the proxyinit initContainers fail with the following error message:

Fatal: can't open lock file /run/xtables.lock: Permission denied

Description of changes:
Added a default runAsUser value in proxy.go and loaded it into the init proxy container's security context in init_proxy.go. Changed the unit tests accordingly.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@@ -8,6 +8,7 @@ import (
)

const (
defaultRunAsUser = 0
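Review bot: `defaultRunAsUser = 0` hard-codes root in the `const` block with no comment on why the init container needs it; add a comment stating the reason given in the PR description (iptables cannot open /run/xtables.lock as a non-root user) so a reader does not have to reopen #567, and since the discussion shows this value is only consumed by initProxyMutator, consider whether the constant belongs next to the proxy settings or with the init container code.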
Contributor

Why does proxy need to run as root?

Author

Although this is defined in proxy.go, the proxy config is only used in initProxyMutator and cniProxyMutator, and in cniProxyMutator this field is not used, so runAsUser is not set there.

@@ -51,6 +51,7 @@ const proxyInitContainerTemplate = `
`

type InitContainerTemplateVariables struct {
RunAsUser int64
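Review bot: `RunAsUser int64` is added to InitContainerTemplateVariables, but according to the reply below the value is not rendered through the template because the JSON conversion would turn it into a string and it is set on the config instead; either wire the field into the template's securityContext as an unquoted number so it is actually used, or drop it so the struct does not carry a variable nothing reads.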
Contributor

Add this value in the securityContext above.

Author

The controller takes the template and converts it to a JSON string; no matter what type is declared here, it becomes a string when calling the json.Unmarshal function, and in the K8s corev1 container the runAsUser field does not take a string as input, so I have to add this directly to the config instead of using the template.
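The type problem described in the reply above, as an added Go example (not the project's code): a hypothetical template with a quoted placeholder is rendered and unmarshalled into a constructed stand-in for corev1.SecurityContext and is rejected, while setting the typed field directly from config, as the PR does, succeeds.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Constructed stand-in for the runAsUser part of corev1.SecurityContext (not the real
// Kubernetes type): the field is *int64, so a JSON string value is rejected on unmarshal.
type SecurityContext struct {
	RunAsUser *int64 `json:"runAsUser,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

// Hypothetical template in the style of proxyInitContainerTemplate; the placeholder sits
// inside quotes, so the rendered JSON carries runAsUser as a string.
const quotedTemplate = `{"name":"proxyinit","securityContext":{"runAsUser":"{{.RunAsUser}}"}}`

// fromTemplate renders the template and unmarshals it; it returns the json.Unmarshal
// error produced when the string value lands in the *int64 field.
func fromTemplate(tmpl string, runAsUser int64) (Container, error) {
	var buf bytes.Buffer
	t := template.Must(template.New("init").Parse(tmpl))
	if err := t.Execute(&buf, struct{ RunAsUser int64 }{runAsUser}); err != nil {
		return Container{}, err
	}
	var c Container
	err := json.Unmarshal(buf.Bytes(), &c)
	return c, err
}

// fromConfig is the approach the PR takes: set the typed field directly from config.
func fromConfig(runAsUser int64) Container {
	return Container{Name: "proxyinit", SecurityContext: &SecurityContext{RunAsUser: &runAsUser}}
}

func main() {
	if _, err := fromTemplate(quotedTemplate, 0); err != nil {
		fmt.Println("template path:", err)
	}
	out, _ := json.Marshal(fromConfig(0))
	fmt.Println("config path:", string(out))
}
```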

Comment on lines 47 to 48
// RunAsUser for init container
runAsUser int64
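Review bot: the comment `// RunAsUser for init container` on the unexported `runAsUser` field does not say which code reads it or what the default means; since the author's reply states only initProxyMutator (and not cniProxyMutator or the Envoy config) consumes it, and the default is 0, state both in the comment so the root default is visible to anyone touching the proxy config.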
Contributor

Why is the init container config under proxy configs?

Author

I am not sure why it is there, but I only find this variable used in initProxyMutator and cniProxyMutator, so it should not affect the Envoy config.

Successfully merging this pull request may close these issues.

Configure runAsUser=0 on injected proxyinit container's security context