
Run envoy as non-root #934

Merged
merged 1 commit into from
Oct 14, 2022

Conversation

skonto
Contributor

@skonto skonto commented Oct 13, 2022

Changes

  kubectl create ns kourier-system
  kubectl label --overwrite ns kourier-system \
    pod-security.kubernetes.io/enforce=restricted \
    pod-security.kubernetes.io/warn=restricted \
    pod-security.kubernetes.io/audit=restricted
$ oc get pods -n kourier-system
NAME                                      READY   STATUS    RESTARTS   AGE
3scale-kourier-gateway-85878884dd-4wp6n   1/1     Running   0          16m

@knative-prow knative-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 13, 2022
@knative-prow

knative-prow bot commented Oct 13, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 13, 2022
@skonto skonto requested review from nak3 and psschwei October 13, 2022 12:03
@codecov

codecov bot commented Oct 13, 2022

Codecov Report

Merging #934 (18bf5db) into main (ef78043) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #934   +/-   ##
=======================================
  Coverage   80.93%   80.93%           
=======================================
  Files          18       18           
  Lines        1243     1243           
=======================================
  Hits         1006     1006           
  Misses        190      190           
  Partials       47       47           


@skonto skonto changed the title [wip] Run envoy as non-root Run envoy as non-root Oct 13, 2022
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 13, 2022
@psschwei
Contributor

psschwei commented Oct 13, 2022

Does @nak3's comment here still apply?

@nak3
Contributor

nak3 commented Oct 14, 2022

Yeah, I think runAsUser is not allowed on OCP by default (or some condition).

The doc still mentions it:
https://docs.openshift.com/container-platform/4.11/authentication/managing-security-context-constraints.html#security-context-constraints-example_configuring-internal-oauth

A container or pod that requests a specific user ID will be accepted by OpenShift Container Platform only when a service account or a user is granted access to a SCC that allows such a user ID. The SCC can allow arbitrary IDs, an ID that falls into a range, or the exact user ID specific to the request.

That said, we (downstream) already tweak runAsNonRoot by a patch, so is Stavros going to patch the change (runAsUser) downstream? (Or do we not care about it in the newer OCP version?)
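The restricted Pod Security profile the PR description enforces on kourier-system, together with the OpenShift runAsUser caveat raised in the comment above, as an added example that is not part of this thread or of the project's own code: a small Python checker that evaluates a pod spec against the restricted-profile securityContext fields and warns on an explicit runAsUser. The pod specs below are constructed samples, not the project's manifest.

```python
# Added example (not code from the PR or the project): a static check of a
# pod spec against the Pod Security "restricted" profile fields that govern
# running Envoy as non-root. It also warns on an explicit runAsUser, which
# OpenShift's default SCCs reject unless a matching SCC is granted.

def check_restricted(pod_spec: dict) -> tuple[list[str], list[str]]:
    """Return (violations, warnings) for one pod spec given as a plain dict."""
    violations, warnings = [], []
    pod_sc = pod_spec.get("securityContext", {})
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        caps = sc.get("capabilities", {})
        if run_as_non_root is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if run_as_user == 0:
            violations.append(f"{name}: runAsUser must not be 0")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            violations.append(f"{name}: only NET_BIND_SERVICE may be added back")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        if run_as_user is not None:
            # Portability caveat from the thread: a fixed UID needs an SCC on OpenShift.
            warnings.append(f"{name}: explicit runAsUser={run_as_user} needs an SCC on OpenShift")
    return violations, warnings

# Constructed sample: a gateway pod hardened for the restricted profile (not the project's manifest).
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65532,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "gateway", "image": "envoy:placeholder",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}
# Constructed sample: the same pod with no securityContext set anywhere.
DEFAULT = {"containers": [{"name": "gateway", "image": "envoy:placeholder"}]}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED), ("default", DEFAULT)):
        v, w = check_restricted(spec)
        print(label, "violations:", v, "warnings:", w)
```

Run against a manifest loaded with a YAML parser, the checker reproduces the restricted-profile findings the PSA `warn` label would report, and the warnings list is what to review before shipping the same manifest to an OpenShift cluster.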

@nak3
Contributor

nak3 commented Oct 14, 2022

/lgtm
I assume that OCP will be solved somehow.

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 14, 2022
@knative-prow knative-prow bot merged commit 913e85d into knative-extensions:main Oct 14, 2022
@skonto
Contributor Author

skonto commented Oct 14, 2022

@nak3 yeah, probably we will patch it; it is not a problem ;) My rationale is to keep moving forward with these changes.
