MAISTRA-551 Run sidecar with a dynamically-determined runAsUser ID #27
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jwendell
approved these changes
Jun 28, 2019
| @@ -687,6 +712,19 @@ func (wh *Webhook) inject(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionRespons | |||
| return &reviewResponse | |||
| } | |||
|
|
|||
| func getProxyUID(pod corev1.Pod) (*uint64, error) { | |||
There was a problem hiding this comment.
What about return -1 in cases of errors? That would eliminate the need of dealing with pointers above
There was a problem hiding this comment.
Yeah, that was my first instinct, too... but IMHO a pointer to represent optionality is much better than using magic values. Not sure what the golang position on this is.
| @@ -715,7 +717,8 @@ func intoObject(sidecarTemplate string, meshconfig *meshconfig.MeshConfig, in ru | |||
| podSpec, | |||
| metadata, | |||
| meshconfig.DefaultConfig, | |||
| meshconfig) | |||
| meshconfig, | |||
| DefaultSidecarProxyUID) | |||
| if err != nil { | |||
There was a problem hiding this comment.
Is it safe to use the default value here?
There was a problem hiding this comment.
This preserves the old behavior. The thing is, we can't put the UID into the configmap, because the uid that should be used differs from one namespace to the next.
dgn
pushed a commit
to dgn/istio-maistra
that referenced
this pull request
Jan 28, 2020
Fix istio repo location
dgn
pushed a commit
to dgn/istio-maistra
that referenced
this pull request
Jan 28, 2020
dgn
pushed a commit
to dgn/istio-maistra
that referenced
this pull request
Jan 28, 2020
* Recursive directory watcher * Fix initial timer value * Lint * Add copyright * Review comments * Add the codecov setup from istio repo (maistra#32) * Add the codecov setup from istio repo * Add the codecov setup from istio repo * Extend CODEOWNERS (maistra#37) * Add local codecov check script (maistra#23) * Add local codecov check script * Add codecov diff check script to check coverage drop * Add codecov diff check script to check coverage drop * Update common files. (maistra#39) * Add build infra for proto to Go structs (maistra#34) * Add build infra for proto to Go structs * Add deepcopy for gogo types used in IstioControlPlane proto * Bypass deepcopy for DynamicAny, not used * WIP * Disable deepcopy until clean solution can be found * Minor updates * add resources or certmanager. (maistra#45) * Add Environment WG leads to CODEOWNERS (maistra#46) * Refactoring utils (maistra#40) * Refactoring utils * Lint * Copyrights * Minor cleanup * Overview of component package group (maistra#27) * Config and profile samples (maistra#38) * Config and profile samples * Update profiles and sample * Additional fields * Default profile comes from compiled in * Listen also for create and delete events
bison
pushed a commit
to bison/maistra-istio
that referenced
this pull request
Jul 7, 2020
jwendell
pushed a commit
to jwendell/istio-maistra
that referenced
this pull request
Jul 10, 2020
* update Envoy sha (maistra#25) * update Envoy sha * update sha again * Bump base image (maistra#27) * Update proxy sha Co-authored-by: Yangmin Zhu <ymzhu@google.com> Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.