envoy: Drop privileges

[upstream commit 8a59422] Use cilium-envoy image that drops privileges from the Envoy process before it starts. Envoy now needs to be started as `cilium-envoy-starter`, which drops all privileges before executing `cilium-envoy`. If `cilium-envoy` is executed directly with any privileges, it will terminate with the following error message when any Cilium filters are first configured: "[assert failure: get_capabilities(CAP_EFFECTIVE) == 0 && get_capabilities(CAP_PERMITTED) == 0. Details: cilium-envoy running with privileges, exiting" Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io>
cilium · Feb 27, 2024 · 711d50b · 711d50b
1 parent fd3b943
commit 711d50b
Show file tree

Hide file tree

Showing 8 changed files with 58 additions and 83 deletions.
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/images/cilium/Dockerfile b/images/cilium/Dockerfile
@@ -6,8 +6,7 @@ ARG CILIUM_RUNTIME_IMAGE=quay.io/cilium/cilium-runtime:dfc656c8318e2b31657c648a1
 
 # cilium-envoy from github.com/cilium/proxy
 #
-FROM quay.io/cilium/cilium-envoy:v1.26.7-39dc41f86c465d2a2d16386339dc0bf4d425babc@sha256:e77adfe8a263fe4b8c56dcb9bd0f4d68bb36067602e7be1388528c02fb8765c5 as cilium-envoy
-
+FROM quay.io/cilium/cilium-envoy:v1.27.3-6c582ff3630b574892d1692c4897fbb1726033d4@sha256:6f389b42be141c4ce69910b9c05133df9c18a78938f5bb062bffcae86fb6bb18 as cilium-envoy
 #
 # Hubble CLI
 #