-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove deprecated hubble.ui.securityContext.enabled
from hubble-ui
#32338
Conversation
Good catch! Does this need to be backported? If so, do you know which versions are affected? |
@stelucz It looks like 3092ed1 bumped hubble-ui to v0.12.3, which has the commit changing user ID. It was backported to v1.13, v1.14, and v1.15. So, this fix will need to be backported too. @lambdanis, can you confirm? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice catch @stelucz.
@squeed My understanding is the same, I marked it for backports. cc @geakstr you might want to take a look.
@stelucz The CI is complaining about a long commit message title: https://github.com/cilium/cilium/actions/runs/8937892162/job/24552554956?pr=32338 Could you rephrase it so that the title is no longer than 75 characters?
0d658dc
to
d225b24
Compare
@lambdanis commit message fixed :) |
/test |
We hit issue couple months back where hubble-ui was not starting after fresh deployment.
Backend container complained about rights on mounted certificates:
I found issue having similar symptoms #18816. I started digging into changes of
hubble-ui
and chart templates, and I observed following details:hubble.ui.securityContext.enabled
commit and it was removed in 1.13 commit.enabled
parameter was not removed from template in commit.101
and65532
forfrontend
andbackend
images.hubble-ui
backend
container with rights issue mentioned above.What's changed:
Change removes
hubble.ui.securityContext.enabled
fromhubble-ui
deployment template and allows tosecurityContext
part be properly applied from values file. It probably does not exactly resolved root-cause of #18816, but current symptoms are resolved by it. Reviewer, please decide if it is valid to close that issue or not by this change.Possible improvement?
As both containers are in same pod, setting
securityContext
changes user id, group id and fs id to1001
for both containers. But Dockerfiles contain different user/group (101
and65532
) for each container image. Probably this could be aligned to single same user/group?Fixes: #18816