-
Notifications
You must be signed in to change notification settings - Fork 451
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restrict the amount of work being done in a privileged container in the reversed vpn client. #6352
Restrict the amount of work being done in a privileged container in the reversed vpn client. #6352
Conversation
/cc @DockToFuture @marwinski @ialidzhikov |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@marwinski can you also review this PR as it is related to #6346?
476950a
to
fa092d7
Compare
fa092d7
to
284a715
Compare
/lgtm |
@ScheererJ can you rebase after #6349 is merged? |
@ialidzhikov I sure can even though I do not quite understand why it would be required (as the changes are in unrelated files). |
How I am supposed to test locally this PR as it relies on new env vars like |
@ialidzhikov The end-to-end test will likely fail as the init container will not stop with the old image version. You can test it locally be referencing the new vpn2 release instead of the existing one. |
284a715
to
a5c46a6
Compare
@ialidzhikov Rebased as requested. |
a5c46a6
to
89a6891
Compare
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't able to test this from from the /dev/net/tun
point of view this will work. The way the init container is implemented looks a bit like a hack due to the environment variable control. Maybe a separate script would have been more appropriate but this is minor.
@marwinski: adding LGTM is restricted to approvers and reviewers in OWNERS files. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
89a6891
to
be7d7ce
Compare
…he reversed vpn client. It is not necessary for the vpn-seed-server to run as privileged container. The tun device required for vpn operation can be mounted into the container namespace. The remaining work requiring privileged work can be moved into an init container. In case the container should run as non-root user in the future, it might help to create a separate tun device in a privileged init container as described in https://community.openvpn.net/openvpn/wiki/UnprivilegedUser#TUNTAPDevice .
be7d7ce
to
6d083de
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/unhold
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: DockToFuture, ialidzhikov, marwinski The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
How to categorize this PR?
/area networking
/kind cleanup
What this PR does / why we need it:
Restrict the amount of work being done in a privileged container in the reversed vpn client.
It is not necessary for the vpn-seed-server to run as privileged container. The tun
device required for vpn operation can be mounted into the container namespace. The
remaining work requiring privileged work can be moved into an init container.
In case the container should run as non-root user in the future, it might help to
create a separate tun device in a privileged init container as described in
https://community.openvpn.net/openvpn/wiki/UnprivilegedUser#TUNTAPDevice .
Which issue(s) this PR fixes:
Partially addresses gardener-attic/vpn#41.
Special notes for your reviewer:
Release note: