-
Notifications
You must be signed in to change notification settings - Fork 451
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run gardenlet as nonroot
user and group 65532
#9669
Run gardenlet as nonroot
user and group 65532
#9669
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you explain why this worked in the e2e tests previously?
I assume skaffold does not use the Dockerfile at all (?). Maybe someone more familiar with skaffold can confirm this. For example skaffold is not using the distroless base images we define in Dockerfile but it is using its own chainguard image. Logs from
Note the
when building the gardenlet image locally. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
LGTM label has been added. Git tree hash: bde170bfdff086a7435bf5313efc26dd5e01e391
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @ialidzhikov and @AleksandarSavchev
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rfranzke The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@AleksandarSavchev: The following tests failed, say
Full PR test history. Your PR dashboard. Command help for this repository. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
How to categorize this PR?
/area security quality
/kind bug enhancement
What this PR does / why we need it:
With #9640
kubelet
validates thatgardenlet
runs withnon-root
user. This checks requires the uid to be set (ref). This PR setsnonroot
user and group65532
for thekubelet
for consistency with the control plane components (ref) and to pass thekubelet
validation.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Release note: