
Run gardenlet as nonroot user and group 65532 #9669

Merged

Conversation

AleksandarSavchev
Contributor

@AleksandarSavchev AleksandarSavchev commented Apr 25, 2024

How to categorize this PR?

/area security quality
/kind bug enhancement

What this PR does / why we need it:
With #9640 kubelet validates that gardenlet runs with non-root user. This check requires the uid to be set (ref). This PR sets nonroot user and group 65532 for the kubelet for consistency with the control plane components (ref) and to pass the kubelet validation.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

The `gardenlet` now runs as `nonroot` user and group `65532`.
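Added example, not kubelet or Gardener code: a stand-alone Go model of the runAsNonRoot verification the description refers to, showing why the check needs a numeric UID (from the image config or from `runAsUser`) and why a bare user name such as `nonroot` cannot be verified. The `ContainerSpec` type and the helper names are assumptions made for this example.

```go
package main

import "fmt"

// ContainerSpec holds the inputs the check looks at (assumed type, not a
// kubelet type). ImageUID is nil when the image config only carries a user
// name, for example USER nonroot, so the UID cannot be verified.
type ContainerSpec struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
	ImageUID     *int64
	ImageUser    string
}

// VerifyRunAsNonRoot returns nil when the container may start and an error
// saying why the runAsNonRoot check would refuse it otherwise.
func VerifyRunAsNonRoot(c ContainerSpec) error {
	// Policy not requested: nothing to verify.
	if c.RunAsNonRoot == nil || !*c.RunAsNonRoot {
		return nil
	}
	// An explicit runAsUser in the pod spec wins over the image config.
	if c.RunAsUser != nil {
		if *c.RunAsUser == 0 {
			return fmt.Errorf("runAsUser 0 breaks non-root policy")
		}
		return nil
	}
	switch {
	case c.ImageUID != nil && *c.ImageUID == 0:
		return fmt.Errorf("image will run as root")
	case c.ImageUID == nil && c.ImageUser != "":
		// Only a name is known: it cannot be proven to map to a non-zero UID.
		return fmt.Errorf("image has non-numeric user %q, cannot verify user is non-root", c.ImageUser)
	default:
		return nil
	}
}

func int64p(v int64) *int64 { return &v }
func boolp(v bool) *bool    { return &v }
func main() {
	nonRoot := boolp(true)
	// Image sets only USER nonroot: rejected, the UID is unknown.
	fmt.Println(VerifyRunAsNonRoot(ContainerSpec{RunAsNonRoot: nonRoot, ImageUser: "nonroot"}))
	// Image sets a numeric user 65532: accepted.
	fmt.Println(VerifyRunAsNonRoot(ContainerSpec{RunAsNonRoot: nonRoot, ImageUID: int64p(65532)}))
	// runAsUser 65532 in the pod spec: accepted even though the image user is a name.
	fmt.Println(VerifyRunAsNonRoot(ContainerSpec{RunAsNonRoot: nonRoot, RunAsUser: int64p(65532), ImageUser: "nonroot"}))
}
```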

@gardener-prow gardener-prow bot added area/security Security related area/quality Output qualification (tests, checks, scans, automation in general, etc.) related kind/bug Bug kind/enhancement Enhancement, improvement, extension cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. labels Apr 25, 2024
@AleksandarSavchev AleksandarSavchev marked this pull request as draft April 25, 2024 12:22
@gardener-prow gardener-prow bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Apr 25, 2024
Member

@rfranzke rfranzke left a comment


Can you explain why this worked in the e2e tests previously?

@AleksandarSavchev AleksandarSavchev marked this pull request as ready for review April 25, 2024 12:31
@gardener-prow gardener-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 25, 2024
@gardener-prow gardener-prow bot requested a review from timuthy April 25, 2024 12:31
@ialidzhikov
Member

> Can you explain why this worked in the e2e tests previously?

I assume skaffold does not use the Dockerfile at all (?). Maybe someone more familiar with skaffold can confirm this.

For example, skaffold is not using the distroless base images we define in the Dockerfile but it is using its own chainguard image. Logs from `make gardener-up`:

```
 - europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver: Found Remotely
 - europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager: Found Remotely
 - europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler: Found Remotely
 - europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller: Found Remotely
 - europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-local: Found Remotely
 - europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet: Not found. Building
 - europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager: Found Remotely
 - europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent: Found Remotely
Starting build...
Found [kind-gardener-local] context, using local docker daemon.
Building [europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet]...
Target platforms: [linux/arm64]
Using base cgr.dev/chainguard/static:latest@sha256:dea7cbb98630ecf732c9d840edec0bda5da5c0c7967a25354fb9f3d8c7f87c1a for github.com/gardener/gardener/cmd/gardenlet
```

Note the

```
Using base cgr.dev/chainguard/static:latest@sha256:dea7cbb98630ecf732c9d840edec0bda5da5c0c7967a25354fb9f3d8c7f87c1a for github.com/gardener/gardener/cmd/gardenlet
```

when building the gardenlet image locally.

Member

@ialidzhikov ialidzhikov left a comment


/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Apr 25, 2024
Contributor

gardener-prow bot commented Apr 25, 2024

LGTM label has been added.

Git tree hash: bde170bfdff086a7435bf5313efc26dd5e01e391

Member

@rfranzke rfranzke left a comment


Thanks @ialidzhikov and @AleksandarSavchev
/approve

Contributor

gardener-prow bot commented Apr 25, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rfranzke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 25, 2024
Contributor

gardener-prow bot commented Apr 25, 2024

@AleksandarSavchev: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| pull-gardener-e2e-kind | dbf3604 | link | unknown | /test pull-gardener-e2e-kind |
| pull-gardener-e2e-kind-ha-multi-zone-upgrade | dbf3604 | link | unknown | /test pull-gardener-e2e-kind-ha-multi-zone-upgrade |

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@gardener-prow gardener-prow bot merged commit 1173274 into gardener:master Apr 25, 2024
17 checks passed