sidecar-injector with SDS enabled breaks pod securityContext #20409
The pod securityContext is patched by the sidecar-injector when SDS is enabled.
This also overwrites pod securityContext fields like runAsUser, which results in a pod whose pod securityContext no longer has the runAsUser field.
This only impacts the pod securityContext spec, not the securityContext field in the container spec.
[x] Configuration Infrastructure
When enabling SDS, we expect a pod with a pod securityContext spec to be scheduled with that pod securityContext applied and with only fsGroup added/overwritten.
Steps to reproduce the bug
In our case this results in the following events, because we only allow non-root users via PSP:
If we add runAsUser to the container's securityContext spec, the pods are scheduled correctly.
In the istio-sidecar-injector log we see the following in the "info AdmissionResponse: patch" message:
With SDS disabled we see:
Version (include the output of istioctl version --remote):
How was Istio installed?
istioctl manifest apply --set profile=sds
Environment where bug was observed (cloud vendor, OS, etc)
We're running on GKE, tested with version v1.13.11-gke.14
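As an added illustration (not Istio's injector code), the Python below contrasts an admission patch that replaces the whole pod securityContext with one that only adds fsGroup, and includes a check an operator can run against an AdmissionResponse patch to list pod-level fields that were dropped; the pod spec and the fsGroup value are constructed for the example.

```python
"""Added example (not Istio code): a JSON patch that replaces the whole pod
securityContext drops runAsUser, while a merge-style patch keeps it."""
import copy

# Constructed pod spec: runAsUser/runAsNonRoot set at pod level, as in the report.
POD = {
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
        "containers": [{"name": "app", "image": "example/app:1"}],
    }
}

# fsGroup the injector wants to set; assumed value, not taken from the issue.
INJECTED_FS_GROUP = 1337

# Two admission patches in RFC 6902 form. The first mirrors the reported
# behaviour (whole object replaced); the second adds only the one field.
REPLACE_PATCH = [{"op": "replace", "path": "/spec/securityContext",
                  "value": {"fsGroup": INJECTED_FS_GROUP}}]
MERGE_PATCH = [{"op": "add", "path": "/spec/securityContext/fsGroup",
                "value": INJECTED_FS_GROUP}]


def apply_patch(obj, patch):
    """Minimal RFC 6902 applier: 'add'/'replace' on dict paths only
    (no array indices, no ~0/~1 pointer escapes). Returns a new object."""
    obj = copy.deepcopy(obj)
    for op in patch:
        if op["op"] not in ("add", "replace"):
            raise ValueError(f"unsupported op {op['op']}")
        parts = op["path"].lstrip("/").split("/")
        node = obj
        for key in parts[:-1]:
            node = node.setdefault(key, {})
        node[parts[-1]] = op["value"]
    return obj


def dropped_pod_security_fields(before, after):
    """Pod-level securityContext keys present before admission but gone after.
    A non-empty result means the patch clobbered fields a PSP may require."""
    old = before["spec"].get("securityContext", {})
    new = after["spec"].get("securityContext", {})
    return sorted(k for k in old if k not in new)


if __name__ == "__main__":
    for name, patch in (("replace", REPLACE_PATCH), ("merge", MERGE_PATCH)):
        patched = apply_patch(POD, patch)
        print(name, patched["spec"]["securityContext"],
              "dropped:", dropped_pod_security_fields(POD, patched))
```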
The Istio webhook is removing all fields from the pod's securityContext (except