Run istio-init with non-root UID

Makefile.core.mk

@@ -22,7 +22,7 @@ SHELL := /bin/bash -o pipefail
 VERSION ?= 1.6-dev
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.6-dev.0
+BASE_VERSION ?= 1.6-dev.1
 
 export GO111MODULE ?= on
 export GOPROXY ?= https://proxy.golang.org

docker/Dockerfile.base

@@ -17,6 +17,7 @@ RUN apt-get update && \
       iproute2 \
       iputils-ping \
       knot-dnsutils \
+      libcap2-bin \
       netcat \
       tcpdump \
       net-tools \

install/kubernetes/helm/istio/files/injection-template.yaml

@@ -50,7 +50,6 @@ initContainers:
 {{- end }}
   securityContext:
     allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
-    privileged: {{ .Values.global.proxy.privileged }}
     capabilities:
   {{- if not .Values.istio_cni.enabled }}
       add:
@@ -59,16 +58,11 @@ initContainers:
   {{- end }}
       drop:
       - ALL
+    privileged: {{ .Values.global.proxy.privileged }}
     readOnlyRootFilesystem: false
-  {{- if not .Values.istio_cni.enabled }}
-    runAsGroup: 0
-    runAsNonRoot: false
-    runAsUser: 0
-  {{- else }}
     runAsGroup: 1337
-    runAsUser: 1337
     runAsNonRoot: true
-  {{- end }}
+    runAsUser: 1337
   restartPolicy: Always
 {{  end -}}
 {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}

istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected

@@ -125,9 +125,9 @@ spec:
                 - ALL
               privileged: false
               readOnlyRootFilesystem: false
-              runAsGroup: 0
-              runAsNonRoot: false
-              runAsUser: 0
+              runAsGroup: 1337
+              runAsNonRoot: true
+              runAsUser: 1337
           restartPolicy: OnFailure
           volumes:
           - emptyDir:

istioctl/cmd/testdata/uninject/cronjob.yaml.injected

@@ -153,9 +153,9 @@ spec:
                 - ALL
               privileged: false
               readOnlyRootFilesystem: false
-              runAsGroup: 0
-              runAsNonRoot: false
-              runAsUser: 0
+              runAsGroup: 1337
+              runAsNonRoot: true
+              runAsUser: 1337
           restartPolicy: OnFailure
           volumes:
           - emptyDir:

istioctl/cmd/testdata/uninject/daemonset.yaml.injected

@@ -158,9 +158,9 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: false
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
+          runAsGroup: 1337
+          runAsNonRoot: true
+          runAsUser: 1337
       volumes:
       - emptyDir:
           medium: Memory

istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml.injected

@@ -177,9 +177,9 @@ items:
               - ALL
             privileged: false
             readOnlyRootFilesystem: false
-            runAsGroup: 0
-            runAsNonRoot: false
-            runAsUser: 0
+            runAsGroup: 1337
+            runAsNonRoot: true
+            runAsUser: 1337
         volumes:
         - emptyDir:
             medium: Memory

istioctl/cmd/testdata/uninject/deploymentconfig.yaml.injected

@@ -162,9 +162,9 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: false
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
+          runAsGroup: 1337
+          runAsNonRoot: true
+          runAsUser: 1337
       volumes:
       - emptyDir:
           medium: Memory

istioctl/cmd/testdata/uninject/enable-core-dump.yaml.injected

@@ -163,9 +163,9 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: false
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
+          runAsGroup: 1337
+          runAsNonRoot: true
+          runAsUser: 1337
       - args:
         - -c
         - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited

istioctl/cmd/testdata/uninject/job.yaml.injected

@@ -151,9 +151,9 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: false
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
+          runAsGroup: 1337
+          runAsNonRoot: true
+          runAsUser: 1337
       restartPolicy: Never
       volumes:
       - emptyDir:

istioctl/cmd/testdata/uninject/list.yaml.injected

@@ -172,9 +172,9 @@ items:
               - ALL
             privileged: false
             readOnlyRootFilesystem: false
-            runAsGroup: 0
-            runAsNonRoot: false
-            runAsUser: 0
+            runAsGroup: 1337
+            runAsNonRoot: true
+            runAsUser: 1337
         volumes:
         - name: test
           secret:
@@ -351,13 +351,14 @@ items:
             capabilities:
               add:
               - NET_ADMIN
+              - NET_RAW
               drop:
               - ALL
             privileged: false
             readOnlyRootFilesystem: false
-            runAsGroup: 0
-            runAsNonRoot: false
-            runAsUser: 0
+            runAsGroup: 1337
+            runAsNonRoot: true
+            runAsUser: 1337
         volumes:
         - emptyDir:
             medium: Memory

istioctl/cmd/testdata/uninject/pod.yaml.injected

@@ -151,9 +151,9 @@ spec:
         - ALL
       privileged: false
       readOnlyRootFilesystem: false
-      runAsGroup: 0
-      runAsNonRoot: false
-      runAsUser: 0
+      runAsGroup: 1337
+      runAsNonRoot: true
+      runAsUser: 1337
   volumes:
   - emptyDir:
       medium: Memory

istioctl/cmd/testdata/uninject/replicaset.yaml.injected

@@ -159,9 +159,9 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: false
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
+          runAsGroup: 1337
+          runAsNonRoot: true
+          runAsUser: 1337
       volumes:
       - emptyDir:
           medium: Memory

istioctl/cmd/testdata/uninject/replicationcontroller.yaml.injected

@@ -158,9 +158,9 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: false
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
+          runAsGroup: 1337
+          runAsNonRoot: true
+          runAsUser: 1337
       volumes:
       - emptyDir:
           medium: Memory

istioctl/cmd/testdata/uninject/statefulset.yaml.injected

@@ -167,9 +167,9 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: false
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
+          runAsGroup: 1337
+          runAsNonRoot: true
+          runAsUser: 1337
       volumes:
       - hostPath:
           path: /mnt/disks/ssd0

manifests/istio-control/istio-autoinject/files/injection-template.yaml

@@ -51,7 +51,6 @@ template: |
   {{- end }}
     securityContext:
       allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
-      privileged: {{ .Values.global.proxy.privileged }}
       capabilities:
     {{- if not .Values.istio_cni.enabled }}
         add:
@@ -60,16 +59,11 @@ template: |
     {{- end }}
         drop:
         - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
       readOnlyRootFilesystem: false
-    {{- if not .Values.istio_cni.enabled }}
-      runAsGroup: 0
-      runAsNonRoot: false
-      runAsUser: 0
-    {{- else }}
       runAsGroup: 1337
-      runAsUser: 1337
       runAsNonRoot: true
-    {{- end }}
+      runAsUser: 1337
     restartPolicy: Always
   {{ end -}}
   {{- if eq .Values.global.proxy.enableCoreDump true }}

manifests/istio-control/istio-discovery/files/injection-template.yaml

@@ -56,7 +56,6 @@ template: |
   {{- end }}
     securityContext:
       allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
-      privileged: {{ .Values.global.proxy.privileged }}
       capabilities:
     {{- if not .Values.istio_cni.enabled }}
         add:
@@ -65,16 +64,11 @@ template: |
     {{- end }}
         drop:
         - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
       readOnlyRootFilesystem: false
-    {{- if not .Values.istio_cni.enabled }}
-      runAsGroup: 0
-      runAsNonRoot: false
-      runAsUser: 0
-    {{- else }}
       runAsGroup: 1337
-      runAsUser: 1337
       runAsNonRoot: true
-    {{- end }}
+      runAsUser: 1337
     restartPolicy: Always
   {{ end -}}
   {{- if eq .Values.global.proxy.enableCoreDump true }}

operator/cmd/mesh/testdata/manifest-generate/output/all_on.golden-show-in-gh-pull-request.yaml

@@ -8873,7 +8873,6 @@ data:
       {{- end }}
         securityContext:
           allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
-          privileged: {{ .Values.global.proxy.privileged }}
           capabilities:
         {{- if not .Values.istio_cni.enabled }}
             add:
@@ -8882,16 +8881,11 @@ data:
         {{- end }}
             drop:
             - ALL
+          privileged: {{ .Values.global.proxy.privileged }}
           readOnlyRootFilesystem: false
-        {{- if not .Values.istio_cni.enabled }}
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
-        {{- else }}
           runAsGroup: 1337
-          runAsUser: 1337
           runAsNonRoot: true
-        {{- end }}
+          runAsUser: 1337
         restartPolicy: Always
       {{ end -}}
       {{- if eq .Values.global.proxy.enableCoreDump true }}
@@ -10787,7 +10781,6 @@ data:
       {{- end }}
         securityContext:
           allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
-          privileged: {{ .Values.global.proxy.privileged }}
           capabilities:
         {{- if not .Values.istio_cni.enabled }}
             add:
@@ -10796,16 +10789,11 @@ data:
         {{- end }}
             drop:
             - ALL
+          privileged: {{ .Values.global.proxy.privileged }}
           readOnlyRootFilesystem: false
-        {{- if not .Values.istio_cni.enabled }}
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
-        {{- else }}
           runAsGroup: 1337
-          runAsUser: 1337
           runAsNonRoot: true
-        {{- end }}
+          runAsUser: 1337
         restartPolicy: Always
       {{ end -}}
       {{- if eq .Values.global.proxy.enableCoreDump true }}