Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove the need of anyuid permission on OpenShift #45394

Merged
merged 1 commit into from
Aug 25, 2023
Merged

Remove the need of anyuid permission on OpenShift #45394

merged 1 commit into from
Aug 25, 2023

Conversation

jwendell
Copy link
Member

@jwendell jwendell commented Jun 9, 2023

  • Remove the hard-coded usages of runAsUser and runAsGroup in charts
  • Where necessary, replace them with a helm field .ProxyUID and .ProxyGID.
  • When running in OpenShift, these fields will be set at runtime based on annotations present on the pod's namespace.
  • When not on OpenShift (strictly speaking, when such annotations are not present), these values fallback to the current, defauls value of 1337.

With this change we can remove the extra steps related to anyuid in the OpenShift setup page.

@istio-testing istio-testing added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 9, 2023
jacob-delgado
jacob-delgado reviewed Jun 9, 2023
View reviewed changes
Copy link
Contributor

@jacob-delgado jacob-delgado left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but see my concern about adding the kubeclient to the webhook. I'll defer that to the networking maintainers. This would definitely help users of OpenShift so I'm in favor.

pkg/kube/inject/openshift.go Show resolved Hide resolved
pkg/kube/inject/webhook.go Outdated Show resolved Hide resolved
howardjohn
howardjohn reviewed Jun 12, 2023
View reviewed changes
go.mod Outdated Show resolved Hide resolved
manifests/charts/istio-control/istio-discovery/templates/deployment.yaml Show resolved Hide resolved
manifests/charts/istio-operator/templates/deployment.yaml Show resolved Hide resolved
pilot/docker/Dockerfile.proxyv2 Outdated Show resolved Hide resolved
pkg/kube/client.go Outdated Show resolved Hide resolved
pkg/kube/inject/inject.go Show resolved Hide resolved
pkg/kube/inject/webhook.go Outdated Show resolved Hide resolved
@howardjohn
Copy link
Member

I am a bit worried these changes may have some subtle negative impact on non-openshift users. This is a bit vague since I don't have any concrete criticisms, more of the unknown-unknown of the template changes

@howardjohn
Copy link
Member

Does openshift block the UIDs at Deployment level or only Pod level?

@jwendell
Copy link
Member Author

I am a bit worried these changes may have some subtle negative impact on non-openshift users. This is a bit vague since I don't have any concrete criticisms, more of the unknown-unknown of the template changes

The general idea is to remove hardcoded values in RunAs fields in the deployments. If this field is absent, Kubernetes will honor the USER value of the container image. OpenShift will automatically assign a value derived from an range defined in a namespace annotation.

If we change the USER field in the base proxy image to be 1337 - which we did in this PR - we can remove the RunAs declarations in some places. Kubernetes will use 1337 and OpenShift will assign a value at runtime.

@jwendell
Copy link
Member Author

Does openshift block the UIDs at Deployment level or only Pod level?

Replicaset level.

@jwendell jwendell added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jun 15, 2023
@howardjohn
Copy link
Member

I am a bit worried these changes may have some subtle negative impact on non-openshift users. This is a bit vague since I don't have any concrete criticisms, more of the unknown-unknown of the template changes

The general idea is to remove hardcoded values in RunAs fields in the deployments. If this field is absent, Kubernetes will honor the USER value of the container image. OpenShift will automatically assign a value derived from an range defined in a namespace annotation.

If we change the USER field in the base proxy image to be 1337 - which we did in this PR - we can remove the RunAs declarations in some places. Kubernetes will use 1337 and OpenShift will assign a value at runtime.

The issue is if users are currently running the images without explicitly setting runas, they are now changed from 0 to 1337. See #45394 (comment) - I am 100% certain this will break some of our users.

To be fair - its a good end result, we don't want users running as root. But I am a bit worried about the breakage.

Does openshift even need it? Can we just keep 1337 hardcoded as-is, and then override with the max UID range on openshift as added in this PR?

@taneem-ibrahim taneem-ibrahim mentioned this pull request Jul 13, 2023
Closed
@istio-testing istio-testing added needs-rebase Indicates a PR needs to be rebased before being merged labels Jul 18, 2023
@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Aug 11, 2023
@jwendell
Remove the need of anyuid permission on OpenShift
624864d 
- Remove the hard-coded usages of `runAsUser` and `runAsGroup` in charts
- Where necessary, replace them with a helm field `.ProxyUID` and
  `.ProxyGID`.
- When running in OpenShift, these fields will be set at runtime based
  on annotations present on the pod's namespace.
- When not on OpenShift (strictly speaking, when such annotations are
  not present), these values fallback to the current, defauls
  value of 1337.

With this change we can remove the extra steps related to `anyuid` in the [OpenShift setup
page](https://istio.io/v1.17/docs/setup/platform-setup/openshift/).
@istio-testing istio-testing removed the needs-rebase Indicates a PR needs to be rebased before being merged label Aug 25, 2023
@istio-policy-bot istio-policy-bot removed lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while labels Aug 25, 2023
@jwendell
Copy link
Member Author

I reverted the + USER 1337:1337 change I had done in proxy dockerfile. Hopefully changes now are safe.

howardjohn
howardjohn approved these changes Aug 25, 2023
View reviewed changes
manifests/charts/gateways/istio-egress/templates/deployment.yaml
@@ -53,10 +53,11 @@ spec:
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
{{- if not (eq .Values.global.platform "openshift") }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its slightly awkward/inconsistent that we have an "openshift" profile and an "openshift" platform, and some values are controlled by one vs the other.

But I think ok since otherwise we would need to add some more values here

@howardjohn
Copy link
Member

@jwendell you have a do-not-merge, LGTM to merge when you are ready

@jwendell jwendell removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Aug 25, 2023
@istio-testing istio-testing merged commit ef9d57e into istio:master Aug 25, 2023
16 of 27 checks passed
@kfaseela
Copy link
Member

@jwendell : I am trying to run integration tests locally on my mac, and starts getting the below error today. This used to work before. Do you think it is related?

2023-08-30T08:16:27.591923Z	error	Pod injection failed: failed to run injection template: template: inject:88:9: executing "inject" at <.ProxyUID>: can't evaluate field ProxyUID in type *inject.SidecarTemplateData
2023-08-30T08:16:27.996153Z	info	Sidecar injection request for echo1-5-51122/a-v1-7868db5759-***** (actual name not yet known)
2023-08-30T08:16:27.998146Z	error	Invalid template: template: inject:88:9: executing "inject" at <.ProxyUID>: can't evaluate field ProxyUID in type *inject.SidecarTemplateData

@kfaseela
Copy link
Member

@jwendell : I am trying to run integration tests locally on my mac, and starts getting the below error today. This used to work before. Do you think it is related?

2023-08-30T08:16:27.591923Z	error	Pod injection failed: failed to run injection template: template: inject:88:9: executing "inject" at <.ProxyUID>: can't evaluate field ProxyUID in type *inject.SidecarTemplateData
2023-08-30T08:16:27.996153Z	info	Sidecar injection request for echo1-5-51122/a-v1-7868db5759-***** (actual name not yet known)
2023-08-30T08:16:27.998146Z	error	Invalid template: template: inject:88:9: executing "inject" at <.ProxyUID>: can't evaluate field ProxyUID in type *inject.SidecarTemplateData

ignore, things are working fine when I use latest test image.

rh-tokeefe added a commit to rh-tokeefe/istio.io that referenced this pull request Aug 31, 2023
@rh-tokeefe
Remove anyuid instructions for OpenShift
a591cd8 
These instructions are no longer needed after these changes istio/istio#45394
@rh-tokeefe rh-tokeefe mentioned this pull request Aug 31, 2023
Merged
@jewertow jewertow mentioned this pull request Sep 4, 2023
Closed
istio-testing pushed a commit to istio/istio.io that referenced this pull request Sep 5, 2023
@rh-tokeefe
Remove anyuid instructions for OpenShift (#13795)
c863e9e 
* Remove anyuid instructions for OpenShift

These instructions are no longer needed after these changes istio/istio#45394

* Removed blank line that caused failure
@hemendrateli hemendrateli mentioned this pull request Dec 14, 2023
Closed
2 tasks
dgn added a commit to dgn/sail-operator that referenced this pull request Apr 5, 2024
@dgn
This patch is not needed anymore as we removed support for v1.20 - th…
fae6534 
…e lines it attempts to remove have been removed as part of istio/istio#45394.

Signed-off-by: Daniel Grimm <dgrimm@redhat.com>
dgn added a commit to dgn/sail-operator that referenced this pull request Apr 5, 2024
@dgn
Remove the patch that deleted fixed UIDs from istiod charts
b58b0f8 
This patch is not needed anymore as we removed support for v1.20 - the lines it attempts to remove have been removed as part of istio/istio#45394.

Signed-off-by: Daniel Grimm <dgrimm@redhat.com>
@dgn dgn mentioned this pull request Apr 5, 2024
Merged
istio-testing pushed a commit to istio-ecosystem/sail-operator that referenced this pull request Apr 5, 2024
@dgn
Remove the patch that deleted fixed UIDs from istiod charts (#23)
2424b87 
This patch is not needed anymore as we removed support for v1.20 - the lines it attempts to remove have been removed as part of istio/istio#45394.

Signed-off-by: Daniel Grimm <dgrimm@redhat.com>
@jwendell jwendell mentioned this pull request Jun 4, 2024
Closed
12 tasks
veer051 pushed a commit to veer051/istio that referenced this pull request Jul 5, 2024
@jwendell @jacob-delgado
Remove the need of anyuid permission on OpenShift (istio#45394)
25cbca2 
- Remove the hard-coded usages of `runAsUser` and `runAsGroup` in charts
- Where necessary, replace them with a helm field `.ProxyUID` and
  `.ProxyGID`.
- When running in OpenShift, these fields will be set at runtime based
  on annotations present on the pod's namespace.
- When not on OpenShift (strictly speaking, when such annotations are
  not present), these values fallback to the current, defauls
  value of 1337.

With this change we can remove the extra steps related to `anyuid` in the [OpenShift setup
page](https://istio.io/v1.17/docs/setup/platform-setup/openshift/).
veer051 pushed a commit to veer051/istio that referenced this pull request Jul 5, 2024
@twistio-automation
Merge pull request istio#195 from jacob-delgado/cherry-pick-removal-o…
4843a2f 
…f-anyuid-openshift

Remove the need of anyuid permission on OpenShift (istio#45394)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jacob-delgado jacob-delgado jacob-delgado left review comments

@howardjohn howardjohn howardjohn approved these changes

@costinm costinm Awaiting requested review from costinm

@linsun linsun Awaiting requested review from linsun

@stevenctl stevenctl Awaiting requested review from stevenctl

@ericvn ericvn Awaiting requested review from ericvn

@hzxuzhonghu hzxuzhonghu Awaiting requested review from hzxuzhonghu

Assignees
No one assigned
Labels
size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@jwendell @howardjohn @kfaseela @jacob-delgado @istio-testing @istio-policy-bot