Remove the need of anyuid permission on OpenShift #45394
Conversation
LGTM, but see my concern about adding the kubeclient to the webhook. I'll defer that to the networking maintainers. This would definitely help users of OpenShift so I'm in favor.
manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
I am a bit worried these changes may have some subtle negative impact on non-openshift users. This is a bit vague since I don't have any concrete criticisms, more of the unknown-unknown of the template changes.
Does openshift block the UIDs at Deployment level or only Pod level?
The general idea is to remove hardcoded values in If we change the
Replicaset level.
The issue is if users are currently running the images without explicitly setting runas, they are now changed from To be fair - it's a good end result, we don't want users running as root. But I am a bit worried about the breakage. Does openshift even need it? Can we just keep 1337 hardcoded as-is, and then override with the max UID range on openshift as added in this PR?
- Remove the hard-coded usages of `runAsUser` and `runAsGroup` in charts
- Where necessary, replace them with a helm field `.ProxyUID` and `.ProxyGID`.
- When running in OpenShift, these fields will be set at runtime based on annotations present on the pod's namespace.
- When not on OpenShift (strictly speaking, when such annotations are not present), these values fall back to the current default value of 1337.

With this change we can remove the extra steps related to `anyuid` in the [OpenShift setup page](https://istio.io/v1.17/docs/setup/platform-setup/openshift/).
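The runtime lookup the description refers to, as an added example in Go (not the project's own code): it reads the SCC range annotations that OpenShift places on a namespace, which I assume here are `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.supplemental-groups` in `start/size` form (neither key is named on this page), takes the last ID in the range as the review discussion suggests, and falls back to 1337 when the annotation is absent or malformed. It also refuses to hand back ID 0, since a sidecar running as root would undo the point of dropping `anyuid`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Defaults kept when no OpenShift annotation is present (the PR's fallback).
const (
	DefaultProxyUID int64 = 1337
	DefaultProxyGID int64 = 1337
)

// Assumed OpenShift SCC annotation keys on the namespace; the page does not name them.
const (
	UIDRangeAnnotation = "openshift.io/sa.scc.uid-range"
	GIDRangeAnnotation = "openshift.io/sa.scc.supplemental-groups"
)

// lastIDInRange parses an SCC range written as "start/size" and returns the
// highest ID in it (start+size-1). A comma-separated list of ranges is handled
// by taking only the first one.
func lastIDInRange(raw string) (int64, error) {
	first := strings.TrimSpace(strings.SplitN(raw, ",", 2)[0])
	parts := strings.SplitN(first, "/", 2)
	if len(parts) != 2 {
		return 0, fmt.Errorf("range %q is not in start/size form", raw)
	}
	start, err := strconv.ParseInt(strings.TrimSpace(parts[0]), 10, 64)
	if err != nil {
		return 0, fmt.Errorf("bad range start in %q: %w", raw, err)
	}
	size, err := strconv.ParseInt(strings.TrimSpace(parts[1]), 10, 64)
	if err != nil {
		return 0, fmt.Errorf("bad range size in %q: %w", raw, err)
	}
	// Reject empty ranges and anything that would not fit a 32-bit uid_t.
	if start < 0 || size <= 0 || start > (1<<31)-size {
		return 0, fmt.Errorf("range %q is empty or out of bounds", raw)
	}
	return start + size - 1, nil
}

// resolveID returns the last ID of the annotated range, or def when the
// annotation is missing or unusable. ID 0 is never returned: that would run
// the sidecar as root, which is exactly what removing anyuid is meant to avoid.
func resolveID(annotations map[string]string, key string, def int64) int64 {
	raw, ok := annotations[key]
	if !ok {
		return def
	}
	id, err := lastIDInRange(raw)
	if err != nil || id == 0 {
		return def
	}
	return id
}

// ProxyIDs is the per-pod decision described above: given the namespace
// annotations, choose runAsUser/runAsGroup for the injected proxy.
func ProxyIDs(nsAnnotations map[string]string) (uid, gid int64) {
	return resolveID(nsAnnotations, UIDRangeAnnotation, DefaultProxyUID),
		resolveID(nsAnnotations, GIDRangeAnnotation, DefaultProxyGID)
}

func main() {
	// Constructed namespace annotations in the shape OpenShift writes them.
	openshiftNS := map[string]string{
		UIDRangeAnnotation: "1000680000/10000",
		GIDRangeAnnotation: "1000680000/10000",
	}
	plainNS := map[string]string{}

	uid, gid := ProxyIDs(openshiftNS)
	fmt.Printf("openshift: runAsUser=%d runAsGroup=%d\n", uid, gid)
	uid, gid = ProxyIDs(plainNS)
	fmt.Printf("other:     runAsUser=%d runAsGroup=%d\n", uid, gid)
}
```

The fallback on a malformed annotation is deliberate: a typo in the range should land the proxy on the known non-root 1337, not on whatever partial integer parsed.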
I reverted the
@@ -53,10 +53,11 @@ spec: | |||
spec: | |||
{{- if not $gateway.runAsRoot }} | |||
securityContext: | |||
{{- if not (eq .Values.global.platform "openshift") }} |
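Review bot: the new `{{- if not (eq .Values.global.platform "openshift") }}` is nested inside `{{- if not $gateway.runAsRoot }}`, so on OpenShift the gateway pod gets no `securityContext` at all and the UID is left to the SCC; a template comment stating that intent would save the next reader a trip to this PR, and each of the two nested `if` blocks needs its own `{{- end }}`, which is outside the visible hunk and worth checking.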
It's slightly awkward/inconsistent that we have an "openshift" profile and an "openshift" platform, and some values are controlled by one vs the other.
But I think ok since otherwise we would need to add some more values here
@jwendell you have a do-not-merge, LGTM to merge when you are ready
@jwendell : I am trying to run integration tests locally on my mac, and started getting the below error today. This used to work before. Do you think it is related?
ignore, things are working fine when I use latest test image. |
* Remove anyuid instructions for OpenShift These instructions are no longer needed after these changes istio/istio#45394 * Removed blank line that caused failure
This patch is not needed anymore as we removed support for v1.20 - the lines it attempts to remove have been removed as part of istio/istio#45394. Signed-off-by: Daniel Grimm <dgrimm@redhat.com>