Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove runAs from test deployment files #47850

Merged
merged 2 commits into from
Nov 17, 2023
Merged

Remove runAs from test deployment files #47850

merged 2 commits into from
Nov 17, 2023

Conversation

jwendell
Copy link
Member

@jwendell jwendell commented Nov 15, 2023
edited

They're not strictly required and do not play well with OpenShift.

@istio-testing
Copy link
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@istio-testing istio-testing added do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 15, 2023
@jwendell jwendell added the release-notes-none Indicates a PR that does not require release notes. label Nov 15, 2023
@jwendell jwendell marked this pull request as ready for review November 15, 2023 17:06
@jwendell jwendell requested review from a team as code owners November 15, 2023 17:07
@istio-testing istio-testing removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Nov 15, 2023
howardjohn
howardjohn reviewed Nov 15, 2023
View reviewed changes
Copy link
Member

@howardjohn howardjohn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A bit worried about this. I think this means it will run as root since that is the image default? And running as root makes the test moot, IIUC, since we have different iptables rules for root vs non-root?

Plausible I am wrong

howardjohn
howardjohn reviewed Nov 15, 2023
View reviewed changes
Copy link
Member

@howardjohn howardjohn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A bit worried about this. I think this means it will run as root since that is the image default? And running as root makes the test moot, IIUC, since we have different iptables rules for root vs non-root?

Plausible I am wrong

@bleggett
Copy link
Contributor

bleggett commented Nov 15, 2023
edited

A bit worried about this. I think this means it will run as root since that is the image default?

AFAIK it means processes inside the container will run as root inside the container, since there's no longer anything telling them to run as anything else. OpenShift won't actually run the processes as root on the node, though.

And running as root makes the test moot, IIUC, since we have different iptables rules for root vs non-root?

Plausible I am wrong

I'm not sure what we're testing here? The only things that actually do anything with UID 1338 are

  • pkg/test/echo/docker/Dockerfile.app_sidecar_base_centos
  • pkg/test/echo/docker/Dockerfile.app_sidecar_base
    but we never actually seem to use that user for anything, presumably the runAs stuff was a (rather fragile) way of forcing that user to be used.

Either way adding USER application to both of those dockerfiles would be equivalent to specifying the runAs stuff in the manifest - it will just make all subsequent commands run as the user switched to by USER. That shouldn't affect the tests and probably won't make OShift unhappy, since it shouldn't care if nonroot users are created inside the container or not.

That being said, exactly zero tests failed here which implies it's actually a no-op, so maybe it doesn't matter :D

@howardjohn
Copy link
Member

howardjohn commented Nov 15, 2023 via email

bleggett
bleggett reviewed Nov 15, 2023
View reviewed changes
Copy link
Contributor

@bleggett bleggett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding USER to both dockerfiles that actually create a user with UID 1338 would be equivalent.

But, I actually don't see any tests that rely on the root-vs-nonroot behavior so I don't think it really matters for the tests.

@jwendell
Copy link
Member Author

We'd need to add USER to pkg/test/echo/docker/Dockerfile.app which is the main Dockerfile for the echo app. Let me try.

linsun
linsun reviewed Nov 16, 2023
View reviewed changes
Copy link
Member

@linsun linsun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If adduser works for openshift and all other k8s, can we actually document this somewhere too, with some explanation why openshift requires this?

@bleggett
Copy link
Contributor

bleggett commented Nov 16, 2023
edited

If actually running the test app as the application user doesn't work/causes the tests to fail, then that means @howardjohn was correct and the runAs was a no-op - we don't actually use that created user for any tests.

In that case let's just remove that custom user we create (but never actually use) entirely from all the Dockerfiles, e.g.

  • pkg/test/echo/docker/Dockerfile.app_sidecar_base_centos
  • pkg/test/echo/docker/Dockerfile.app_sidecar_base

as well, those are also likely useless/vestigial.

@jwendell jwendell added the do-not-merge/hold Block automatic merging of a PR. label Nov 16, 2023
@jwendell
Copy link
Member Author

@howardjohn @bleggett Adding USER to the Dockerfile works as before. This is good, right?

@linsun Where specifically do you expect such documentation? These are test files, only used in integration tests.

@bleggett
Copy link
Contributor

bleggett commented Nov 16, 2023
edited

@howardjohn @bleggett Adding USER to the Dockerfile works as before. This is good, right?

Yep! My bad, I saw the previous test failure and didn't realize it was because some of the changes were missing in that particular push, ignore that comment.

bleggett
bleggett approved these changes Nov 16, 2023
View reviewed changes
Copy link
Contributor

@bleggett bleggett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jwendell
Copy link
Member Author

@howardjohn @bleggett Adding USER to the Dockerfile works as before. This is good, right?

Yep! My bad, I saw the previous test failure and didn't realize it was because some of the changes were missing in that particular push, ignore that comment.

Yeah, those failures were related to USER application. It works with USER 1338 though.

@jwendell jwendell removed the do-not-merge/hold Block automatic merging of a PR. label Nov 16, 2023
@jwendell
Copy link
Member Author

/retest

@istio-testing istio-testing merged commit b71a015 into istio:master Nov 17, 2023
28 checks passed
@linsun
Copy link
Member

linsun commented Nov 17, 2023
edited

@howardjohn @bleggett Adding USER to the Dockerfile works as before. This is good, right?

@linsun Where specifically do you expect such documentation? These are test files, only used in integration tests.

Sorry for not replying this earlier, i think you documented well in #47898 - thank you!!

@jwendell jwendell added the cherrypick/release-1.20 Set this label on a PR to auto-merge it to the release-1.20 branch label Nov 21, 2023
@istio-testing
Copy link
Collaborator

In response to a cherrypick label: new pull request created: #47966

@istio-testing istio-testing mentioned this pull request Nov 21, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@linsun linsun linsun left review comments

@howardjohn howardjohn howardjohn approved these changes

@bleggett bleggett bleggett approved these changes

@dhawton dhawton dhawton approved these changes

Assignees
No one assigned
Labels
cherrypick/release-1.20 Set this label on a PR to auto-merge it to the release-1.20 branch release-notes-none Indicates a PR that does not require release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@jwendell @istio-testing @bleggett @howardjohn @linsun @dhawton