Remove runAs from test deployment files #47850
Conversation
Skipping CI for Draft Pull Request.
9625525 to 836e112
A bit worried about this. I think this means it will run as root since that is the image default? And running as root makes the test moot, IIUC, since we have different iptables rules for root vs non-root?
Plausible I am wrong
> A bit worried about this. I think this means it will run as root since that is the image default? And running as root makes the test moot, IIUC, since we have different iptables rules for root vs non-root?
> Plausible I am wrong
AFAIK it means processes inside the container will run as root inside the container, since there's no longer anything telling them to run as anything else. OpenShift won't actually run the processes as root on the node, though.

I'm not sure what we're testing here? The only things that actually do anything with UID 1338 are
- pkg/test/echo/docker/Dockerfile.app_sidecar_base_centos
- pkg/test/echo/docker/Dockerfile.app_sidecar_base

but we never actually *use* that user for anything.

Either way adding `USER application` to both of those dockerfiles would be equivalent to specifying the runAs stuff in the manifest, and shouldn't affect the tests and *probably* won't make OShift unhappy.

That being said, exactly zero tests failed here which implies it's actually a no-op, so maybe it doesn't matter :D
Yeah if we add `USER` to those SGTM

On Wed, Nov 15, 2023 at 12:54 PM Ben Leggett ***@***.***> wrote:
>> A bit worried about this. I think this means it will run as root since that is the image default?
>
> AFAIK it means processes inside the container will run as root inside the container. OpenShift won't actually run the processes as root on the node, though.
>
>> And running as root makes the test moot, IIUC, since we have different iptables rules for root vs non-root?
>> Plausible I am wrong
>
> I'm not sure what we're testing here? The only things that actually do anything with UID 1338 are
> - pkg/test/echo/docker/Dockerfile.app_sidecar_base_centos
> - pkg/test/echo/docker/Dockerfile.app_sidecar_base
>
> but we never actually *use* that user for anything.
>
> Either way adding USER application to both of those dockerfiles would be equivalent to specifying the runAs stuff in the manifest, and shouldn't affect the tests and *probably* won't make OShift unhappy.
Adding USER to both dockerfiles that actually create a user with UID 1338 would be equivalent.

But, I actually don't see any tests that rely on the root-vs-nonroot behavior so I don't think it really matters for the tests.

We'd need to add
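The equivalence debated in the two comments above (pinning `runAsUser` in the manifest versus adding `USER` to the Dockerfile, and what happens to each on OpenShift) as an added Python illustration. This is not code from this PR or from Istio: the Dockerfiles, pod specs and the namespace annotation value are constructed, the Dockerfile parser is a toy that only understands `useradd -u` and `USER`, and the OpenShift function models only the restricted SCC's MustRunAsRange strategy.

```python
import re

ROOT_UID = 0
# Real annotation OpenShift puts on each namespace: "<first uid>/<count>".
UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"

# Constructed Dockerfile in the shape discussed in the thread: it creates UID 1338
# and switches to it with USER, so the image default is non-root.
DOCKERFILE_WITH_USER = """\
FROM ubuntu:22.04
RUN useradd -u 1338 -m application
COPY app /usr/local/bin/app
USER application
ENTRYPOINT ["/usr/local/bin/app"]
"""

# Same image with the user created but never used: the image default stays root.
DOCKERFILE_NO_USER = """\
FROM ubuntu:22.04
RUN useradd -u 1338 -m application
COPY app /usr/local/bin/app
ENTRYPOINT ["/usr/local/bin/app"]
"""

# Constructed pod specs: one pins the UID in the manifest, one relies on the image.
POD_WITH_RUNAS = {
    "securityContext": {"runAsUser": 1338},
    "containers": [{"name": "app", "image": "app_sidecar_base"}],
}
POD_WITHOUT_RUNAS = {
    "containers": [{"name": "app", "image": "app_sidecar_base"}],
}

# Constructed namespace annotations with a realistic restricted-SCC range.
OPENSHIFT_NS = {UID_RANGE_ANNOTATION: "1000620000/10000"}


def image_default_uid(dockerfile):
    """UID the entrypoint runs as when the pod spec is silent.

    Toy Dockerfile parser: it understands `RUN useradd -u <uid> ... <name>` and
    `USER <name|uid>[:group]`; with no USER line the answer is root, exactly as
    for a real image.
    """
    names = {}
    uid = ROOT_UID
    for line in dockerfile.splitlines():
        m = re.match(r"\s*RUN\s+useradd\b.*?-u\s+(\d+)\b.*?\s(\S+)\s*$", line)
        if m:
            names[m.group(2)] = int(m.group(1))
            continue
        m = re.match(r"\s*USER\s+(\S+)", line)
        if m:
            who = m.group(1).split(":")[0]
            uid = int(who) if who.isdigit() else names.get(who, ROOT_UID)
    return uid


def effective_uid(pod_spec, container_name, image_uid):
    """Plain Kubernetes precedence: container securityContext, then pod
    securityContext, then the image's USER."""
    container = next(c for c in pod_spec["containers"] if c["name"] == container_name)
    for ctx in (container.get("securityContext", {}), pod_spec.get("securityContext", {})):
        if "runAsUser" in ctx:
            return ctx["runAsUser"]
    return image_uid


def openshift_restricted_uid(ns_annotations, requested_uid):
    """What the restricted SCC (MustRunAsRange) does with a pod's runAsUser.

    No runAsUser: the SCC fills in the first UID of the namespace range, so the
    image's USER is irrelevant. A runAsUser inside the range is kept; one
    outside it (such as a fixed 1338) fails admission.
    Returns (uid, None) on success or (None, reason) on rejection.
    """
    start, size = (int(x) for x in ns_annotations[UID_RANGE_ANNOTATION].split("/"))
    if requested_uid is None:
        return start, None
    if start <= requested_uid < start + size:
        return requested_uid, None
    return None, f"runAsUser {requested_uid} is outside {start}-{start + size - 1}"


def compare():
    """Run the three variants from the thread through both resolvers."""
    img_user = image_default_uid(DOCKERFILE_WITH_USER)
    img_root = image_default_uid(DOCKERFILE_NO_USER)
    pinned = POD_WITH_RUNAS["securityContext"]["runAsUser"]
    return {
        # runAsUser in the manifest wins regardless of the image.
        "runAs_in_manifest": effective_uid(POD_WITH_RUNAS, "app", img_root),
        # Dropping runAsUser but adding USER gives the same UID on plain Kubernetes.
        "USER_in_dockerfile": effective_uid(POD_WITHOUT_RUNAS, "app", img_user),
        # Dropping runAsUser with no USER line means root inside the container.
        "neither": effective_uid(POD_WITHOUT_RUNAS, "app", img_root),
        # On OpenShift the pinned UID is rejected; the unpinned pod gets the range start.
        "openshift_pinned": openshift_restricted_uid(OPENSHIFT_NS, pinned),
        "openshift_unpinned": openshift_restricted_uid(OPENSHIFT_NS, None),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

On plain Kubernetes the two approaches land on the same UID, which is why swapping `runAsUser: 1338` for `USER application` would not change test behaviour; only dropping both leaves the process as root inside the container. The OpenShift function shows the asymmetry the thread is working around: under the default restricted SCC a hard-coded `runAsUser` outside the namespace range is rejected at admission, whereas an image `USER` is simply overridden by the range start. A cluster granting a different SCC (for example one with `RunAsAny`) behaves differently, so check the SCC actually applied to the pod's service account before relying on this.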
836e112 to fc0a61b
If adduser works for openshift and all other k8s, can we actually document this somewhere too, with some explanation why openshift requires this?
If actually running the test app as the

In that case let's just remove that custom user we create (but never actually use) entirely from all the Dockerfiles, e.g.
as well, those are also likely useless/vestigial.
fc0a61b to 7947293
@howardjohn @bleggett Adding

@linsun Where specifically do you expect such documentation? These are test files, only used in integration tests.
Yep! My bad, I saw the previous test failure and didn't realize it was because some of the changes were missing in that particular push, ignore that comment.
LGTM
Yeah, those failures were related to
/retest
Sorry for not replying to this earlier, I think you documented it well in #47898 - thank you!!
In response to a cherrypick label: new pull request created: #47966
They're not strictly required and do not play well with OpenShift.