add securityContext with runAsUser: {{.ControllerUID}} to the various containers in the install template #1929
add securityContext with runAsUser: {{.ControllerUID}} to the various containers in the install template
Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
@codeman9 Thanks for submitting this! Seems like a nice improvement. A few of the pods fail to start with this change, and I've called them out below. But assuming we can resolve those, then this should be good to go.
I'd also like to make the user ID for controller components configurable via a command line flag, and default it to 2103, for no other reason than I like that it comes sequentially after the proxy user ID of 2102. Something like this:
diff --git a/cli/cmd/install.go b/cli/cmd/install.go
index 89854847..356f611e 100644
--- a/cli/cmd/install.go
+++ b/cli/cmd/install.go
@@ -59,6 +59,7 @@ type installConfig struct {
EnableHA bool
ProfileSuffixes string
EnableH2Upgrade bool
+ ControllerUID int64
}
type installOptions struct {
@@ -68,6 +69,7 @@ type installOptions struct {
singleNamespace bool
highAvailability bool
disableH2Upgrade bool
+ controllerUID int64
*proxyConfigOptions
}
@@ -85,6 +87,7 @@ func newInstallOptions() *installOptions {
singleNamespace: false,
highAvailability: false,
disableH2Upgrade: false,
+ controllerUID: 2103,
proxyConfigOptions: newProxyConfigOptions(),
}
}
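Review bot: the default `controllerUID: 2103` in newInstallOptions is a bare literal whose reason for being 2103 (it follows the proxy UID 2102) lives only in this review comment; name it, e.g. `defaultControllerUID = 2103`, next to wherever the proxy default is defined, so the pairing of the two UIDs is documented in one place in the code.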
@@ -113,6 +116,7 @@ func newCmdInstall() *cobra.Command {
cmd.PersistentFlags().BoolVar(&options.singleNamespace, "single-namespace", options.singleNamespace, "Experimental: Configure the control plane to only operate in the installed namespace (default false)")
cmd.PersistentFlags().BoolVar(&options.highAvailability, "ha", options.highAvailability, "Experimental: Enable HA deployment config for the control plane")
cmd.PersistentFlags().BoolVar(&options.disableH2Upgrade, "disable-h2-upgrade", options.disableH2Upgrade, "Prevents the controller from instructing proxies to perform transparent HTTP/2 ugprading")
+ cmd.PersistentFlags().Int64Var(&options.controllerUID, "controller-uid", options.controllerUID, "Run the control plane components under this user ID")
return cmd
}
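Review bot: the new `controller-uid` flag is accepted without any range check: `Int64Var` happily takes 0 and negative values, and `runAsUser: 0` would run every control-plane container as root, the opposite of what this PR sets out to do. Reject non-positive values in validateAndBuildConfig (return an error when `options.controllerUID <= 0`) before the value is copied into installConfig. Separately, the adjacent context line carries a typo, "ugprading", worth fixing while in this file.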
@@ -193,6 +197,7 @@ func validateAndBuildConfig(options *installOptions) (*installConfig, error) {
EnableHA: options.highAvailability,
ProfileSuffixes: profileSuffixes,
EnableH2Upgrade: !options.disableH2Upgrade,
+ ControllerUID: options.controllerUID,
}, nil
}
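As an added example, not code from the linkerd2 project or from this PR, the following Go program shows the mechanism the review comment describes: a configurable controller UID, defaulted to 2103, rendered into `securityContext.runAsUser` for each container through a text/template field named `ControllerUID`, together with the bound check the diff above does not include (0 and negative UIDs are rejected before rendering, since `runAsUser: 0` is root). The template fragment, the container names, the reduced `installConfig` stand-in and the constant name `defaultControllerUID` are this example's own assumptions, not the project's install template or CLI code.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// defaultControllerUID is the default proposed in the review comment above (2103,
// chosen to follow the proxy UID 2102); the constant name is this example's own.
const defaultControllerUID int64 = 2103

// installConfig is a reduced, hypothetical stand-in for the struct in
// cli/cmd/install.go: only the field the template consumes is modelled, plus a
// list of container names used as constructed sample input.
type installConfig struct {
	ControllerUID int64
	Containers    []string
}

// containersTemplate is a constructed fragment in the spirit of the install
// template: every container gets a securityContext whose runAsUser comes from
// {{.ControllerUID}}, as the PR title describes. It is not the project's template.
const containersTemplate = `containers:
{{- range .Containers}}
- name: {{.}}
  securityContext:
    runAsUser: {{$.ControllerUID}}
{{- end}}
`

// validateControllerUID is the check the flag hunk does not perform: Int64Var
// accepts 0 and negatives, and runAsUser: 0 would run the control plane as
// root, so both are rejected before the config is built.
func validateControllerUID(uid int64) error {
	if uid <= 0 {
		return fmt.Errorf("controller UID must be a positive integer, got %d", uid)
	}
	return nil
}

// renderContainers validates the UID, then renders the fragment for every
// container so all of them share the same runAsUser value.
func renderContainers(cfg installConfig) (string, error) {
	if err := validateControllerUID(cfg.ControllerUID); err != nil {
		return "", err
	}
	tmpl, err := template.New("containers").Parse(containersTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, cfg); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample input: three control-plane container names, all
	// rendered under the default UID (including "web", as the thread settles on).
	cfg := installConfig{
		ControllerUID: defaultControllerUID,
		Containers:    []string{"public-api", "destination", "web"},
	}
	out, err := renderContainers(cfg)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(out)

	// The rejected case: an explicit 0 must not silently produce root containers.
	if _, err := renderContainers(installConfig{ControllerUID: 0, Containers: []string{"web"}}); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The range action uses `$.ControllerUID` rather than `.ControllerUID` because inside `range` the dot is rebound to the current container name; `$` always refers to the root data passed to Execute, which is the same single UID field a real install template would read.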
Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
# Conflicts:
#	cli/cmd/install.go
Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
@codeman9 Thanks for making those updates! This all looks sane, but I noticed a separate issue with the linkerd-proxy init container that's injected into the installation yaml -- see my comment below.
Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
@codeman9 This looks great! Thanks for making those updates. I had just one additional comment below, but otherwise it should be good to go.
I also realized that I never answered this question from a previous comment:
Would you also suggest adding in the ability to change and a default for the "web" containers that is different or just keep that the same as the controllerUID?
It's fine by me to use the same UID flag for all controller components, including "web", as you currently have it setup.
Signed-off-by: Cody Vandermyn <cody.vandermyn@nordstrom.com>
⭐️ Great, thanks for making those updates! This looks good to me.