add securityContext with runAsUser: {{.ControllerUID}} to the various cont… #1929
Conversation
…ainers in the install template Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
There was a problem hiding this comment.
@codeman9 Thanks for submitting this! Seems like a nice improvement. A few of the pods fail to start with this change, and I've called them out below. But assuming we can resolve those, then this should be good to go.
I'd also like to make the user ID for controller components configurable via a command line flag, and default it to 2103, for no other reason than I like that it comes sequentially after the proxy user ID of 2102. Something like this:
diff --git a/cli/cmd/install.go b/cli/cmd/install.go
index 89854847..356f611e 100644
--- a/cli/cmd/install.go
+++ b/cli/cmd/install.go
@@ -59,6 +59,7 @@ type installConfig struct {
EnableHA bool
ProfileSuffixes string
EnableH2Upgrade bool
+ ControllerUID int64
}
type installOptions struct {
@@ -68,6 +69,7 @@ type installOptions struct {
singleNamespace bool
highAvailability bool
disableH2Upgrade bool
+ controllerUID int64
*proxyConfigOptions
}
@@ -85,6 +87,7 @@ func newInstallOptions() *installOptions {
singleNamespace: false,
highAvailability: false,
disableH2Upgrade: false,
+ controllerUID: 2103,
proxyConfigOptions: newProxyConfigOptions(),
}
}
@@ -113,6 +116,7 @@ func newCmdInstall() *cobra.Command {
cmd.PersistentFlags().BoolVar(&options.singleNamespace, "single-namespace", options.singleNamespace, "Experimental: Configure the control plane to only operate in the installed namespace (default false)")
cmd.PersistentFlags().BoolVar(&options.highAvailability, "ha", options.highAvailability, "Experimental: Enable HA deployment config for the control plane")
cmd.PersistentFlags().BoolVar(&options.disableH2Upgrade, "disable-h2-upgrade", options.disableH2Upgrade, "Prevents the controller from instructing proxies to perform transparent HTTP/2 ugprading")
+ cmd.PersistentFlags().Int64Var(&options.controllerUID, "controller-uid", options.controllerUID, "Run the control plane components under this user ID")
return cmd
}
@@ -193,6 +197,7 @@ func validateAndBuildConfig(options *installOptions) (*installConfig, error) {
EnableHA: options.highAvailability,
ProfileSuffixes: profileSuffixes,
EnableH2Upgrade: !options.disableH2Upgrade,
+ ControllerUID: options.controllerUID,
}, nil
}Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
# Conflicts: # cli/cmd/install.go
codeman9
changed the title
Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
Signed-off-by: Cody Vandermyn <kodeman@kodemanindustries.com>
There was a problem hiding this comment.
@codeman9 This looks great! Thanks for making those updates. I had just one additional comment below, but otherwise it should be good to go.
I also realized that I never answered this questions from a previous comment:
Would you also suggest adding in the ability to change and a default for the "web" containers that is different or just keep that the same as the
controllerUID?
It's fine by me to use the same UID flag for all controller components, including "web", as you currently have it setup.
Signed-off-by: Cody Vandermyn <cody.vandermyn@nordstrom.com>
…ainers in the install template
Signed-off-by: Cody Vandermyn kodeman@kodemanindustries.com