Allow proxy-init container to run as non-root

[chrischdi]

Linkerd proxy-init container is currently enforced to run as root.

Removes hardcoding runAsNonRoot: false and runAsUser: 0. This way
the container inherits the user ID from the proxy-init image instead which
may allow to run as non-root.

Validation should happen during the usual tests.

Fixes #5505

Signed-off-by: Schlotter, Christian christian.schlotter@daimler.com

---

Requires linkerd/linkerd2-proxy-init#49 for having the correct capabilities set for the iptables binaries.

It would be also possible to keep the option for users to run as root by adding something like:

  {{- if .Values.proxyInit.runAsRoot }}
  runAsNonRoot: false
  runAsUser: 0
  {{- end }}

Christian Schlotter christian.schlotter@daimler.com, Daimler AG on behalf of Daimler TSS GmbH

Provider Information

[alpeb]

According to k8s reference docs, the default for runAsNonRoot is already false. So I think we should have here runAsNonRoot: true instead, for the Kubelet to check that the container is not triggered under user 0.

[chrischdi]

I re-added runAsNonRoot and set it to true. This will enforce the proxy-init container that it needs to run as non-root.

This then will require the changes from linkerd/linkerd2-proxy-init#49 .

Indicates that the container must run as a non-root user. If true, the
Kubelet will validate the image at runtime to ensure that it does not run
as UID 0 (root) and fail to start the container if it does. If unset or
false, no such validation will be performed. May also be set in
PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
the value specified in SecurityContext takes precedence.
(from kubectl explain pod.spec.initContainers.securityContext.runAsNonRoot

[chrischdi]

As mentioned I re-added runAsNonRoot and set it to true. This will enforce the proxy-init container that it needs to run as non-root.

I also adjusted the tests to match the new chart.

[alpeb]

Thanks @chrischdi, we'll wait for linkerd/linkerd2-proxy-init#49 to get one more review to get it merged, then I'll create a new release v1.5.0. Then you can update this current PR to pick up that new proxy-init version 👍

[chrischdi]

As mentioned in linkerd/linkerd2-proxy-init#49 (comment) :

We may have to switch to the following because of the configurable proxyInit.closeWaitTimeoutSecs which would require root permissions due to the execution of sysctl.

{{- if .Values.proxyInit.closeWaitTimeoutSecs }}
privileged: true
runAsNonRoot: false
runAsUser: 0
{{- else }}
privileged: false
runAsNonRoot: true
{{- end }}

[chrischdi]

requires rebase after #7203 was done :-)

[chrischdi]

Rebased changes to main branch because #7203 got merged :-)

[chrischdi]

As mentioned in linkerd/linkerd2-proxy-init#49 (comment) :

We may have to switch to the following because of the configurable proxyInit.closeWaitTimeoutSecs which would require root permissions due to the execution of sysctl.

{{- if .Values.proxyInit.closeWaitTimeoutSecs }}
privileged: true
runAsNonRoot: false
runAsUser: 0
{{- else }}
privileged: false
runAsNonRoot: true
{{- end }}

Still requires this change, I'll update the PR

[alpeb]

Looking good. So the idea is to have proxy-init run as non-root, unless closeWaitTimeoutSecs is used. Any objections to that @mateiidavid ?
Also could you please take care of the DCO?

[chrischdi]

Looking good. So the idea is to have proxy-init run as non-root, unless closeWaitTimeoutSecs is used. Any objections to that @mateiidavid ? Also could you please take care of the DCO?

Thanks for the review.

Looks like I missed the zero and signing the commits again :-) should be ok now 👍

[alpeb]

Thanks @chrischdi !

[mateiidavid]

Looking good. So the idea is to have proxy-init run as non-root, unless closeWaitTimeoutSecs is used. Any objections to that @mateiidavid ?
Also could you please take care of the DCO?

Not at all! Think everything looks great.

[mateiidavid]

I think you might have to do yet another rebase, sorry about that. We bumped up proxy-init to v1.5.1, the base image was modified. Ready to 🚢 from my side after that.

[chrischdi]

I think you might have to do yet another rebase, sorry about that. We bumped up proxy-init to v1.5.1, the base image was modified. Ready to ship from my side after that.

No worries :-) done, I squashed the commits again, I hope that's okay (the second and third only have been fixups).

[part-time-githubber]

@alpeb So how do we track down which stable release this is is going to make into, and when?

[kleimkuhler]

Additive changes like this typically make it into the next stable release which will 2.12 and likely sometime early 2022.

If there is a stable 2.11.2 we could maybe consider bringing this in especially if 2.12 is still far enough out, but it's not very likely. We'll also want to make sure a change like this has a few edge releases to be tested out in before including it in a stable release.

[part-time-githubber]

@kleimkuhler many thanks for the prompt response on this!