docs/envoy-authorization: update to transport APIv3, Envoy 1.17 #3102

Conversation

srenatus (Contributor) opened the pull request:

Recent versions of envoy's docker container have changed the way
dropping privileges works:

  • it happens by default
  • it's not driven by securityContext.runAsUser

So in the docker container's entrypoint, the environment will be
set up: /dev/std{err,out} will be chowned to an unprivileged user,
which will have uid ENVOY_UID. Hence we set that env variable to
match the UID we use with iptables in open-policy-agent/proxy_init.

Fixes #3101 and the issue described in #3091.
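As an added example, not code from this PR or from the OPA or proxy_init projects: a small Python check that encodes the two constraints the description states. Recent Envoy images drop privileges in their own entrypoint, chowning /dev/stdout and /dev/stderr to the UID named by ENVOY_UID, so the Envoy container must not pin securityContext.runAsUser, and ENVOY_UID must equal the UID proxy_init uses in its iptables rules. The container names `envoy` and `proxy-init`, and the assumption that proxy_init receives its UID as a `-u <uid>` argument, are mine; the pod specs below are constructed to exercise the check.

```python
"""Lint a pod spec for the Envoy privilege-drop / proxy_init iptables coupling.

Added example; not code from the PR or from the OPA / proxy_init projects.
Assumptions not stated on the PR page: the Envoy container is named "envoy",
the init container is named "proxy-init", and proxy_init takes its iptables
UID as "-u <uid>" in the init container's args.
"""
import json

PROXY_INIT_UID_FLAG = "-u"      # assumed flag name for proxy_init's UID
ENVOY_CONTAINER = "envoy"       # assumed container name
INIT_CONTAINER = "proxy-init"   # assumed init container name


def _env_value(container, name):
    """Value of env var `name` in a container spec (as a string), or None."""
    for entry in container.get("env", []):
        if entry.get("name") == name:
            return str(entry.get("value"))
    return None


def _proxy_init_uid(init_container):
    """UID passed to proxy_init via the assumed -u flag, or None."""
    args = init_container.get("args", [])
    for i, arg in enumerate(args):
        if arg == PROXY_INIT_UID_FLAG and i + 1 < len(args):
            return str(args[i + 1])
    return None


def check_pod(pod):
    """Return a list of findings; an empty list means the spec is consistent."""
    spec = pod["spec"]
    envoy = next((c for c in spec.get("containers", [])
                  if c.get("name") == ENVOY_CONTAINER), None)
    init = next((c for c in spec.get("initContainers", [])
                 if c.get("name") == INIT_CONTAINER), None)
    if envoy is None or init is None:
        return [f"expected a '{ENVOY_CONTAINER}' container and a "
                f"'{INIT_CONTAINER}' initContainer"]

    findings = []
    # 1. A pinned runAsUser means the entrypoint runs unprivileged and its
    #    chown of /dev/stdout and /dev/stderr fails ("Operation not permitted").
    run_as = envoy.get("securityContext", {}).get("runAsUser")
    if run_as is not None:
        findings.append(f"envoy: securityContext.runAsUser={run_as} is set; the image "
                        "entrypoint drops privileges itself. Remove runAsUser and "
                        "set ENVOY_UID instead.")

    # 2. ENVOY_UID must be present and equal the UID proxy_init uses in iptables.
    envoy_uid = _env_value(envoy, "ENVOY_UID")
    init_uid = _proxy_init_uid(init)
    if envoy_uid is None:
        findings.append("envoy: ENVOY_UID is not set; the entrypoint will choose its "
                        "own UID, which proxy_init's iptables rules do not know about.")
    if init_uid is None:
        findings.append(f"{INIT_CONTAINER}: no '{PROXY_INIT_UID_FLAG} <uid>' argument found.")
    if envoy_uid is not None and init_uid is not None and envoy_uid != init_uid:
        findings.append(f"ENVOY_UID={envoy_uid} but proxy_init's iptables rules use "
                        f"uid {init_uid}; the two must match.")
    return findings


def lint_json(text):
    """Convenience wrapper for `kubectl get pod ... -o json` style input."""
    return check_pod(json.loads(text))


# Constructed pod specs (not from the tutorial), reduced to the relevant fields.
BROKEN_POD_JSON = """{"spec": {
  "initContainers": [{"name": "proxy-init", "args": ["-u", "1111"]}],
  "containers": [{"name": "envoy", "securityContext": {"runAsUser": 1111}}]}}"""

FIXED_POD_JSON = """{"spec": {
  "initContainers": [{"name": "proxy-init", "args": ["-u", "1111"]}],
  "containers": [{"name": "envoy",
                  "env": [{"name": "ENVOY_UID", "value": "1111"}]}]}}"""

MISMATCHED_POD_JSON = """{"spec": {
  "initContainers": [{"name": "proxy-init", "args": ["-u", "1111"]}],
  "containers": [{"name": "envoy",
                  "env": [{"name": "ENVOY_UID", "value": "1337"}]}]}}"""

if __name__ == "__main__":
    for label, text in [("broken", BROKEN_POD_JSON), ("fixed", FIXED_POD_JSON),
                        ("mismatched", MISMATCHED_POD_JSON)]:
        print(label, lint_json(text) or "ok")
```

The broken spec reproduces the situation the PR fixes (runAsUser pinned, no ENVOY_UID) and yields two findings; the fixed spec yields none; the mismatched spec shows the failure mode that is silent at container start but breaks the iptables arrangement.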

The commit message is identical to the description above.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
Comment on lines +287 to +289
env:
- name: ENVOY_UID
value: "1111"
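Review bot: `value: "1111"` is a bare magic number whose only justification lives in the PR description (it must equal the UID that proxy_init's iptables rules use); add a YAML comment beside it naming that coupling, e.g. `# must match the UID used by proxy_init's iptables rules`, so a later edit to either side does not silently desynchronise them. The tutorial text could also state why the earlier `securityContext.runAsUser` approach no longer works: the Envoy image entrypoint now chowns /dev/stdout and /dev/stderr itself and fails with "Operation not permitted" when started as a non-root user.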
srenatus (Contributor, author):
I've reduced the indentation a bit, so this doesn't stand out as much as it should -- this is the piece that fixes

chown: changing ownership of '/dev/stdout': Operation not permitted
chown: changing ownership of '/dev/stderr': Operation not permitted

srenatus (Contributor, author):
Interestingly, the rego policy used in the tutorial is in the intersection of how v2 and v3 encode their check requests 😄

srenatus commented Jan 26, 2021

tsandall (Member) left a review:

LGTM

@tsandall tsandall merged commit 21f5c53 into open-policy-agent:master Jan 26, 2021
@srenatus srenatus deleted the sr/issue-3101/update-envoy-tutorial branch January 26, 2021 19:06
Linked issue: Update Envoy external authorization tutorial to use V3 API