Bug 1904538: Dockerfile.ocp: specify numeric uid #36
Conversation
openshift-ci-robot
added
the
bugzilla/severity-high
|
@s-urbaniak: This pull request references Bugzilla bug 1904538, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
bugzilla/valid-bug
| @@ -17,6 +17,6 @@ LABEL io.k8s.display-name="kube-rbac-proxy" \ | |||
| ARG FROM_DIRECTORY=/go/src/github.com/brancz/kube-rbac-proxy | |||
| COPY --from=builder ${FROM_DIRECTORY}/_output/kube-rbac-proxy /usr/bin/kube-rbac-proxy | |||
|
|
|||
| USER nobody | |||
| USER 65534 | |||
There was a problem hiding this comment.
So we just want this to be nobody but numericly?
In CMO we use another user UID, hence the question.
There was a problem hiding this comment.
correct, we still want this to be nobody, but numeric. the whole problem is that if we use the literal string "nobody" non-numerically, along with the nonroot security context constraint, the provisioning will fail with the following error:
container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root
There was a problem hiding this comment.
and we tried removing the nonroot security context constraint from CMO alltogether, but that didn't work of the following provisioning error: openshift/cluster-monitoring-operator#1015 (comment)
There was a problem hiding this comment.
Thanks for the explanation!!
/hold cancel
There was a problem hiding this comment.
side note: i am not very happen about the solution to be honest, the question around the mystery why cluster-monitoring-operator sometimes gets nonroot assigned vs. restricted still remains (hypothesis so far is some race in the provisioning controller). Additionally, i do get the necessity for cluster-monitoring-operator needs to have the same security context constraint, but it is not really necessary for the pod runtime as we don't mount things there.
openshift-ci-robot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lilic, s-urbaniak The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
removed
the
do-not-merge/hold
|
test failure seems unrelated, CMO and kube-rbac-proxy started successfully |
|
/retest |
|
@s-urbaniak: All pull requests linked via external trackers have merged: Bugzilla bug 1904538 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.6 |
|
@danwinship: new pull request created: #37 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cc @openshift/openshift-team-monitoring