Bug 1904538: Dockerfile.ocp: specify numeric uid #36
Conversation
@s-urbaniak: This pull request references Bugzilla bug 1904538, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/lgtm
/hold
One question, feel free to remove hold, just curious:
@@ -17,6 +17,6 @@ LABEL io.k8s.display-name="kube-rbac-proxy" \ | |||
ARG FROM_DIRECTORY=/go/src/github.com/brancz/kube-rbac-proxy | |||
COPY --from=builder ${FROM_DIRECTORY}/_output/kube-rbac-proxy /usr/bin/kube-rbac-proxy | |||
|
|||
USER nobody | |||
USER 65534 |
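Review bot: the hunk replaces `USER nobody` with the bare number `65534`, but nothing in the Dockerfile records that this is still meant to be the nobody account or why the name had to go; that reasoning lives only in this PR thread. Suggest a one-line comment above the directive, e.g. `# numeric uid (nobody) so a pod with runAsNonRoot can verify the user is non-root`, so the next person does not "fix" it back to the name.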
So we just want this to be nobody but numerically?
In CMO we use another user UID, hence the question.
Correct, we still want this to be nobody, but numeric. The whole problem is that if we use the literal string "nobody" non-numerically, along with the nonroot security context constraint, the provisioning will fail with the following error:
container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root
And we tried removing the nonroot security context constraint from CMO altogether, but that didn't work because of the following provisioning error: openshift/cluster-monitoring-operator#1015 (comment)
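The check behind the error quoted above, as an added illustration that is not kubelet's or kube-rbac-proxy's own code (a simplified Go reimplementation; the `PodSecurity` struct and `VerifyRunAsNonRoot` function names are assumed). It shows why `USER nobody` is rejected once runAsNonRoot is set while `USER 65534`, or an explicit runAsUser in the pod spec, passes.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// PodSecurity holds the two securityContext fields the check depends on (names assumed).
type PodSecurity struct {
	RunAsNonRoot bool
	RunAsUser    *int64 // nil when the pod spec does not pin a uid
}

// VerifyRunAsNonRoot models the decision the kubelet makes before starting a
// container: with runAsNonRoot set it must be able to prove the uid is non-zero,
// either from the pod spec or from the image's USER directive. A user name such as
// "nobody" cannot be resolved without the image's /etc/passwd, so it is rejected.
func VerifyRunAsNonRoot(sec PodSecurity, imageUser string) error {
	if !sec.RunAsNonRoot {
		return nil
	}
	if sec.RunAsUser != nil { // an explicit pod-level uid takes precedence over USER
		if *sec.RunAsUser == 0 {
			return errors.New("container's runAsUser breaks non-root policy")
		}
		return nil
	}
	// USER may be "uid", "uid:gid", "name" or "name:group"; only the user part matters.
	user := strings.SplitN(imageUser, ":", 2)[0]
	if user == "" { // no USER directive at all: the image runs as root
		return errors.New("container has runAsNonRoot and image will run as root")
	}
	uid, err := strconv.ParseInt(user, 10, 64)
	if err != nil {
		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", user)
	}
	if uid == 0 {
		return errors.New("container has runAsNonRoot and image will run as root")
	}
	return nil
}

func main() {
	nonroot := PodSecurity{RunAsNonRoot: true}
	for _, u := range []string{"nobody", "65534", "0", "65534:65534", ""} {
		fmt.Printf("USER %q -> %v\n", u, VerifyRunAsNonRoot(nonroot, u))
	}
}
```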
Thanks for the explanation!!
/hold cancel
Side note: I am not very happy about the solution, to be honest; the question around the mystery why cluster-monitoring-operator sometimes gets nonroot assigned vs. restricted still remains (hypothesis so far is some race in the provisioning controller). Additionally, I do get the necessity for cluster-monitoring-operator to have the same security context constraint, but it is not really necessary for the pod runtime as we don't mount things there.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lilic, s-urbaniak The full list of commands accepted by this bot can be found here. The pull request process is described here
Test failure seems unrelated, CMO and kube-rbac-proxy started successfully.
/retest
@s-urbaniak: All pull requests linked via external trackers have merged: Bugzilla bug 1904538 has been moved to the MODIFIED state. In response to this:
/cherry-pick release-4.6
@danwinship: new pull request created: #37 In response to this:
/cc @openshift/openshift-team-monitoring