Use correct calico-node UID when running in non-privileged mode. #2645
Conversation
}, | ||
SecurityContext: securitycontext.NewRootContext(false), | ||
SecurityContext: securitycontext.NewRootContext(true), |
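Review bot: switching NewRootContext(false) to NewRootContext(true) here hands the hostpath init container full privileged mode, which is far broader than what creating /var/log/calico/cni and chowning it to UID 10001 requires; if the failure really is a chown permission error, keep privileged false and add only the CHOWN capability as suggested in the thread (chown(2) needs CAP_CHOWN even for UID 0 when the context drops capabilities), and if mkdirAll itself is what fails, that points at something other than a missing capability and should be diagnosed before widening the context. The PR description also does not explain why the non-privileged context was failing, and that reasoning should be recorded with the change.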
Why is this changed to true (privileged)? If this is for chown permissions, maybe we can try to add the CHOWN cap first?
I see issues when the init container does mkdirAll /var/log/calico/cni.
@sridhartigera do you know why this was working before then? Or was it never working? Or is this only needed for BPF mode? Or something about your setup?
pkg/render/node_test.go
Outdated
@@ -896,7 +897,7 @@ var _ = Describe("Node rendering tests", func() { | |||
|
|||
// hostpath init container should have the correct env and security context. | |||
hostPathContainer := rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "hostpath-init") | |||
rtest.ExpectEnv(hostPathContainer.Env, "NODE_USER_ID", "999") | |||
rtest.ExpectEnv(hostPathContainer.Env, "NODE_USER_ID", fmt.Sprintf("%d", securitycontext.GetNonRootUID())) |
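Review bot: replacing the literal "999" with fmt.Sprintf("%d", securitycontext.GetNonRootUID()) makes the test derive its expectation from the package under test, so a wrong UID in security_context.go would still pass this assertion unnoticed; assert the literal "10001" instead, as the other RunAsUser assertion in this file already does, which also removes the need for the new accessor. If fmt is imported only for this conversion, strconv.Itoa is the idiomatic choice.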
You can use string "10001" directly here and remove the new GetNonRootUID() function in security_context.go.
@@ -76,3 +76,8 @@ func NewNonRootPodContext() *corev1.PodSecurityContext { | |||
}, | |||
} | |||
} | |||
|
|||
// GetNonRootUID returns the non-root UID |
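Review bot: exporting GetNonRootUID undoes the deliberate decision to keep runAsUserID private, noted in the thread; since its only consumer is a test, the test should use the literal 10001 and this function should be dropped. If it is kept, the doc comment should state what the value is (the calico-node UID used in non-privileged mode) rather than only "the non-root UID".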
runAsUserID is intentionally made private to hide UID/GID from the caller. You can use 10001 directly in your test. We do this in other places as well, for example,
operator/pkg/render/node_test.go
Line 881 in 88d6475
Expect(*nodeContainer.SecurityContext.RunAsUser).To(BeEquivalentTo(10001))
See inline comments.
LGTM with the latest changes. Thanks.
Use correct calico-node UID when running in non-privileged mode.
Merge pull request #2645 from sridhartigera/host-path-init
Description
When enabling non-privileged mode, the ownership of directories that calico-node uses should be changed to the UID of calico-node. In non-privileged mode, the UID of calico-node is 10001.
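As an added illustration of the choice debated in the review thread (this is not the operator's rendered manifest or code from the PR): the hostpath init container once as a fully privileged container, which is what NewRootContext(true) amounts to, and once non-privileged with every capability dropped and only CHOWN added back. Only the container name, the NODE_USER_ID variable, /var/log/calico/cni and UID 10001 come from the page; the image, the command and the volume name are assumptions.

```yaml
# Added example, not tigera/operator output. Assumed: image, command, volume name.
---
# 1. Weak form: the init container is privileged, so it can do far more on the
#    host than create and chown one log directory.
initContainers:
  - name: hostpath-init
    image: calico/node:PLACEHOLDER_VERSION
    command: ["sh", "-c", "mkdir -p /var/log/calico/cni && chown -R $NODE_USER_ID:$NODE_USER_ID /var/log/calico/cni"]
    env:
      - name: NODE_USER_ID
        value: "10001"                # calico-node UID in non-privileged mode
    securityContext:
      runAsUser: 0
      runAsGroup: 0
      privileged: true                # every capability, all host devices
    volumeMounts:
      - name: cni-log-dir             # assumed hostPath volume
        mountPath: /var/log/calico/cni
---
# 2. Least-privilege form suggested in review: still UID 0 so the host directory
#    can be created, but non-privileged, all capabilities dropped and only CHOWN
#    added back (chown(2) needs CAP_CHOWN even when running as UID 0).
initContainers:
  - name: hostpath-init
    image: calico/node:PLACEHOLDER_VERSION
    command: ["sh", "-c", "mkdir -p /var/log/calico/cni && chown -R $NODE_USER_ID:$NODE_USER_ID /var/log/calico/cni"]
    env:
      - name: NODE_USER_ID
        value: "10001"
    securityContext:
      runAsUser: 0
      runAsGroup: 0
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        add: ["CHOWN"]                # add DAC_OVERRIDE only if a parent directory
                                      # not owned by root has to be written
    volumeMounts:
      - name: cni-log-dir
        mountPath: /var/log/calico/cni
```

If the chown still fails with CHOWN added, the blocker is not a capability, and widening to privileged: true only hides the real cause.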
For PR author
make gen-files
make gen-versions
For PR reviewers
A note for code reviewers - all pull requests must have the following:
kind/bug if this is a bugfix.
kind/enhancement if this is a new feature.
enterprise if this PR applies to Calico Enterprise only.