Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] OpenShift compatibility broken in env-injector 1.5.0 #581

Closed
erdeiattila opened this issue Aug 14, 2023 · 5 comments · Fixed by #594
Closed

[BUG] OpenShift compatibility broken in env-injector 1.5.0 #581

erdeiattila opened this issue Aug 14, 2023 · 5 comments · Fixed by #594
Labels
bug Something isn't working

Comments

@erdeiattila
Copy link
Contributor

Components and versions
[ ] Controller, version: x.x.x (docker image tag)
[ x ] Env-Injector (webhook), version: 1.5.0 (docker image tag)
[ ] Other

Describe the bug
#548 Introduces a hard-coded default for the injected init-container UIDs and GIDs, and sets the container to run as privileged. In OpenShift, containers run with an arbitrary UID and GID based on a range generated for the namespace they are in.
SecurityContextConstraints by default block running privileged containers or containers with specific UIDs.

To Reproduce
Deploy and use the env-injector in OpenShift 4.11.

Expected behavior
Expected behaviour in OpenShift would be for the init-container to run as a non-privileged container without a specified UID and GID.

Additional context
We could set the webhook_container_security_context_privileged field to false trough the webhook, but we currently have no way to disable specifying a UID and a GUID for the init-container.
A workaround for this issue could be adding the service account running the pod to a securityContextConstraint with elevated privileges, but is that needed for the injection to work?
@erdeiattila erdeiattila added the bug Something isn't working label Aug 14, 2023
@tspearconquest
Copy link
Contributor

What happens if you set the UID and GID to null through the webhook? Does it work then, or do the default values still get applied?

You mention:

SecurityContextConstraints by default block running privileged containers or containers with specific UIDs.

Can the securityContextConstraint default be changed to allow a specific UID/GID value?

@tspearconquest
Copy link
Contributor

I've done a little testing trying to set the UID and GID to null; unfortunately, it appears this sets the values to 0, rather than a yaml null.

tspearconquest pushed a commit to tspearconquest/azure-key-vault-to-kubernetes that referenced this issue Aug 19, 2023
Fix SparebankenVest#581
8c6b708 
Signed-off-by: Thomas Spear <[email protected]>
@tspearconquest tspearconquest mentioned this issue Aug 19, 2023
Closed
@tspearconquest
Copy link
Contributor

I'm not very good with Golang, but I've managed to come up with a patch to provide the old behavior of not setting a UID and GID if the values for those 2 fields result in either (or both) of the UID and GID being set to 0

This is a horribly ugly patch because I really don't know Golang, so if anyone can guide me to clean it up and make it more DRY, please do let me know and I will be happy to make any suggested changes

@erdeiattila erdeiattila mentioned this issue Aug 21, 2023
Merged
@erdeiattila
Copy link
Contributor Author

erdeiattila commented Aug 21, 2023
edited
Loading

@tspearconquest I took another stab at the fix in #594
I agree with you that without this change, users must set a UID and GID.
If you don't insist on setting a default, feel free to incoroprate this into your PR and I can close mine.

@tspearconquest
Copy link
Contributor

tspearconquest commented Aug 21, 2023 via email
edited
Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@erdeiattila @tspearconquest