Remove `runAsUser` from gateway-proxy deployments in OpenShift
rinormaloku opened this issue · comments
Gloo Edge Product
Open Source
Gloo Edge Version
1.17.0-rc1
Kubernetes Version
any
Describe the bug
In OpenShift, regular pods cannot specify the property `runAsUser`. This makes it so that gateway-proxy deployments don't come up.
The example below doesn't work, as it adds the security context to the pod-level security context, but the container security context overrides it.
```yaml
apiVersion: gateway.gloo.solo.io/v1alpha1
kind: GatewayParameters
metadata:
  name: gwparams
  namespace: gloo-system
spec:
  kube:
    deployment:
      replicas: 2
    podTemplate:
      securityContext:
        runAsNonRoot: false
---
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: http
  namespace: gloo-system
  annotations:
    gateway.gloo.solo.io/gateway-parameters-name: "gwparams"
spec:
  gatewayClassName: gloo-gateway
  listeners:
  - protocol: HTTP
    port: 80
    name: http
    allowedRoutes:
      namespaces:
        from: All
```
Expected Behavior
Have one way to produce a gateway-proxy deployment with the container not having `runAsUser` in the security context.
Steps to reproduce the bug
See above
Additional Environment Detail
No response
Additional Context
No response
FYI, going through the code, I found out how to set the securityContext for the gateway proxy:
```yaml
apiVersion: gateway.gloo.solo.io/v1alpha1
kind: GatewayParameters
metadata:
  name: gwparams
  namespace: gloo-system
spec:
  kube:
    envoyContainer:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: null # this doesn't work
        capabilities:
          add:
          - NET_BIND_SERVICE
```
The usage of Envoy in `envoyContainer` is confusing and leaks implementation details; why not `gatewayProxy`?
And setting `runAsUser` to null doesn't work because of the following conversion, https://github.com/solo-io/gloo/blob/main/projects/gateway2/deployer/deployer.go#L370-L371, in which all nils are dropped.
This should be fixed; it can be configured e.g. by Helm install values of:
```yaml
kubeGateway:
  enabled: true
  gatewayParameters:
    glooGateway:
      envoyContainer:
        securityContext:
          runAsUser: null
```
Resulting GwParams object:
```yaml
apiVersion: v1
items:
- apiVersion: gateway.gloo.solo.io/v1alpha1
  kind: GatewayParameters
  metadata:
    name: gloo-gateway
    namespace: gloo-system
  spec:
    ...
    envoyContainer:
      ...
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          add:
          - NET_BIND_SERVICE
          drop:
          - ALL
        readOnlyRootFilesystem: true
        runAsNonRoot: true
```
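As an added illustration (not Gloo's code and not the linked `deployer.go`), here is a small Go model of the failure mode discussed in this thread: when an override is decoded into a typed struct and every nil field is then skipped, `runAsUser: null` becomes indistinguishable from "not mentioned", so the default can never be removed. Beside it is a presence-aware merge that decodes the raw document a second time to tell an explicit null from an absent key. The `SecurityContext` struct, the default UID 10101 and the `PinsUID` check are constructed for this example and are not taken from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SecurityContext models the subset of the container securityContext used in
// this thread. Pointer fields make "unset" representable; omitempty drops nil
// fields when the object is rendered back out.
type SecurityContext struct {
	RunAsNonRoot             *bool  `json:"runAsNonRoot,omitempty"`
	RunAsUser                *int64 `json:"runAsUser,omitempty"`
	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
}

func boolPtr(b bool) *bool    { return &b }
func int64Ptr(i int64) *int64 { return &i }

// defaultSecurityContext is a constructed stand-in for a chart default that
// pins a UID. The UID 10101 is illustrative and not taken from the page.
func defaultSecurityContext() SecurityContext {
	return SecurityContext{
		RunAsNonRoot:             boolPtr(true),
		RunAsUser:                int64Ptr(10101),
		AllowPrivilegeEscalation: boolPtr(false),
	}
}

// mergeDroppingNils reproduces the failure mode: the override is decoded into
// the typed struct, where `runAsUser: null` and "runAsUser not mentioned" both
// become a nil pointer, and nil fields are then skipped. The user has no way
// to remove the default.
func mergeDroppingNils(base SecurityContext, rawOverride []byte) (SecurityContext, error) {
	var override SecurityContext
	if err := json.Unmarshal(rawOverride, &override); err != nil {
		return base, err
	}
	out := base
	if override.RunAsNonRoot != nil {
		out.RunAsNonRoot = override.RunAsNonRoot
	}
	if override.RunAsUser != nil {
		out.RunAsUser = override.RunAsUser
	}
	if override.AllowPrivilegeEscalation != nil {
		out.AllowPrivilegeEscalation = override.AllowPrivilegeEscalation
	}
	return out, nil
}

// mergePresenceAware decodes the raw document a second time into a map, so a
// key that is present with a null value ("explicitly unset") is distinguished
// from a key that is absent ("keep the default").
func mergePresenceAware(base SecurityContext, rawOverride []byte) (SecurityContext, error) {
	var present map[string]json.RawMessage
	if err := json.Unmarshal(rawOverride, &present); err != nil {
		return base, err
	}
	var override SecurityContext
	if err := json.Unmarshal(rawOverride, &override); err != nil {
		return base, err
	}
	out := base
	if _, ok := present["runAsNonRoot"]; ok {
		out.RunAsNonRoot = override.RunAsNonRoot
	}
	if _, ok := present["runAsUser"]; ok {
		out.RunAsUser = override.RunAsUser // nil when the user wrote null
	}
	if _, ok := present["allowPrivilegeEscalation"]; ok {
		out.AllowPrivilegeEscalation = override.AllowPrivilegeEscalation
	}
	return out, nil
}

// PinsUID is the property this issue is about: a container securityContext
// that carries runAsUser is the one that does not come up on OpenShift.
func PinsUID(sc SecurityContext) bool {
	return sc.RunAsUser != nil
}

func main() {
	// Constructed override: the envoyContainer securityContext from this thread,
	// with runAsUser set to null in an attempt to unset the default.
	raw := []byte(`{"runAsNonRoot": true, "runAsUser": null}`)

	dropped, err := mergeDroppingNils(defaultSecurityContext(), raw)
	if err != nil {
		panic(err)
	}
	out, _ := json.Marshal(dropped)
	fmt.Printf("nil-dropping merge:   %s  pinsUID=%v\n", out, PinsUID(dropped))

	aware, err := mergePresenceAware(defaultSecurityContext(), raw)
	if err != nil {
		panic(err)
	}
	out, _ = json.Marshal(aware)
	fmt.Printf("presence-aware merge: %s  pinsUID=%v\n", out, PinsUID(aware))
}
```

The same distinction is what the Helm `null` trick in the values above relies on: it only works if every layer between the values file and the rendered container keeps "present but null" apart from "absent".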
Available in v1.17.0-rc3 and resolved via https://github.com/solo-io/solo-projects/issues/6381
Note that the provided helm values example does NOT currently work for the enterprise chart due to helm bugs related to 'unsetting' a value via null that is in a subchart.
More context:
The actual functionality of having `runAsUser` removed from the securityContext works correctly; so for 1.17.0 the default GwParams object can be patched after install to get the desired OCP experience.
More refinement to this issue will come as part of https://github.com/solo-io/solo-projects/issues/6323