solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy

Home Page:https://docs.solo.io/

Remove `runAsUser` from gateway-proxy deployments in OpenShift

rinormaloku opened this issue · comments

Gloo Edge Product

Open Source

Gloo Edge Version

1.17.0-rc1

Kubernetes Version

any

Describe the bug

In OpenShift, regular pods cannot specify the property runAsUser. This makes it so that gateway-proxy deployments don't come up.

The example below doesn't work as it adds the security context to the pod level security context but the container security context overrides it.

apiVersion: gateway.gloo.solo.io/v1alpha1
kind: GatewayParameters
metadata:
  name: gwparams
  namespace: gloo-system
spec:
  kube:
    deployment:
      replicas: 2
    podTemplate:
      securityContext:
        runAsNonRoot: false
---
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: http
  namespace: gloo-system
  annotations:
    gateway.gloo.solo.io/gateway-parameters-name: "gwparams"
spec:
  gatewayClassName: gloo-gateway
  listeners:
  - protocol: HTTP
    port: 80
    name: http
    allowedRoutes:
      namespaces:
        from: All

Expected Behavior

Have one way to produce a gateway-proxy deployment with the container not having runAsUser in the security context

Steps to reproduce the bug

See above

Additional Environment Detail

No response

Additional Context

No response

fyi, going through the code, I found out how to set the securityContext for the gateway proxy:

apiVersion: gateway.gloo.solo.io/v1alpha1
kind: GatewayParameters
metadata:
  name: gwparams
  namespace: gloo-system
spec:
  kube:
    envoyContainer:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: null         # this doesn't work
        capabilities:
          add:
            - NET_BIND_SERVICE

The usage of Envoy in envoyContainer is confusing and leaks implementation details; why not gatewayProxy?

And setting runAsUser to null doesn't work because of the following conversion https://github.com/solo-io/gloo/blob/main/projects/gateway2/deployer/deployer.go#L370-L371 in which all nils are dropped.

This should be fixed; it can be configured by e.g. helm install values of:

kubeGateway:
  enabled: true
  gatewayParameters:
    glooGateway:
      envoyContainer:
        securityContext:
          runAsUser: null

Resulting GwParams object:

apiVersion: v1
items:
- apiVersion: gateway.gloo.solo.io/v1alpha1
  kind: GatewayParameters
  metadata:
    name: gloo-gateway
    namespace: gloo-system
  spec:
    ...
      envoyContainer:
        ...
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
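
The precedence described above (the container securityContext overriding the pod-level one) and the null-dropping conversion, as an added example that is not code from the gloo project or the issue author; the runAsUser UID and the `drop_nils` flag are constructed placeholders modelling the behaviour the thread describes, not the project's real API:

```python
# Added example, not code from the gloo project or the issue author: a model of
# how Kubernetes resolves a container's effective securityContext (container
# fields win over the pod-level fields they share), of a conversion that drops
# null values, and a check for runAsUser, the field the issue reports OpenShift
# rejecting. The default UID below is a placeholder, not the chart's real value.
from __future__ import annotations
from typing import Any

# Fields defined on both PodSecurityContext and the container SecurityContext;
# the container value overrides the pod value. Pod-only fields (fsGroup, ...)
# are not inherited by the container.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "seLinuxOptions", "seccompProfile")

# Rendered envoy container securityContext as shown in the issue, with a
# constructed placeholder runAsUser standing in for the chart default.
DEFAULT_ENVOY_SC: dict[str, Any] = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"add": ["NET_BIND_SERVICE"], "drop": ["ALL"]},
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
    "runAsUser": 10101,  # placeholder UID
}

def apply_override(base: dict[str, Any], override: dict[str, Any], drop_nils: bool) -> dict[str, Any]:
    """Merge `override` onto `base`.

    drop_nils=True models a conversion that discards null values, so a
    `runAsUser: null` override leaves the base key untouched (the behaviour
    reported in the issue). drop_nils=False treats null as "remove this key".
    """
    result = dict(base)
    for key, value in override.items():
        if value is None:
            if not drop_nils:
                result.pop(key, None)
        else:
            result[key] = value
    return result

def effective_security_context(pod_sc: dict[str, Any], container_sc: dict[str, Any]) -> dict[str, Any]:
    """What applies to the container: shared pod fields, overridden by the container's own."""
    inherited = {f: pod_sc[f] for f in SHARED_FIELDS if f in pod_sc}
    return apply_override(inherited, container_sc, drop_nils=True)

def openshift_findings(sc: dict[str, Any]) -> list[str]:
    """Report the setting the issue says OpenShift will not accept; empty list means admissible."""
    findings = []
    if "runAsUser" in sc:
        findings.append(f"runAsUser={sc['runAsUser']}: restricted SCC expects the UID to come from the namespace range")
    return findings
```

Setting `runAsNonRoot: false` on the pod template, as in the first manifest, never reaches the container because the container's own `runAsNonRoot: true` and `runAsUser` win the merge; only removing the key from the container securityContext clears the finding.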

Available in v1.17.0-rc3 and resolved via https://github.com/solo-io/solo-projects/issues/6381

Note that the provided helm values example does NOT currently work for the enterprise chart due to helm bugs related to 'unsetting' a value via null that is in a subchart.

More context:

The actual functionality of having runAsUser removed from the securityContext works correctly; so for 1.170.0 the default GwParams object can be patched after install to get the desired OCP experience.

More refinement to this issue will come as part of https://github.com/solo-io/solo-projects/issues/6323