Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Proposal] Using default RunAsUser of the application #126

Closed
wants to merge 6 commits into from

Conversation

eye0fra
Copy link
Contributor

@eye0fra eye0fra commented Apr 20, 2020

This proposal allows running the agent sidecar container with the same RunAsUser of the application container, without worry to check which range is allowed to use.
The user range is set on the MustRunAsRange for SecurityContextConstraints or MustRunAs for PodSecurityPolicy (pre-allocated range of UIDs).
RunAsGroup with 0 which is the default of Kubernetes.

Copy link
Member

@tvoran tvoran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the patch! Please let me know if you're interested in addressing the requested changes, otherwise I can take this over and push it forward.

This also needs tests for Init() when AgentConfig.SameID is true and false, when the Security context is and isn't set on a Pod.

agent-inject/agent/annotations.go Show resolved Hide resolved
subcommand/injector/flags.go Outdated Show resolved Hide resolved
agent-inject/agent/annotations.go Outdated Show resolved Hide resolved
subcommand/injector/flags.go Outdated Show resolved Hide resolved
subcommand/injector/command.go Outdated Show resolved Hide resolved
Comment on lines +27 to +29
SecurityContext: &corev1.SecurityContext{
RunAsUser: &RunAsUser,
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want every test to be run against a Pod with the SecurityContext set like this. It should be set per-test because this is not going to be set in every Pod on every system.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point!

eye0fra and others added 5 commits April 30, 2020 11:27
Control pod Spec

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
Adjust description

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
Remove GroupId to 0 in case of SameID

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
Adjust description

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
Adjust description

Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
@eye0fra
Copy link
Contributor Author

eye0fra commented May 4, 2020

Thanks for the patch! Please let me know if you're interested in addressing the requested changes, otherwise I can take this over and push it forward.

This also needs tests for Init() when AgentConfig.SameID is true and false, when the Security context is and isn't set on a Pod.

I would really be happy if you take over and we will review together.

@tvoran
Copy link
Member

tvoran commented May 5, 2020

Continued in #131

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants