-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Proposal] Using default RunAsUser of the application #126
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the patch! Please let me know if you're interested in addressing the requested changes, otherwise I can take this over and push it forward.
This also needs tests for Init() when AgentConfig.SameID
is true
and false
, when the Security context is and isn't set on a Pod.
SecurityContext: &corev1.SecurityContext{ | ||
RunAsUser: &RunAsUser, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we want every test to be run against a Pod with the SecurityContext set like this. It should be set per-test because this is not going to be set in every Pod on every system.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point!
Control pod Spec Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
Adjust description Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
Remove GroupId to 0 in case of SameID Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
Adjust description Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
Adjust description Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com>
I would really be happy if you take over and we will review together. |
Continued in #131 |
This proposal allows running the agent sidecar container with the same RunAsUser of the application container, without worry to check which range is allowed to use.
The user range is set on the MustRunAsRange for SecurityContextConstraints or MustRunAs for PodSecurityPolicy (pre-allocated range of UIDs).
RunAsGroup with 0 which is the default of Kubernetes.