fix(helm/sidecar-injector-configmap): run as root#10507
fix(helm/sidecar-injector-configmap): run as root#10507jaredallard wants to merge 2 commits intoistio:release-1.1from jaredallard:patch-1
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here (e.g. What to do if you already signed the CLAIndividual signers
Corporate signers
|
|
Hi @jaredallard. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
I signed the CLA |
|
CLAs look good, thanks! |
|
This pull request has been automatically marked as stale because it has not had activity in the last 2 weeks. It will be closed in 30 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
Still waiting for a reviewer :( |
|
/ok-to-test |
|
@jaredallard , sorry for late response (just come back from vacation), master is frozen, can you please create this PR against the branch of |
|
/hold need to understand which k8s platform is used |
|
This pull request has been automatically marked as stale because it has not had activity in the last 2 weeks. It will be closed in 30 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
Tested it with stable/mariadb and it works. Please, make it public. People waiting for this workaround, until cni is done. |
|
@Bessonov I'll try to get this rebased onto release-1.1 by this weekend, apologies for the delay everyone. |
|
@gyliu513 based on |
|
@gyliu513 Can we get some movement on this? Need to stop modifying this myself asap! |
|
@mandarjog @gyliu513 c'mon guys, this one is pending since 2 months. It's frustrate a ton of people or at least everyone, who want to use non-root images. Every bitnami image for helm (stable/mariadb, stable/mongodb, stable/redisdb, ...) is a non-root image. It costs me a lot of time to figure out why charts are failing with istio. To hold this PR you produce not only work for you, but for your users and maintainers of non-root images. |
|
/cc greghanson Adding another reviewer, would be nice to get some movement on this. |
|
This pull request has been automatically marked as stale because it has not had activity in the last 2 weeks. It will be closed in 30 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
@mandarjog @gyliu513 @GregHanson more activity, please. |
|
There is a workaround like #10358, however, this PR is essential for GKE Istio addon users because GKE Istio addon does not allow modifying sidecar-injector-configmap manifest by cluster user and they cannot apply its workaround. |
|
Same for us, this needs to stop. And it's been months! |
|
/meow EDIT prow hates me |
|
/retest @ostromart @costinm PTAL |
|
This definitely should not have been left sitting for so long. Sorry. Getting more eyes on it now. However, the circleci test failures look like they are due to this change. We can't merge a PR that breaks tests |
|
Sorry for the delay - the PR looks good, if we can get the tests to pass we should get it in. /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: costinm, jaredallard The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
To fix the tests, you need to update the expected files. in pilot/pkg/kube/inject/testdata. And probably rebase your changes since this is from a while ago |
|
@jaredallard: The following tests failed, say
DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@howardjohn can you take this one? I think it's an important fix, I worry we've stretched everyone's patience too far already, and I bet you could fix the test failures in far less time |
|
@jaredallard apologies for the long lag in your PR review. This issue is in the process of being solved, and I want to thank you for hunting down the correct solution. Most Istio contributors that can approve PRs are a little overloaded. One thing that helps when your PR is submitted is to use the This shows up in a dashboard under https://github.com/pulls/assigned and is the primary mechanism by which many PRs are reviewed. Cheers |
What this PR does: Fixes the init container to be able to properly apply iptables rules when the parent pod has a securityContext set
Fixes #10358