
Run istio-init with non-root UID#20380

Merged
istio-testing merged 4 commits into master from istio-init-uid-1337 on Feb 3, 2020

Conversation

@rlenglet
Contributor

@rlenglet rlenglet commented Jan 21, 2020

  • Run the istio-init container with UID 1337 instead of UID 0.
  • Pass --table=mangle --table=nat arguments to every iptables command to explicitly specify the tables to setup / clean, so it won't try to access file /proc/net/ip_tables_names which is accessible only to UID/GID 0.
  • Set CAP_NET_ADMIN and CAP_NET_RAW as ambient capabilities in istio-iptables to make them inherited and effective when calling iptables commands, even when istio-iptables runs as non-root. ❗️This requires Linux kernel version ≥4.3.
  • Set CAP_NET_ADMIN and CAP_NET_RAW as permitted capabilities on the istio-iptables binary in the proxyv2 Docker image. ❗️This requires a filesystem supporting extended attributes. The benefits of running as non-root outweigh the (small) risk of encountering a platform which filesystem doesn't support extended attributes.

The CAP_SYS_MODULE capability is not added to the istio-init container. It is normally needed by iptables to install kernel modules if they are not compiled into the kernel or already loaded. The previous configuration (non-privileged, UID 0, no CAP_SYS_MODULE capability) has always prevented istio-init from loading modules anyway, so this is not an issue.

@rlenglet rlenglet added this to the 1.5 milestone Jan 21, 2020
@rlenglet rlenglet requested a review from lambdai January 21, 2020 20:12
@rlenglet rlenglet requested review from a team as code owners January 21, 2020 20:12
@googlebot googlebot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Jan 21, 2020
@istio-testing istio-testing added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Jan 21, 2020
@rlenglet
Contributor Author

This PR takes over @lambdai's work in #20186.

@rlenglet
Contributor Author

The capabilities are not yet sufficient:

2020-01-21T20:26:35.009239497Z stdout F iptables-restore --noflush /tmp/iptables-rules-1579638395008660162.txt088733895
2020-01-21T20:26:35.058585628Z stderr F iptables-restore v1.6.1: iptables-restore: unable to initialize table 'nat'
2020-01-21T20:26:35.058617869Z stderr F 
2020-01-21T20:26:35.058625548Z stderr F Error occurred at line: 1
2020-01-21T20:26:35.058644108Z stderr F Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2020-01-21T20:26:35.058739018Z stdout F iptables-save 
2020-01-21T20:26:35.06020544Z stderr F Failed to list table names in /proc/net/ip_tables_names: Permission denied
2020-01-21T20:26:35.066010973Z stderr F panic: exit status 2

@rlenglet rlenglet changed the title from "Run istio-init with non-root UID" to "[WIP] Run istio-init with non-root UID" Jan 21, 2020
@istio-testing istio-testing added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jan 21, 2020
@rlenglet
Contributor Author

rlenglet commented Jan 21, 2020

The inability to read /proc/net/ip_tables_names may not be solvable with capabilities, since that path is only readable from uid/gid 0:

$ ls -l /proc/net/ip_tables_names
-r--r----- 1 root root 0 Jan 21 20:46 /proc/net/ip_tables_names

See the kernel patch that enforces that.

I will try to work around this by passing -t ... explicitly to iptables-restore and iptables-save so it would not need to look up /proc/net/ip_tables_names.
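An added example, written for this page and not taken from Istio's own code, that puts the two mechanisms of this PR together in Go: the explicit --table arguments that keep iptables-save and iptables-restore from enumerating /proc/net/ip_tables_names, and CAP_NET_ADMIN plus CAP_NET_RAW raised as ambient capabilities in the child before exec, using the standard library's syscall.SysProcAttr.AmbientCaps. The names iptablesArgs and iptablesCommand and the rule set are the example's own; it assumes Linux with a kernel of at least 4.3 and a calling binary that already holds the two capabilities as permitted, for instance through file capabilities set with setcap.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// Capability numbers from <linux/capability.h>, declared here so that the
// example needs only the Go standard library.
const (
	capNetAdmin = 12 // CAP_NET_ADMIN
	capNetRaw   = 13 // CAP_NET_RAW
)

// ambientCaps are raised (PR_CAP_AMBIENT_RAISE) in the child between fork and
// exec. The kernel accepts that only for capabilities already in the permitted
// set, which is what the file capabilities set with setcap provide, and only on
// kernels >= 4.3.
var ambientCaps = []uintptr{capNetAdmin, capNetRaw}

// iptablesArgs emits one --table=<name> argument per table, then the remaining
// arguments. Naming the tables explicitly keeps iptables-save and
// iptables-restore from enumerating /proc/net/ip_tables_names, which is
// readable only by uid/gid 0.
func iptablesArgs(tables []string, extra ...string) []string {
	args := make([]string, 0, len(tables)+len(extra))
	for _, t := range tables {
		args = append(args, "--table="+t)
	}
	return append(args, extra...)
}

// iptablesCommand prepares (but does not start) an iptables-* invocation that
// runs with CAP_NET_ADMIN and CAP_NET_RAW as ambient capabilities even though
// the calling process is not root. Hypothetical helper, not Istio's own code.
func iptablesCommand(binary string, tables []string, extra ...string) *exec.Cmd {
	cmd := exec.Command(binary, iptablesArgs(tables, extra...)...)
	cmd.SysProcAttr = &syscall.SysProcAttr{AmbientCaps: ambientCaps}
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd
}

func main() {
	// Constructed rule set: an empty nat table is enough to exercise the code
	// path (iptc_init on the nat table) that failed in the logs above.
	rules := "*nat\nCOMMIT\n"
	tables := []string{"mangle", "nat"}

	restore := iptablesCommand("iptables-restore", tables, "--noflush")
	restore.Stdin = strings.NewReader(rules)
	fmt.Println("would run:", strings.Join(restore.Args, " "))

	// The commands are only executed when asked for explicitly, because they
	// need the iptables binaries and the file capabilities from this PR.
	if len(os.Args) > 1 && os.Args[1] == "--run" {
		if err := restore.Run(); err != nil {
			fmt.Fprintln(os.Stderr, "iptables-restore failed:", err)
			os.Exit(1)
		}
		if err := iptablesCommand("iptables-save", tables).Run(); err != nil {
			fmt.Fprintln(os.Stderr, "iptables-save failed:", err)
			os.Exit(1)
		}
	}
}
```

Run it without arguments to see the command line it would issue; with --run, inside a container that has the iptables binaries and the file capabilities described in this PR, it performs the restore and the save as a non-root user. Leaving the ambient raise to the forked child keeps the parent's capability sets untouched, so only the iptables processes ever gain the two capabilities.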

@rlenglet rlenglet force-pushed the istio-init-uid-1337 branch from 2b63f9e to 3749b90 on January 21, 2020 21:32
@rlenglet
Contributor Author

Passing --table=mangle --table=nat arguments eliminates the error due to the read access to /proc/net/ip_tables_names, but there are still other permission problems:

2020-01-21T21:48:16.755325748Z stdout F iptables-restore --noflush --table=mangle --table=nat /tmp/iptables-rules-1579643296753682011.txt144766844
2020-01-21T21:48:16.790924877Z stderr F iptables-restore v1.6.1: iptables-restore: unable to initialize table 'nat'
2020-01-21T21:48:16.791240645Z stderr F 
2020-01-21T21:48:16.79126229Z stderr F Error occurred at line: 1
2020-01-21T21:48:16.791285658Z stderr F Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2020-01-21T21:48:16.79154265Z stdout F iptables-save --table=mangle --table=nat
2020-01-21T21:48:16.79314201Z stderr F iptables-save v1.6.1: Cannot initialize: Permission denied (you must be root)
2020-01-21T21:48:16.793168985Z stderr F 
2020-01-21T21:48:16.795734391Z stderr F panic: exit status 2

@rlenglet
Contributor Author

rlenglet commented Jan 21, 2020

Passing --table=nat is not sufficient to prevent iptables-restore from trying to read /proc/net/ip_tables_names. strace shows that it still tries to read that file:

openat(AT_FDCWD, "/test.txt", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=925, ...}) = 0
read(3, "* nat\n-N ISTIO_REDIRECT\n-N ISTIO"..., 4096) = 925
socket(AF_INET, SOCK_RAW, IPPROTO_RAW)  = -1 EPERM (Operation not permitted)
lstat("/proc/net/ip_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_RAW)  = -1 EPERM (Operation not permitted)
write(2, "iptables-restore v1.6.1: ", 25iptables-restore v1.6.1: ) = 25
write(2, "iptables-restore: unable to init"..., 51iptables-restore: unable to initialize table 'nat'
) = 51
write(2, "\n", 1
)                       = 1
write(2, "Error occurred at line: 1\n", 26Error occurred at line: 1
) = 26
write(2, "Try `iptables-restore -h' or 'ip"..., 77Try `iptables-restore -h' or 'iptables-restore --help' for more information.
) = 77
lseek(3, -919, SEEK_CUR)                = 6
exit_group(2)                           = ?

It's weird that socket(AF_INET, SOCK_RAW, IPPROTO_RAW) is not permitted, since we explicitly add CAP_NET_RAW. This is probably the remaining blocker.

@rlenglet
Contributor Author

rlenglet commented Jan 22, 2020

The strace trace corresponds to this code:

In this run, the call to xtables_load_ko() returns success, as it only tests that file /proc/net/ip_tables_names already exists, cf. the implementation at libxtables/xtables.c line 426. So there's no problem with reading /proc/net/ip_tables_names in this case. The problem is that the call to iptc_init() fails.

@rlenglet
Contributor Author

rlenglet commented Jan 22, 2020

The socket() call that is failing with EPERM is in TC_INIT() aka iptc_init() line 1318:

sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
if (sockfd < 0)
    return NULL;

TC_AF is a macro that is defined here as AF_INET.

This call shouldn't fail. This container has CAP_NET_RAW and the raw(7) manpage states this:

EPERM The user doesn't have permission to open raw sockets.  Only
      processes with an effective user ID of 0 or the CAP_NET_RAW
      attribute may do that.

This matches the actual implementation in the kernel:

err = -EPERM;
if (sock->type == SOCK_RAW && !kern &&
    !ns_capable(net->user_ns, CAP_NET_RAW))
        goto out_rcu_unlock;
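To check that reasoning from inside the container, here is an added diagnostic in Go that is not part of the PR: it decodes the CapInh, CapPrm, CapEff, CapBnd and CapAmb masks from /proc/self/status, reports whether CAP_NET_RAW is present in each set, and issues the same socket(AF_INET, SOCK_RAW, IPPROTO_RAW) call as iptc_init() so the errno can be compared with the capability sets. The helper names parseCapStatus, hasCap and rawSocketErrno are the example's own, and the status excerpt used in the test is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

const capNetRaw = 13 // CAP_NET_RAW, from <linux/capability.h>

// capSetNames are the capability-set lines found in /proc/<pid>/status.
var capSetNames = []string{"CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"}

// parseCapStatus extracts the capability masks from the text of
// /proc/<pid>/status, where they appear as e.g. "CapEff:\t0000000000003000".
func parseCapStatus(text string) (map[string]uint64, error) {
	masks := make(map[string]uint64)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || !strings.HasPrefix(fields[0], "Cap") {
			continue
		}
		name := strings.TrimSuffix(fields[0], ":")
		v, err := strconv.ParseUint(fields[1], 16, 64)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		masks[name] = v
	}
	return masks, sc.Err()
}

// hasCap reports whether capability number c is set in mask.
func hasCap(mask uint64, c uint) bool { return mask&(1<<c) != 0 }

// rawSocketErrno performs the same socket() call as iptc_init() and returns
// the errno, 0 on success. A successfully opened descriptor is closed at once.
func rawSocketErrno() syscall.Errno {
	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
	if err != nil {
		if errno, ok := err.(syscall.Errno); ok {
			return errno
		}
		return syscall.EIO // unexpected error type; report as a failure
	}
	_ = syscall.Close(fd)
	return 0
}

func main() {
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	masks, err := parseCapStatus(string(data))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, n := range capSetNames {
		fmt.Printf("%s=%016x CAP_NET_RAW=%v\n", n, masks[n], hasCap(masks[n], capNetRaw))
	}
	errno := rawSocketErrno()
	if errno == 0 {
		fmt.Println("socket(AF_INET, SOCK_RAW, IPPROTO_RAW): ok")
		return
	}
	fmt.Printf("socket(AF_INET, SOCK_RAW, IPPROTO_RAW): %v (errno %d)\n", errno, int(errno))
	if errno == syscall.EPERM && hasCap(masks["CapEff"], capNetRaw) {
		// ns_capable() is checked against the user namespace that owns the
		// network namespace, and an LSM policy can deny the call as well.
		fmt.Println("CAP_NET_RAW is effective, yet raw sockets are denied: check the user namespace owning the network namespace and any LSM policy")
	}
}
```

Running this as the istio-init user shows at a glance whether the capability is missing from the effective set (a capability-setup problem, such as file capabilities or the ambient raise not taking effect) or present while socket() still fails (a namespace or LSM problem), which is exactly the distinction this thread is trying to draw.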

@rlenglet
Contributor Author

rlenglet commented Jan 22, 2020

One hypothesis is that the Docker host is running LSM modules with a policy which prevents opening raw sockets, like in this SELinux bug: https://bugzilla.redhat.com/show_bug.cgi?id=1179489

Member

@sdake sdake left a comment


looks good - although the RAW socket usage is strongly discouraged by everyone going back 30+ years :). For CentOS based distros, have a look at https://bugzilla.redhat.com/show_bug.cgi?id=1133654

Which distro are you struggling to get this running on?

@rlenglet rlenglet force-pushed the istio-init-uid-1337 branch from 3749b90 to ff3d0bc on January 28, 2020 19:19
@rlenglet rlenglet requested a review from a team as a code owner January 28, 2020 19:19
@rlenglet rlenglet force-pushed the istio-init-uid-1337 branch 2 times, most recently from 410ac12 to ac7153e on January 28, 2020 20:09
@rlenglet
Contributor Author

looks good - although the RAW socket usage is strongly discouraged by everyone going back 30+ years :). For CentOS based distros, have a look at https://bugzilla.redhat.com/show_bug.cgi?id=1133654

CAP_NET_RAW is required by iptables.

@rlenglet
Contributor Author

Tests still fail, likely because CAP_NET_RAW is still not effective:

2020-01-28T20:19:29.393205862Z stdout F iptables-restore --noflush --table=mangle --table=nat /tmp/iptables-rules-1580242769392356701.txt522563304
2020-01-28T20:19:29.484692325Z stderr F iptables-restore v1.6.1: iptables-restore: unable to initialize table 'nat'
2020-01-28T20:19:29.484724804Z stderr F 
2020-01-28T20:19:29.484731547Z stderr F Error occurred at line: 1
2020-01-28T20:19:29.484761158Z stderr F Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2020-01-28T20:19:29.485233886Z stdout F iptables-save --table=mangle --table=nat
2020-01-28T20:19:29.486577777Z stderr F iptables-save v1.6.1: Cannot initialize: Permission denied (you must be root)

@rlenglet
Contributor Author

My hypothesis is that this is hitting Docker's years-old bug about not setting ambient capabilities.

@rlenglet
Contributor Author

cc @mandarjog fyi

@rlenglet rlenglet force-pushed the istio-init-uid-1337 branch from a252727 to bac5f38 on February 3, 2020 18:09
@rlenglet
Contributor Author

rlenglet commented Feb 3, 2020

@istio/wg-config-maintainers please review!
I would recommend reviewing commit-by-commit. The Make make common-test pass commit is large but it's only mechanical test changes.

Member

@howardjohn howardjohn left a comment


The idea lgtm, can we look into making the docker files a bit simpler?

Three review comment threads on pilot/docker/Dockerfile.proxyv2 (outdated)
Update the base image's version BASE_VERSION to 1.6-dev.1, which
has the libcap2-bin package installed.
Use the setcap command from libcap2-bin to add CAP_NET_ADMIN and
CAP_NET_RAW as Permitted capabilities on the istio-iptables binary.

Modify istio-iptables to add CAP_NET_ADMIN and CAP_NET_RAW as
ambient capabilities when exec'ing any iptables command.
@rlenglet rlenglet force-pushed the istio-init-uid-1337 branch from bac5f38 to 4a51bf7 on February 3, 2020 20:06
@rlenglet rlenglet dismissed howardjohn’s stale review February 3, 2020 20:11

Addressed comments: installed libcap2-bin in base image.

@istio-testing istio-testing merged commit 0996b80 into master Feb 3, 2020
@istio-testing istio-testing deleted the istio-init-uid-1337 branch February 3, 2020 21:45
@rlenglet
Contributor Author

rlenglet commented Feb 3, 2020

/cherrypick release-1.3

@istio-testing
Collaborator

@rlenglet: #20380 failed to apply on top of branch "release-1.3":

Using index info to reconstruct a base tree...
M	install/kubernetes/helm/istio/files/injection-template.yaml
A	manifests/istio-control/istio-autoinject/files/injection-template.yaml
A	manifests/istio-control/istio-discovery/files/injection-template.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/all_on.golden-show-in-gh-pull-request.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/component_hub_tag.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_force.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_output.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_values.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_override_values.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/pilot_k8s_settings.golden.yaml
A	operator/pkg/vfs/assets.gen.go
Falling back to patching base and 3-way merge...
Auto-merging vendor/istio.io/operator/pkg/vfs/assets.gen.go
CONFLICT (content): Merge conflict in vendor/istio.io/operator/pkg/vfs/assets.gen.go
CONFLICT (modify/delete): operator/cmd/mesh/testdata/manifest-generate/output/pilot_k8s_settings.golden.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of operator/cmd/mesh/testdata/manifest-generate/output/pilot_k8s_settings.golden.yaml left in tree.
CONFLICT (modify/delete): operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.golden.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.golden.yaml left in tree.
CONFLICT (modify/delete): operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.golden.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.golden.yaml left in tree.
CONFLICT (modify/delete): operator/cmd/mesh/testdata/manifest-generate/output/flag_override_values.golden.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of operator/cmd/mesh/testdata/manifest-generate/output/flag_override_values.golden.yaml left in tree.
CONFLICT (modify/delete): operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_values.golden.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_values.golden.yaml left in tree.
CONFLICT (modify/delete): operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.golden.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.golden.yaml left in tree.
CONFLICT (modify/delete): operator/cmd/mesh/testdata/manifest-generate/output/flag_output.golden.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of operator/cmd/mesh/testdata/manifest-generate/output/flag_output.golden.yaml left in tree.
CONFLICT (modify/delete): operator/cmd/mesh/testdata/manifest-generate/output/flag_force.golden.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of operator/cmd/mesh/testdata/manifest-generate/output/flag_force.golden.yaml left in tree.
CONFLICT (modify/delete): operator/cmd/mesh/testdata/manifest-generate/output/component_hub_tag.golden.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of operator/cmd/mesh/testdata/manifest-generate/output/component_hub_tag.golden.yaml left in tree.
CONFLICT (modify/delete): operator/cmd/mesh/testdata/manifest-generate/output/all_on.golden-show-in-gh-pull-request.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of operator/cmd/mesh/testdata/manifest-generate/output/all_on.golden-show-in-gh-pull-request.yaml left in tree.
CONFLICT (modify/delete): manifests/istio-control/istio-discovery/files/injection-template.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of manifests/istio-control/istio-discovery/files/injection-template.yaml left in tree.
CONFLICT (modify/delete): manifests/istio-control/istio-autoinject/files/injection-template.yaml deleted in HEAD and modified in Run istio-init with UID 1337. Version Run istio-init with UID 1337 of manifests/istio-control/istio-autoinject/files/injection-template.yaml left in tree.
Auto-merging install/kubernetes/helm/istio/files/injection-template.yaml
CONFLICT (content): Merge conflict in install/kubernetes/helm/istio/files/injection-template.yaml
error: Failed to merge in the changes.
Patch failed at 0001 Run istio-init with UID 1337


In response to this:

/cherrypick release-1.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rlenglet
Contributor Author

rlenglet commented Feb 3, 2020

/cherrypick release-1.5

@istio-testing
Collaborator

@rlenglet: #20380 failed to apply on top of branch "release-1.5":

Using index info to reconstruct a base tree...
M	manifests/istio-control/istio-autoinject/files/injection-template.yaml
M	manifests/istio-control/istio-discovery/files/injection-template.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/all_on.golden-show-in-gh-pull-request.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/component_hub_tag.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_force.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_output.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_values.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_override_values.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.golden.yaml
A	operator/cmd/mesh/testdata/manifest-generate/output/pilot_k8s_settings.golden.yaml
M	operator/pkg/vfs/assets.gen.go
Falling back to patching base and 3-way merge...
Auto-merging operator/pkg/vfs/assets.gen.go
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/pilot_k8s_settings.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/flag_override_values.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_values.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/flag_output.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/flag_force.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/component_hub_tag.yaml
Auto-merging operator/cmd/mesh/testdata/manifest-generate/output/all_on.yaml
Auto-merging manifests/istio-control/istio-discovery/files/injection-template.yaml
Auto-merging manifests/istio-control/istio-autoinject/files/injection-template.yaml
Applying: Make make common-test pass
Applying: Limit iptables-restore/save to only the tables used
Applying: Set the ambient capabilities for iptables commands
error: Failed to merge in the changes.
Using index info to reconstruct a base tree...
M	Makefile.core.mk
Falling back to patching base and 3-way merge...
Auto-merging Makefile.core.mk
CONFLICT (content): Merge conflict in Makefile.core.mk
Patch failed at 0004 Set the ambient capabilities for iptables commands


In response to this:

/cherrypick release-1.5


dgn added a commit to dgn/istio that referenced this pull request Feb 5, 2020
@bianpengyuan
Contributor

master build crashes in my GKE cluster, with kernel version 4.14.150+. Looks like it is caused by this PR:

iptables-restore --noflush --table=mangle --table=nat /tmp/iptables-rules-1580927478353624087.txt324682989
iptables-save --table=mangle --table=nat
panic: fork/exec /sbin/iptables-restore: errno 0

goroutine 1 [running]:
istio.io/istio/tools/istio-iptables/pkg/dependencies.(*RealDependencies).RunOrFail(0xd819c0, 0x9739cb, 0x10, 0xc00009a040, 0x4, 0x4)
        istio.io/istio@/tools/istio-iptables/pkg/dependencies/implementation.go:58 +0x96
istio.io/istio/tools/istio-iptables/pkg/cmd.(*IptablesConfigurator).executeIptablesRestoreCommand(0xc000123d30, 0x7f51bd806d01, 0x0, 0x0)
        istio.io/istio@/tools/istio-iptables/pkg/cmd/run.go:483 +0x3c1
istio.io/istio/tools/istio-iptables/pkg/cmd.(*IptablesConfigurator).executeCommands(0xc000123d30)
        istio.io/istio@/tools/istio-iptables/pkg/cmd/run.go:498 +0x45
istio.io/istio/tools/istio-iptables/pkg/cmd.(*IptablesConfigurator).run(0xc000123d30)
        istio.io/istio@/tools/istio-iptables/pkg/cmd/run.go:438 +0x24e2
istio.io/istio/tools/istio-iptables/pkg/cmd.glob..func1(0xd5c740, 0xc000104700, 0x0, 0x10)
        istio.io/istio@/tools/istio-iptables/pkg/cmd/root.go:56 +0x14e
github.com/spf13/cobra.(*Command).execute(0xd5c740, 0xc0000ca010, 0x10, 0x11, 0xd5c740, 0xc0000ca010)
        github.com/spf13/cobra@v0.0.5/command.go:830 +0x2aa
github.com/spf13/cobra.(*Command).ExecuteC(0xd5c740, 0x40574f, 0xc00009c058, 0x0)
        github.com/spf13/cobra@v0.0.5/command.go:914 +0x2fb
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/cobra@v0.0.5/command.go:864
istio.io/istio/tools/istio-iptables/pkg/cmd.Execute()
        istio.io/istio@/tools/istio-iptables/pkg/cmd/root.go:284 +0x2d
main.main()
        istio.io/istio@/tools/istio-iptables/main.go:22 +0x20

istio-testing pushed a commit that referenced this pull request Feb 6, 2020
sdake pushed a commit to sdake/istio that referenced this pull request Feb 21, 2020
* Run istio-init with UID 1337

* Make make common-test pass

* Limit iptables-restore/save to only the tables used

* Set the ambient capabilities for iptables commands

Update the base image's version BASE_VERSION to 1.6-dev.1, which
has the libcap2-bin package installed.
Use the setcap command from libcap2-bin to add CAP_NET_ADMIN and
CAP_NET_RAW as Permitted capabilities on the istio-iptables binary.

Modify istio-iptables to add CAP_NET_ADMIN and CAP_NET_RAW as
ambient capabilities when exec'ing any iptables command.
sdake pushed a commit to sdake/istio that referenced this pull request Feb 21, 2020

Labels

area/networking cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
