injection: fix sidecar template for TPROXY mode on OpenShift#56577
istio-testing merged 3 commits into istio:master from
Conversation
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
| readOnlyRootFilesystem: true | ||
| runAsGroup: {{ .ProxyGID | default "1337" }} | ||
| runAsUser: {{ .ProxyUID | default "1337" }} | ||
| runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} |
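Review bot: the TPROXY branch of the new `runAsUser` line hard-codes `1337` while the else branch still honours `.ProxyUID`, so a mesh configured with a non-default proxy UID will get different IDs in the two interception modes; if that is deliberate (the PR description says TPROXY should fall back to the defaults rather than the OpenShift-derived IDs), a one-line template comment stating it would save the next reader the question. The spaces inside `{{ if $tproxy }} 1337 {{ else }} ... {{ end }}` are emitted into the YAML value; `{{- if $tproxy -}}1337{{- else -}}{{ .ProxyUID | default "1337" }}{{- end }}` renders a clean scalar. `$tproxy` is defined outside this hunk, so the correctness of the branch rests entirely on how that variable is derived (per-pod annotation versus a meshConfig-wide proxyConfig default), which is exactly the question raised in the thread.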
nit: why change the order, i.e. runAsUser before runAsGroup? Before, it was alphabetically ordered.
Sorry, I didn't do that intentionally. This is the result of refactoring a few subsequent changes to this template. I will revert it.
dgn left a comment
LGTM, but the ordering changes seem unnecessary. Not a blocker, though.
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Actually, now that I think about it... Can't we also configure a default interception mode in MeshConfig? If so, that would mean TPROXY being enabled without the annotation being present. So maybe move this into pkg/kube/inject instead of the template?

This condition takes into account the annotation as well as a proxyConfig that can be defined in meshConfig or per-proxy:

Ah, perfect. Thank you

In response to a cherrypick label: new pull request created: #56584

In response to a cherrypick label: new pull request created: #56585

In response to a cherrypick label: new pull request could not be created: failed to create pull request against istio/istio#release-1.24 from head istio-testing:cherry-pick-56577-to-release-1.24: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for istio-testing:cherry-pick-56577-to-release-1.24."}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request","status":"422"}

In response to a cherrypick label: new pull request created: #56586
In response to a cherrypick label: new pull request could not be created: failed to create pull request against istio/istio#release-1.25 from head istio-testing:cherry-pick-56577-to-release-1.25: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for istio-testing:cherry-pick-56577-to-release-1.25."}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request","status":"422"}
In response to a cherrypick label: new pull request could not be created: failed to create pull request against istio/istio#release-1.26 from head istio-testing:cherry-pick-56577-to-release-1.26: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for istio-testing:cherry-pick-56577-to-release-1.26."}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request","status":"422"}
* upstream/master:
  injection: fix sidecar template for TPROXY mode on OpenShift (istio#56577)
  Update BASE_VERSION to master-2025-06-11T19-01-21 (istio#56581)
  Automator: update proxy@master in istio/istio@master (istio#56580)
  Fix: create-remote-secret create redundant rbac resources (istio#56559)
  support trafficDistribution in pilot service (istio#56556)
The injection webhook on OpenShift sets the proxy UID and GID from the openshift.io/sa.scc.uid-range annotation, so that regular pods do not need the anyuid SCC. Proxies running in TPROXY mode, however, need the privileged SCC, and for them the injection webhook should assign UID=0 and GID=1337, as it does by default. The istio-validation init container should likewise use the default UID=1337 and GID=1337.
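The UID/GID selection described above, as an added Go example that is not Istio's own code: it models the rule the description states (OpenShift range-derived IDs for regular pods, UID 0 and GID 1337 for a TPROXY proxy, 1337/1337 for the istio-validation init container in TPROXY mode) together with the author's point that the TPROXY condition considers both the pod annotation and a meshConfig proxyConfig default. Assumptions not on this page: the `<start>/<size>` format of the uid-range annotation with its first UID used for both UID and GID, `sidecar.istio.io/interceptionMode` as the per-pod override, and that istio-validation shares the proxy's IDs outside TPROXY mode; the sample annotations are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Values named in the PR description.
const (
	defaultProxyUID int64 = 1337
	defaultProxyGID int64 = 1337
	tproxyProxyUID  int64 = 0 // TPROXY needs root, hence the privileged SCC

	uidRangeAnnotation     = "openshift.io/sa.scc.uid-range"     // from the PR description
	interceptionAnnotation = "sidecar.istio.io/interceptionMode" // assumed per-pod override
)

// SecurityContext is the subset of the Kubernetes securityContext the template sets.
type SecurityContext struct {
	RunAsUser  int64
	RunAsGroup int64
}

// firstUIDInRange parses an OpenShift "<start>/<size>" uid-range value and returns
// its first UID. Assumption: the first UID of the project's range is used.
func firstUIDInRange(v string) (int64, error) {
	start, _, ok := strings.Cut(v, "/")
	if !ok {
		return 0, fmt.Errorf("uid-range %q: want <start>/<size>", v)
	}
	uid, err := strconv.ParseInt(strings.TrimSpace(start), 10, 64)
	if err != nil || uid < 0 {
		return 0, fmt.Errorf("uid-range %q: bad start %q", v, start)
	}
	return uid, nil
}

// isTPROXY mirrors the condition the author describes: the pod annotation wins,
// otherwise the mesh-wide proxyConfig.interceptionMode default applies.
func isTPROXY(annotations map[string]string, meshDefaultMode string) bool {
	mode := meshDefaultMode
	if v, ok := annotations[interceptionAnnotation]; ok && v != "" {
		mode = v
	}
	return strings.EqualFold(mode, "TPROXY")
}

// proxyContext picks runAsUser/runAsGroup for the istio-proxy container.
func proxyContext(annotations map[string]string, meshDefaultMode string) (SecurityContext, error) {
	if isTPROXY(annotations, meshDefaultMode) {
		// TPROXY: root user and the default group, ignoring the OpenShift range.
		return SecurityContext{RunAsUser: tproxyProxyUID, RunAsGroup: defaultProxyGID}, nil
	}
	if r, ok := annotations[uidRangeAnnotation]; ok {
		uid, err := firstUIDInRange(r)
		if err != nil {
			return SecurityContext{}, err
		}
		// Assumption: GID is derived from the same range as the UID.
		return SecurityContext{RunAsUser: uid, RunAsGroup: uid}, nil
	}
	return SecurityContext{RunAsUser: defaultProxyUID, RunAsGroup: defaultProxyGID}, nil
}

// validationContext picks the context for the istio-validation init container:
// the defaults in TPROXY mode; otherwise (assumption) the same IDs as the proxy.
func validationContext(annotations map[string]string, meshDefaultMode string) (SecurityContext, error) {
	if isTPROXY(annotations, meshDefaultMode) {
		return SecurityContext{RunAsUser: defaultProxyUID, RunAsGroup: defaultProxyGID}, nil
	}
	return proxyContext(annotations, meshDefaultMode)
}

func main() {
	// Constructed sample annotations, as a pod admitted into an OpenShift project might carry.
	cases := []struct {
		name string
		ann  map[string]string
	}{
		{"redirect", map[string]string{uidRangeAnnotation: "1000680000/10000"}},
		{"tproxy", map[string]string{uidRangeAnnotation: "1000680000/10000", interceptionAnnotation: "TPROXY"}},
	}
	for _, c := range cases {
		p, _ := proxyContext(c.ann, "REDIRECT")
		v, _ := validationContext(c.ann, "REDIRECT")
		fmt.Printf("%-8s proxy uid=%d gid=%d  validation uid=%d gid=%d\n",
			c.name, p.RunAsUser, p.RunAsGroup, v.RunAsUser, v.RunAsGroup)
	}
}
```

The mesh-wide default is passed in explicitly so the same function serves both the annotation case and the MeshConfig case raised in the review thread; a malformed uid-range annotation is an error rather than a silent fall-back to 1337, since falling back would quietly undo the reason the range exists.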