Closed p1-repo-sync-bot[bot] closed 8 months ago
It looks like for some reason when enterprise is enabled, the pilot pod no longer runs as UID and GID 1337, as it should. We're looking into it.
Upstream Istio explicitly sets the user to 1337 in the Dockerfile.
Created an MR to make the FIPS image consistent with upstream: https://repo1.dso.mil/dsop/tetrate/istio/1.20/pilot/-/merge_requests/28
In addition to the Docker fix from @stas, we can enforce the user/group with the changes done here: https://repo1.dso.mil/big-bang/product/packages/istio-controlplane/-/merge_requests/203. These changes don't require the Docker image to change, but changing the values in the Docker images is fine too, and it is good practice to have the uid/gid values align.
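As an added example (not code from this thread, from Big Bang or from Tetrate), the following script shows the check that the two fixes above are meant to satisfy: a pod whose effective securityContext pins `runAsUser`/`runAsGroup` to 1337 and `runAsNonRoot: true`, so that an admission policy rejecting root or unset groups (like the kyverno policy mentioned later in the thread) accepts it. The two pod manifests are constructed for illustration; the field names are standard Kubernetes `securityContext` fields, and the merge rule (container-level values override pod-level ones) follows the Kubernetes API.

```python
"""Added example: validate that a pod runs with the Istio uid/gid 1337.

The manifests below are constructed for illustration and are not the
actual istiod Deployment from the istio-controlplane chart.
"""

ISTIO_UID = 1337  # uid set by `USER 1337` in the upstream pilot Dockerfile
ISTIO_GID = 1337


def effective_security_context(pod_spec, container):
    """Merge pod-level and container-level securityContext.

    Kubernetes applies the container-level value when both are set, so the
    container dict is layered on top of the pod dict.
    """
    merged = dict(pod_spec.get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def check_pod(pod):
    """Return a list of violations; an empty list means the pod is compliant."""
    spec = pod["spec"]
    violations = []
    for container in spec.get("containers", []):
        name = container["name"]
        sc = effective_security_context(spec, container)
        uid, gid = sc.get("runAsUser"), sc.get("runAsGroup")

        # Unset runAsUser falls back to whatever USER the image declares,
        # which is exactly the ambiguity the Dockerfile/values fixes remove.
        if uid is None:
            violations.append(f"{name}: runAsUser not set")
        elif uid == 0:
            violations.append(f"{name}: runAsUser is root")
        elif uid != ISTIO_UID:
            violations.append(f"{name}: runAsUser is {uid}, expected {ISTIO_UID}")

        # A non-root-group policy rejects an unset or zero runAsGroup.
        if gid is None:
            violations.append(f"{name}: runAsGroup not set")
        elif gid == 0:
            violations.append(f"{name}: runAsGroup is root group")
        elif gid != ISTIO_GID:
            violations.append(f"{name}: runAsGroup is {gid}, expected {ISTIO_GID}")

        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot is not true")
    return violations


# Constructed: what an istiod pod looks like when nothing pins the uid/gid
# and the image's USER directive is missing.
UNPINNED_POD = {
    "metadata": {"name": "istiod-unpinned"},
    "spec": {"containers": [{"name": "discovery", "image": "placeholder/pilot"}]},
}

# Constructed: uid/gid enforced at the pod level, matching the image's USER.
PINNED_POD = {
    "metadata": {"name": "istiod-pinned"},
    "spec": {
        "securityContext": {
            "runAsUser": ISTIO_UID,
            "runAsGroup": ISTIO_GID,
            "runAsNonRoot": True,
        },
        "containers": [{"name": "discovery", "image": "placeholder/pilot"}],
    },
}


if __name__ == "__main__":
    for pod in (UNPINNED_POD, PINNED_POD):
        problems = check_pod(pod)
        status = "OK" if not problems else "REJECT"
        print(f"{pod['metadata']['name']}: {status}")
        for p in problems:
            print(f"  - {p}")
```

Running the script reports the unpinned pod as rejected for unset `runAsUser`, `runAsGroup` and `runAsNonRoot`, and the pinned pod as compliant; the same check can be run against a rendered chart (`helm template`) before it reaches an admission controller.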
Issue 'Istiod does not deploy on latest release when using TID (enterprise)' closed from GitLab side
I think we can close this out. With the docker fix and bb fixes, we should be good.
Issue https://repo1.dso.mil/big-bang/bigbang/-/issues/1927 was created, so we can work to get some testing with Tetrate enterprise enabled
See MR where this is shown happening in CI: https://repo1.dso.mil/big-bang/bigbang/-/merge_requests/3749
Locally it seemed like the issue was istiod getting blocked by kyverno policies for non-root group and this is captured in the events as well - https://repo1.dso.mil/big-bang/bigbang/-/jobs/30819829/artifacts/file/events.txt
I haven't identified the exact issue, but it looks like TID is one minor version ahead of the upstream/default Istio (1.20 vs 1.19). I couldn't find any release notes indicating a change in this minor version, but it's a bit hard to identify changes in the operator since it's less supported now.
Maybe this is a separate issue but I don't believe that TID/enterprise is tested in any of the pipelines, which seems problematic?