istio / istio.io

Source for the istio.io site
https://istio.io/
Apache License 2.0

"must enable containers running with UID 0 for Istio’s service accounts" #8321

Open pantianying opened 4 years ago

pantianying commented 4 years ago

Describe the feature request

Referring to the official documentation, I installed Istio in OpenShift (https://istio.io/latest/docs/setup/platform-setup/openshift). There's a description: [image]

I can't understand where the group istio-system needs to use UID 0. As far as I can understand, I think it is enough that only istio-cni needs such permission.

- [X] Docs
- [ ] Installation
- [ ] Networking
- [ ] Performance and Scalability
- [ ] Extensions and Telemetry
- [ ] Security
- [ ] Test and Release
- [ ] User Experience
- [ ] Developer Infrastructure

Additional context

howardjohn commented 4 years ago

This is probably not accurate anymore? @jwendell @dgn?

pantianying commented 4 years ago

The network-related operations have been completed through the CNI plug-in. I can't install Istio when I don't give istio these permissions, but I don't know why istio needs such high permissions. This is a black box for me, so can someone explain it to me?

Thanks

jwendell commented 4 years ago

I'll give it a try with 1.8 which was just cut. Last time I checked (1.7) some component still needed those permissions, that's why those instructions are still in that page.

dgn commented 4 years ago

anyuid isn't just about UID 0 -- you also need that capability to run as UID 1337. So it might be the gateways.
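The point in the comment above is that OpenShift's default `restricted` SCC only admits pods whose fixed `runAsUser` falls inside the namespace's `openshift.io/sa.scc.uid-range`, so a sidecar or gateway pinned to UID 1337 (or an init container pinned to UID 0) is rejected unless the service account gets `anyuid`. The following is an added audit script, not code from this thread or from the Istio project; the UID range and the pod specs are constructed sample data, and `audit`, `fixed_uids_outside_range` and `parse_uid_range` are names chosen here.

```python
# Constructed: value of the openshift.io/sa.scc.uid-range annotation ("<start>/<size>").
ISTIO_SYSTEM_UID_RANGE = "1000620000/10000"

# Constructed pod specs, trimmed to the fields the check needs.
SAMPLE_PODS = [
    {"metadata": {"name": "istio-ingressgateway-7d4"},
     "spec": {"containers": [
         {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}}]}},
    {"metadata": {"name": "istiod-9f2"},
     "spec": {"containers": [{"name": "discovery"}]}},  # no fixed UID: admitted
    {"metadata": {"name": "sleep-1a0"},
     "spec": {"initContainers": [
                  {"name": "istio-init", "securityContext": {"runAsUser": 0}}],
              "containers": [
                  {"name": "sleep"},
                  {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}}]}},
]


def parse_uid_range(annotation):
    """'1000620000/10000' -> range(1000620000, 1000630000)."""
    start, size = (int(part) for part in annotation.split("/"))
    return range(start, start + size)


def fixed_uids_outside_range(pod, uid_range):
    """(container, uid) pairs whose runAsUser the restricted SCC would reject.
    A container-level runAsUser overrides the pod-level one; containers that
    set no UID get one from the range and are fine."""
    spec = pod["spec"]
    pod_uid = spec.get("securityContext", {}).get("runAsUser")
    rejected = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        uid = c.get("securityContext", {}).get("runAsUser", pod_uid)
        if uid is not None and uid not in uid_range:
            rejected.append((c["name"], uid))
    return rejected


def audit(pods, annotation):
    """Map pod name -> offending containers, listing only pods that need anyuid."""
    uid_range = parse_uid_range(annotation)
    result = {}
    for pod in pods:
        rejected = fixed_uids_outside_range(pod, uid_range)
        if rejected:
            result[pod["metadata"]["name"]] = rejected
    return result


if __name__ == "__main__":
    for name, rejected in audit(SAMPLE_PODS, ISTIO_SYSTEM_UID_RANGE).items():
        print(f"{name}: needs anyuid for {rejected}")
```

On a live cluster the same check can be fed from `oc get pods -n istio-system -o json` and the namespace annotation; a pod with no offending containers is one that could stay under the restricted SCC.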