linkerd / linkerd2

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
https://linkerd.io
Apache License 2.0

Unable to inject Linkerd proxy on OpenShift without configuring privileged SCC on the workload #11520

Open rumeshmadhusanka opened 1 year ago

rumeshmadhusanka commented 1 year ago

What is the issue?

I'm unable to inject the Linkerd proxy on OpenShift without configuring the privileged SCC on the workload. Workloads that can run with restricted or other SCCs should not need to be given the privileged SCC after being injected with Linkerd.

How can it be reproduced?

Deploy Linkerd 2.14.1 on OpenShift 4.13/4.12, inject a workload with Linkerd by setting the annotations on the namespace, then restart the deployment. The ReplicaSet will fail.

Logs, error output, etc

When I configure the workload with an SCC other than privileged, the workload replica fails with this error:

Error creating: pods "<redacted-podname>" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/linkerd-proxy]: Forbidden: seccomp may not be set, provider "<redacted>": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 2102: must be in the ranges: [1001060000, 1001069999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "loki": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

Output of linkerd check -o short

linkerd-ha-checks
-----------------
‼ pod injection disabled on kube-system
    kube-system namespace needs to have the label config.linkerd.io/admission-webhooks: disabled if injector webhook failure policy is Fail
    see https://linkerd.io/2.14/checks/#l5d-injection-disabled for hints

Status check results are √

Environment

K8s 1.26
OpenShift 4.13
Linkerd 2.14.1 (with Linkerd CNI)
Host OS: Core OS

Possible solution

Make Proxy's SecurityContext fully configurable on the Helm chart

I removed the security context from the partials chart's _proxy.tpl. It seems the linkerd-network-validator container wants to run as root and therefore fails.

Additional context

No response

Would you like to work on fixing this bug?

Yes, willing to work with Linkerd team
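The error in this report is two SCC rules firing at once: the injected pod carries a seccomp annotation that the namespace's SCC does not allow, and the proxy's runAsUser (2102) is outside the UID range the namespace was assigned (1001060000 to 1001069999). The script below is an added example, not Linkerd or OpenShift code, that reproduces those two admission rules over a constructed pod so a platform team can check a proposed Helm override before rolling it out. The UID range is written in the `start/length` form OpenShift stores in the namespace's `openshift.io/sa.scc.uid-range` annotation; the seccomp annotation value, the validator init container's UID 0 and the "remediated" UIDs are all constructed stand-ins, and the check says only whether admission would pass, not whether the validator actually works as a non-root user (which this issue leaves open).

```python
# Added example: a pre-admission check that reproduces the two SCC rules that
# rejected the injected pod in this issue. Constructed for illustration; it is
# not Linkerd or OpenShift code.

SECCOMP_ANNOTATION_PREFIXES = (
    "container.seccomp.security.alpha.kubernetes.io/",  # per-container form (seen in the issue)
    "seccomp.security.alpha.kubernetes.io/",            # pod-level form
)


def parse_uid_range(annotation: str) -> tuple[int, int]:
    """Parse an openshift.io/sa.scc.uid-range value ('start/length') into an
    inclusive (low, high) pair: '1001060000/10000' -> (1001060000, 1001069999)."""
    start, length = annotation.split("/")
    low = int(start)
    return low, low + int(length) - 1


def check_pod_against_scc(pod: dict, uid_range: tuple[int, int],
                          allowed_seccomp_profiles: tuple[str, ...] = ()) -> list[str]:
    """Return the violations an SCC with the given UID range and seccomp allow-list
    would raise. An empty list means the pod passes these two rules."""
    violations = []
    low, high = uid_range

    # Rule 1: seccomp annotations are forbidden unless the profile is allow-listed.
    for key, value in pod.get("metadata", {}).get("annotations", {}).items():
        if key.startswith(SECCOMP_ANNOTATION_PREFIXES) and value not in allowed_seccomp_profiles:
            violations.append(f"pod.metadata.annotations[{key}]: Forbidden: seccomp may not be set")

    # Rule 2: every explicit runAsUser must fall inside the namespace's UID range.
    for section in ("initContainers", "containers"):
        for i, container in enumerate(pod["spec"].get(section, [])):
            uid = container.get("securityContext", {}).get("runAsUser")
            if uid is not None and not low <= uid <= high:
                violations.append(
                    f".{section}[{i}].runAsUser: Invalid value: {uid}: "
                    f"must be in the ranges: [{low}, {high}]")
    return violations


# Constructed stand-in for the injected pod: UID 2102 and the annotation key come
# from the error in the issue; the annotation value and the validator's UID 0 are
# assumptions (the reporter only says the validator wants to run as root).
INJECTED_POD = {
    "metadata": {"annotations": {
        "container.seccomp.security.alpha.kubernetes.io/linkerd-proxy": "runtime/default",
    }},
    "spec": {
        "initContainers": [{"name": "linkerd-network-validator",
                            "securityContext": {"runAsUser": 0}}],
        "containers": [{"name": "linkerd-proxy",
                        "securityContext": {"runAsUser": 2102}}],
    },
}

# Constructed remediated pod: no seccomp annotation, UIDs inside the namespace range.
REMEDIATED_POD = {
    "metadata": {"annotations": {}},
    "spec": {
        "initContainers": [{"name": "linkerd-network-validator",
                            "securityContext": {"runAsUser": 1001060000}}],
        "containers": [{"name": "linkerd-proxy",
                        "securityContext": {"runAsUser": 1001060000}}],
    },
}

NAMESPACE_UID_RANGE = parse_uid_range("1001060000/10000")  # same range as the issue's error


if __name__ == "__main__":
    for name, pod in (("injected", INJECTED_POD), ("remediated", REMEDIATED_POD)):
        problems = check_pod_against_scc(pod, NAMESPACE_UID_RANGE)
        print(f"{name}: {'admitted' if not problems else 'rejected'}")
        for problem in problems:
            print("  ", problem)
```

Passing an allow-list such as `("runtime/default",)` models an SCC whose `seccompProfiles` permits that profile, which is why the same pod can be rejected by one SCC and accepted by another in the error output above; the UID rule is the one that still fails regardless, so any fix has to either move the proxy's UID into the namespace range or make the securityContext configurable, as the reporter proposes.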

stale[bot] commented 9 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] commented 6 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

kbreit-insight commented 4 months ago

I am seeing similar problems using linkerd-edge helm repo.

dublx commented 4 months ago

+1