privileged:true is not present on all settings in the istio-sidecar-injector ConfigMap

[matzew]

Looking at the istio-sidecar-injector ConfigMap:

oc get cm istio-sidecar-injector -n istio-system -o yaml   

I see that not all securityContext objects do have privileged: true:

➜  FaaS oc get cm istio-sidecar-injector -n istio-system -o yaml                       
apiVersion: v1
data:
  config: "policy: disabled\ntemplate: |-\n  initContainers:\n  - name: istio-init\n
    \   image: \"docker.io/istio/proxy_init:1.0.2\"\n    args:\n    - \"-p\"\n    -
    [[ .MeshConfig.ProxyListenPort ]]\n    - \"-u\"\n    - 1337\n    - \"-m\"\n    -
    [[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String
    ]]\n    - \"-i\"\n    [[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\")
    -]]\n    - \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\"
    \ ]]\"\n    [[ else -]]\n    - \"*\"\n    [[ end -]]\n    - \"-x\"\n    [[ if
    (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\")
    -]]\n    - \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\"
    \ ]]\"\n    [[ else -]]\n    - \"\"\n    [[ end -]]\n    - \"-b\"\n    [[ if (isset
    .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\") -]]\n
    \   - \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\"
    \ ]]\"\n    [[ else -]]\n    - [[ range .Spec.Containers -]][[ range .Ports -]][[
    .ContainerPort -]], [[ end -]][[ end -]][[ end]]\n    - \"-d\"\n    [[ if (isset
    .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\") -]]\n
    \   - \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\"
    ]]\"\n    [[ else -]]\n    - \"\"\n    [[ end -]]\n    imagePullPolicy: IfNotPresent\n
    \   securityContext:\n      capabilities:\n        add:\n        - NET_ADMIN\n
    \     \n      privileged: true\n      restartPolicy: Always\n  \n  containers:\n
    \ - name: istio-proxy\n    image: [[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\")
    -]]\n    \"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\" ]]\"\n
    \   [[ else -]]\n    docker.io/istio/proxyv2:1.0.2\n    [[ end -]]\n    args:\n
    \   - proxy\n    - sidecar\n    - --configPath\n    - [[ .ProxyConfig.ConfigPath
    ]]\n    - --binaryPath\n    - [[ .ProxyConfig.BinaryPath ]]\n    - --serviceCluster\n
    \   [[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]\n    - [[ index .ObjectMeta.Labels
    \"app\" ]]\n    [[ else -]]\n    - \"istio-proxy\"\n    [[ end -]]\n    - --drainDuration\n
    \   - [[ formatDuration .ProxyConfig.DrainDuration ]]\n    - --parentShutdownDuration\n
    \   - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]\n    - --discoveryAddress\n
    \   - [[ .ProxyConfig.DiscoveryAddress ]]\n    - --discoveryRefreshDelay\n    -
    [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]\n    - --zipkinAddress\n
    \   - [[ .ProxyConfig.ZipkinAddress ]]\n    - --connectTimeout\n    - [[ formatDuration
    .ProxyConfig.ConnectTimeout ]]\n    - --statsdUdpAddress\n    - [[ .ProxyConfig.StatsdUdpAddress
    ]]\n    - --proxyAdminPort\n    - [[ .ProxyConfig.ProxyAdminPort ]]\n    [[ if
    gt .ProxyConfig.Concurrency 0 -]]\n    - --concurrency\n    - [[ .ProxyConfig.Concurrency
    ]]\n    [[ end -]]\n    - --controlPlaneAuthPolicy\n    - [[ or (index .ObjectMeta.Annotations
    \"sidecar.istio.io/controlPlaneAuthPolicy\") .ProxyConfig.ControlPlaneAuthPolicy
    ]]\n    env:\n    - name: POD_NAME\n      valueFrom:\n        fieldRef:\n          fieldPath:
    metadata.name\n    - name: POD_NAMESPACE\n      valueFrom:\n        fieldRef:\n
    \         fieldPath: metadata.namespace\n    - name: INSTANCE_IP\n      valueFrom:\n
    \       fieldRef:\n          fieldPath: status.podIP\n    - name: ISTIO_META_POD_NAME\n
    \     valueFrom:\n        fieldRef:\n          fieldPath: metadata.name\n    -
    name: ISTIO_META_INTERCEPTION_MODE\n      value: [[ or (index .ObjectMeta.Annotations
    \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]\n
    \   imagePullPolicy: IfNotPresent\n    securityContext:\n      \n      privileged:
    false\n      readOnlyRootFilesystem: true\n      [[ if eq (or (index .ObjectMeta.Annotations
    \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String) \"TPROXY\"
    -]]\n      capabilities:\n        add:\n        - NET_ADMIN\n      runAsGroup:
    1337\n      [[ else -]]\n      runAsUser: 1337\n      [[ end -]]\n    restartPolicy:
    Always\n    resources:\n      [[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\")
    -]]\n      requests:\n        cpu: \"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\"
    ]]\"\n        memory: \"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyMemory\"
    ]]\"\n    [[ else -]]\n      requests:\n        cpu: 10m\n      \n    [[ end -]]\n
    \   volumeMounts:\n    - mountPath: /etc/istio/proxy\n      name: istio-envoy\n
    \   - mountPath: /etc/certs/\n      name: istio-certs\n      readOnly: true\n
    \ volumes:\n  - emptyDir:\n      medium: Memory\n    name: istio-envoy\n  - name:
    istio-certs\n    secret:\n      optional: true\n      [[ if eq .Spec.ServiceAccountName
    \"\" -]]\n      secretName: istio.default\n      [[ else -]]\n      secretName:
    [[ printf \"istio.%s\" .Spec.ServiceAccountName ]]\n      [[ end -]]"
kind: ConfigMap
metadata:
  creationTimestamp: 2018-10-05T14:37:40Z
  labels:
    app: istio
    chart: istio-1.0.1
    heritage: Tiller
    istio: sidecar-injector
    maistra-version: 0.2.0
    release: istio-1.0.2
  name: istio-sidecar-injector
  namespace: istio-system
  resourceVersion: "4219"
  selfLink: /api/v1/namespaces/istio-system/configmaps/istio-sidecar-injector
  uid: 362572f7-c8ac-11e8-858b-5254003179cd

Running the known patch:

oc get cm istio-sidecar-injector -n istio-system -oyaml  \
| sed -e 's/securityContext:/securityContext:\\n      privileged: true/' \
| oc replace -f -

of course updates both ...

@kameshsampath is that patch still needed ?

[kameshsampath]

yes this does replace all, with usage of istio-addon that will negate the use of this command as Maistra istio bits already covers for this.

[matzew]

UPDATE: the oc get cm istio-sidecar-injector -n istio-system -oyaml is NOT needed w/ Maistra !

Knative works:

https://gist.github.com/matzew/2f9df694b9733605b14ac501ecf7575b#file-gistfile1-txt-L33-L80

[matzew]

closing, since no longer an issue for me