openservicemesh / osm

Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
https://openservicemesh.io/
Apache License 2.0

osm-healthcheck (v1.1.2) should not run as root #5246

Closed lorenzo-biava closed 1 year ago

lorenzo-biava commented 1 year ago

Bug description:

Injected osm-healthcheck container runs as root (at least on v1.1.2 -- note that OSM is running v1.2.1, so there might also be some inconsistencies between the image versions). It should be run under a different user. The container image is built with "user: 0" and it's injected without specifying a different runAsUser.

This leads to the Pod being rejected by security policies in certain environments. E.g.

message: 'container has runAsNonRoot and image will run as root (pod: "xxxxxxxxx(fe265a59-4567-416d-8904-11e42899c815)", container: osm-healthcheck)'

Affected area (please mark with X where applicable):

Expected behavior:

The osm-healthcheck container should not be run as root.

https://github.com/openservicemesh/osm/blob/v1.2.1/pkg/injector/patch.go#L124 should set: securityContext.runAsUser: something other than 0

Steps to reproduce the bug (as precisely as possible):

Create a deployment with:

How was OSM installed?:

AKS Add-on

Anything else we need to know?:

Bug report archive:

Environment:
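The following Go program is an added illustration for this issue, not code from OSM or from the kubelet. It models the decision kubelet makes per container when `runAsNonRoot` is set (container-level `securityContext` overrides pod-level; with no `runAsUser`, the image's USER directive decides) and shows how an injected `osm-healthcheck` container built with `user: 0` fails that check until the injector sets a non-zero `runAsUser`, as the report proposes. The struct types are a minimal stand-in for `k8s.io/api/core/v1`, the image-to-UID table is constructed (the healthcheck entry follows the report, the app entry is assumed), and the UID 65532 is an arbitrary non-zero choice, not a value OSM uses.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal slice of the Pod spec needed for the runAsNonRoot check.
// Constructed for this example; these are not OSM's or k8s.io/api's types.
type SecurityContext struct {
	RunAsNonRoot *bool  `json:"runAsNonRoot,omitempty"`
	RunAsUser    *int64 `json:"runAsUser,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	Containers      []Container      `json:"containers"`
}

// imageUser stands in for reading USER out of the image config, which is what
// kubelet does when no runAsUser is set. Constructed table: the healthcheck
// entry reflects the report ("user: 0"); the app entry is an assumption.
var imageUser = map[string]int64{
	"openservicemesh/osm-healthcheck:v1.1.2": 0,
	"example.invalid/app:1.0":                1000,
}

func boolPtr(b bool) *bool    { return &b }
func int64Ptr(i int64) *int64 { return &i }

// verifyRunAsNonRoot mirrors kubelet's per-container check and returns one
// rejection message per violating container (same wording the reporter saw),
// or an empty slice when every container is admitted.
func verifyRunAsNonRoot(podName string, spec PodSpec) []string {
	var rejections []string
	for _, c := range spec.Containers {
		// Pod-level defaults, then container-level overrides.
		nonRoot := spec.SecurityContext != nil && spec.SecurityContext.RunAsNonRoot != nil && *spec.SecurityContext.RunAsNonRoot
		var uid *int64
		if spec.SecurityContext != nil {
			uid = spec.SecurityContext.RunAsUser
		}
		if c.SecurityContext != nil {
			if c.SecurityContext.RunAsNonRoot != nil {
				nonRoot = *c.SecurityContext.RunAsNonRoot
			}
			if c.SecurityContext.RunAsUser != nil {
				uid = c.SecurityContext.RunAsUser
			}
		}
		if !nonRoot {
			continue
		}
		imgUID, known := imageUser[c.Image]
		switch {
		case uid != nil && *uid == 0:
			rejections = append(rejections, fmt.Sprintf(
				"container's runAsUser breaks non-root policy (pod: %q, container: %s)", podName, c.Name))
		case uid == nil && known && imgUID == 0:
			rejections = append(rejections, fmt.Sprintf(
				"container has runAsNonRoot and image will run as root (pod: %q, container: %s)", podName, c.Name))
		}
	}
	return rejections
}

// healthcheckContainer is the sidecar the injector appends. Passing a non-zero
// runAsUser is the fix the report asks for; nil reproduces the v1.1.2 behaviour.
func healthcheckContainer(runAsUser *int64) Container {
	c := Container{Name: "osm-healthcheck", Image: "openservicemesh/osm-healthcheck:v1.1.2"}
	if runAsUser != nil {
		c.SecurityContext = &SecurityContext{RunAsUser: runAsUser}
	}
	return c
}

// injectedPod is a workload pod whose policy requires runAsNonRoot at pod level,
// after the webhook has appended the healthcheck container.
func injectedPod(healthcheckUID *int64) PodSpec {
	return PodSpec{
		SecurityContext: &SecurityContext{RunAsNonRoot: boolPtr(true)},
		Containers: []Container{
			{Name: "app", Image: "example.invalid/app:1.0"},
			healthcheckContainer(healthcheckUID),
		},
	}
}

func main() {
	pod := "xxxxxxxxx(fe265a59-4567-416d-8904-11e42899c815)"
	fmt.Println("before fix:", verifyRunAsNonRoot(pod, injectedPod(nil)))
	fmt.Println("after fix: ", verifyRunAsNonRoot(pod, injectedPod(int64Ptr(65532))))
	fixed, _ := json.MarshalIndent(healthcheckContainer(int64Ptr(65532)), "", "  ")
	fmt.Println(string(fixed))
}
```

Setting `runAsNonRoot: true` on the healthcheck container alone would not help: kubelet still needs a numeric non-zero UID, either from `runAsUser` or from the image's USER directive, and the reported image is built with user 0. An explicit non-zero `runAsUser` in the injected `securityContext` satisfies the check regardless of how the image was built.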

github-actions[bot] commented 1 year ago

This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.

lorenzo-biava commented 1 year ago

still valid

github-actions[bot] commented 1 year ago

This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.

github-actions[bot] commented 1 year ago

Issue closed due to inactivity.