Question
Do you have any recommendation how to approach: https://github.com/istio/istio/issues/22025 ?
Case description
I have a Deployment with two Volumes. Once the pods are started, the file owners from the volumes are changed to 1337, which is the user that runs istio-proxy.
So, here is my pod:
apiVersion: v1
kind: Pod
# ...
spec:
  containers:
  - name: my-container
    securityContext:
      runAsUser: 0
    volumeMounts:
    - mountPath: /root/.ssh/id_rsa
      name: git-ssh-key
      readOnly: true
      subPath: id_rsa
    - mountPath: /opt/webhook/log4j2.xml
      name: log4j2-config
      readOnly: true
      subPath: log4j2.xml
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-v88pp
      readOnly: true
    # ...
  - name: istio-proxy
    image: docker.io/istio/proxyv2:1.5.2
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1337
      runAsNonRoot: true
      runAsUser: 1337
    volumeMounts:
    - mountPath: /var/run/secrets/istio
      name: istiod-ca-cert
    - mountPath: /etc/istio/proxy
      name: istio-envoy
    - mountPath: /var/run/secrets/tokens
      name: istio-token
    - mountPath: /etc/istio/pod
      name: podinfo
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-v88pp
      readOnly: true
    # ...
  initContainers:
  - command:
    - istio-iptables
    - -p
    - "15001"
    - -z
    - "15006"
    - -u
    - "1337"
    - -m
    - REDIRECT
    - -i
    - '*'
    - -x
    - ""
    - -b
    - '*'
    - -d
    - 15090,15020
    image: docker.io/istio/proxyv2:1.5.2
    imagePullPolicy: IfNotPresent
    name: istio-init
    resources:
      limits:
        cpu: 100m
        memory: 50Mi
      requests:
        cpu: 10m
        memory: 10Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
  securityContext:
    fsGroup: 1337
  volumes:
  - configMap:
      defaultMode: 511
      items:
      - key: log4j2.xml
        path: log4j2.xml
      name: my-app
    name: log4j2-config
  - name: git-ssh-key
    secret:
      defaultMode: 448
      items:
      - key: id_rsa
        path: id_rsa
      secretName: my-app
  - name: default-token-v88pp
    secret:
      defaultMode: 420
      secretName: default-token-v88pp
  - emptyDir:
      medium: Memory
    name: istio-envoy
  - downwardAPI:
      defaultMode: 420
      items:
      - fieldRef:
          apiVersion: v1
          fieldPath: metadata.labels
        path: labels
      - fieldRef:
          apiVersion: v1
          fieldPath: metadata.annotations
        path: annotations
    name: podinfo
  - name: istio-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: istio-ca
          expirationSeconds: 43200
          path: istio-token
  - configMap:
      defaultMode: 420
      name: istio-ca-root-cert
    name: istiod-ca-cert
# ...
And once it starts, the file owner in my two volumes is changed from root to 1337:
$ kubectl exec -ti my-pod -c my-container bash
bash-4.3# ls -lha /opt/webhook/log4j2.xml ~/.ssh/id_rsa
-rwxrwxrwx 1 root 1337 9.1K May 13 11:29 /opt/webhook/log4j2.xml
-rwxr----- 1 root 1337 3.3K May 13 11:29 /root/.ssh/id_rsa
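To make the manifest and the listing above directly comparable, here is an added audit check (not part of the question, and not Istio or Kubernetes code) that converts the volumes' decimal defaultMode values to permission bits and diffs them against what `ls -l` reports inside the container, so the effect of the pod-level `fsGroup: 1337` on owner, group and mode is visible per file. The volume, mount and `ls` data below are constructed from the post; `fs_group` is assumed to be the pod's `securityContext.fsGroup`.

```python
import stat

# Constructed sample input taken from the question: the two application
# volumes with their declared defaultMode, where each one is mounted, and
# the two `ls -lha` lines observed in my-container.
VOLUMES = [
    {"name": "log4j2-config", "configMap": {"defaultMode": 511}},
    {"name": "git-ssh-key", "secret": {"defaultMode": 448}},
]
MOUNTS = {"/opt/webhook/log4j2.xml": "log4j2-config",
          "/root/.ssh/id_rsa": "git-ssh-key"}
LS_OUTPUT = """\
-rwxrwxrwx 1 root 1337 9.1K May 13 11:29 /opt/webhook/log4j2.xml
-rwxr----- 1 root 1337 3.3K May 13 11:29 /root/.ssh/id_rsa
"""

def declared_modes(volumes):
    """Map volume name -> declared defaultMode as an int. The manifest stores
    it in decimal (511 == 0o777, 448 == 0o700), which is easy to misread."""
    modes = {}
    for v in volumes:
        for kind in ("secret", "configMap", "projected", "downwardAPI"):
            if kind in v:
                modes[v["name"]] = v[kind].get("defaultMode", 0o644)
    return modes

def parse_ls_line(line):
    """Parse one `ls -l` line into (mode_bits, owner, group, path).
    Only plain rwx bits are decoded; setuid/sticky letters are not handled."""
    perms, _links, owner, group, _size, _mon, _day, _time, path = line.split(None, 8)
    mode = 0
    for i, ch in enumerate(perms[1:10]):   # skip the file-type column
        if ch != "-":
            mode |= 1 << (8 - i)
    return mode, owner, group, path

def audit(volumes, mounts, ls_output, fs_group):
    """Per file: who owns it, whether its group is fsGroup, which permission
    bits appeared beyond the declared defaultMode, and whether that group can read it."""
    declared = declared_modes(volumes)
    report = {}
    for line in ls_output.splitlines():
        mode, owner, group, path = parse_ls_line(line)
        want = declared[mounts[path]]
        report[path] = {
            "owner": owner,
            "group_is_fsgroup": group == str(fs_group),
            "gained_bits": oct(mode & ~want),
            "group_can_read": bool(mode & stat.S_IRGRP),
        }
    return report
```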