V 1.3 - envoy crashes in IngressGateway when non-root and global.sds enabled

I am running/trying to run istio using non-root for all containers.
When running v1.3 with global sds set to true, the envoy process in the ingressgateway crashes continually. Setting the securityContext in the container to runAsUser: 0 stops the failure.

ingress-gateway log for istio-proxy:

2019-11-23T09:27:50.717536Z     info    Envoy command: [-c /etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --parent-shutdown-time-s 60 --service-cluster istio-ingressgateway --service-node router~172.16.3.68~istio-ingressgateway-6f858f5685-xp6mc.istio-system~istio-system.svc.cluster.local --max-obj-name-len 189 --local-address-ip-version v4 --allow-unknown-fields -l warning --component-log-level misc:error]
[2019-11-23 09:27:50.730][23][warning][config] [external/envoy/source/server/options_impl.cc:193] --allow-unknown-fields is deprecated, use --allow-unknown-static-fields instead.
[2019-11-23 09:27:50.783][23][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:87] gRPC config stream closed: 14, no healthy upstream
[2019-11-23 09:27:50.783][23][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:50] Unable to establish new stream
[2019-11-23 09:27:52.195][60][critical][main] [external/envoy/source/exe/terminate_handler.cc:13] std::terminate called! (possible uncaught exception, see trace)
[2019-11-23 09:27:52.195][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
[2019-11-23 09:27:52.198][83][critical][main] [external/envoy/source/exe/terminate_handler.cc:13] std::terminate called! (possible uncaught exception, see trace)
[2019-11-23 09:27:52.198][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
[2019-11-23 09:27:52.201][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #0: Envoy::TerminateHandler::logOnTerminate()::$_0::operator()() [0x1fe6ab8]
[2019-11-23 09:27:52.204][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #0: Envoy::TerminateHandler::logOnTerminate()::$_0::operator()() [0x1fe6ab8]
[2019-11-23 09:27:52.207][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #1: [0x1fe69c9]
[2019-11-23 09:27:52.209][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #1: [0x1fe69c9]
[2019-11-23 09:27:52.213][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #2: std::__terminate() [0x22077b3]
[2019-11-23 09:27:52.215][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #2: std::__terminate() [0x22077b3]
[2019-11-23 09:27:52.219][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #3: Envoy::Config::DataSource::read() [0x1b29259]
[2019-11-23 09:27:52.220][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #3: Envoy::Config::DataSource::read() [0x1b29259]
[2019-11-23 09:27:52.225][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #4: Envoy::Extensions::GrpcCredentials::FileBasedMetadata::FileBasedMetadataAuthenticator::GetMetadata() [0xcc6930]
[2019-11-23 09:27:52.226][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #4: Envoy::Extensions::GrpcCredentials::FileBasedMetadata::FileBasedMetadataAuthenticator::GetMetadata() [0xcc6930]
[2019-11-23 09:27:52.231][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #5: grpc::MetadataCredentialsPluginWrapper::InvokePlugin() [0x1b2c60d]
[2019-11-23 09:27:52.232][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #5: grpc::MetadataCredentialsPluginWrapper::InvokePlugin() [0x1b2c60d]
[2019-11-23 09:27:52.237][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #6: std::__1::__function::__func<>::operator()() [0x1b2d3ce]
[2019-11-23 09:27:52.237][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #6: std::__1::__function::__func<>::operator()() [0x1b2d3ce]
[2019-11-23 09:27:52.243][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #7: grpc::DynamicThreadPool::ThreadFunc() [0x1b338b1]
[2019-11-23 09:27:52.243][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #7: grpc::DynamicThreadPool::ThreadFunc() [0x1b338b1]
[2019-11-23 09:27:52.248][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #8: grpc::DynamicThreadPool::DynamicThread::ThreadFunc() [0x1b33605]
[2019-11-23 09:27:52.249][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #8: grpc::DynamicThreadPool::DynamicThread::ThreadFunc() [0x1b33605]
[2019-11-23 09:27:52.254][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #9: grpc_core::(anonymous namespace)::ThreadInternalsPosix::ThreadInternalsPosix()::{lambda()#1}::__invoke() [0x1bf40d3]
[2019-11-23 09:27:52.254][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #10: start_thread [0x7fc3071b96db]
[2019-11-23 09:27:52.254][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:81] Caught Aborted, suspect faulting address 0x271100000017
[2019-11-23 09:27:52.254][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
[2019-11-23 09:27:52.254][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #0: __restore_rt [0x7fc3071c4890]
[2019-11-23 09:27:52.255][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #9: grpc_core::(anonymous namespace)::ThreadInternalsPosix::ThreadInternalsPosix()::{lambda()#1}::__invoke() [0x1bf40d3]
[2019-11-23 09:27:52.255][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #10: start_thread [0x7fc3071b96db]
2019-11-23T09:27:52.260552Z     warn    Epoch 0 terminated with an error: signal: aborted
2019-11-23T09:27:52.260574Z     warn    Aborted all epochs
2019-11-23T09:27:52.260729Z     info    Epoch 0: set retry delay to 200ms, budget to 9

If I use the upstream image for the proxy, all is well (but it looks like all processes in that run as root); setting a securityContext for the container with runAsUser: 0 also resolves it.

I am using the envoy binary from the upstream deb (I had previously been building envoy from source, but same issue).

The target container was originally scratch, but to zone in on the problem I have switched to distroless cc.
Same experience with both. The other envoys (sidecars to control plane pilot, mixer etc.) do not show this issue.

Here's my Dockerfile:

ARG ISTIO_VERSION
FROM myartifactory.com/dev/istio-package/istiobuilder:${ISTIO_VERSION} as builder


USER root

ENV PROXY_BUILD=/home/build/proxybuild
ENV ARTIFACTS_LOG=/home/build/artifacts.txt
ENV PROXY_FOLDER=istio-proxy


RUN mkdir -p ${PROXY_BUILD}/etc/istio/proxy && \
    mkdir -p ${PROXY_BUILD}/var/log && \
    mkdir -p ${PROXY_BUILD}/var/run/sds && \
    echo "root:x:0:0:root:/root:/sbin/nologin" > ${PROXY_BUILD}/etc/passwd && \
    echo "nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin" >> ${PROXY_BUILD}/etc/passwd && \
    echo "nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin" >> ${PROXY_BUILD}/etc/passwd && \
    echo "istio-user:x:10001:10001:istio-user:/var/lib/istio:/sbin/nologin" >> ${PROXY_BUILD}/etc/passwd && \
    tar -zxf /home/build/go/src/istio.io/istio/docker/ca-certificates.tgz -C ${PROXY_BUILD} && \
    chmod 644 ${PROXY_BUILD}/etc/ssl/certs/ca-certificates.crt && \
    cp ${GOPATH}/src/istio.io/istio/pilot/docker/*.yaml.tmpl  ${PROXY_BUILD}/etc/istio/proxy && \
    tar -C ${PROXY_BUILD} -xzf /ca-certificates.tgz
COPY envoy ${PROXY_BUILD}/envoy

FROM gcr.io/distroless/cc:latest
ARG proxy_version
ARG istio_version
ENV PROXY_BUILD=/home/build/proxybuild

COPY --from=builder --chown=10001:10001 /ca-certificates.tgz /ca-certificates.tgz
COPY --from=builder ${PROXY_BUILD}/etc/passwd /etc/passwd
COPY --from=builder ${PROXY_BUILD}/etc/ssl /etc/ssl
COPY --from=builder --chown=10001:10001 ${PROXY_BUILD}/etc/istio /etc/istio
COPY --from=builder /home/build/go/out/linux_amd64/release/pilot-agent /usr/local/bin/pilot-agent
COPY --from=builder ${PROXY_BUILD}/envoy /usr/local/bin/envoy
COPY --from=builder /home/build/go/src/istio.io/istio/tools/packaging/common/istio-iptables.sh /usr/local/bin/istio-iptables.sh

COPY --from=builder --chown=10001:10001 ${PROXY_BUILD}/var/log /var/log
COPY --from=builder --chown=10001:10001 ${PROXY_BUILD}/var/run /var/run

COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/tools/packaging/common/envoy_bootstrap_drain.json /var/lib/istio/envoy/envoy_bootstrap_drain.json
COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/tools/packaging/common/envoy_bootstrap_v2.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/tools/packaging/common/sidecar.env /var/lib/istio/envoy/sidecar.env
COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/pilot/docker/envoy_pilot.yaml.tmpl /etc/istio/proxy/envoy_pilot.yaml.tmpl
COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/pilot/docker/envoy_telemetry.yaml.tmpl /etc/istio/proxy/envoy_telemetry.yaml.tmpl
COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/pilot/docker/envoy_policy.yaml.tmpl /etc/istio/proxy/envoy_policy.yaml.tmpl

USER istio-user

ENTRYPOINT ["/usr/local/bin/pilot-agent"]

I don't want to run as user 0, especially on the ingressgateway.
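Added pre-flight check (not from this issue, and not Istio or Envoy code): it parses the passwd lines the Dockerfile above writes, flags the malformed istio-user entry (5 fields instead of 7), and computes which files a non-root uid can read under plain POSIX permission bits, since frame #3 of the backtrace (Envoy::Config::DataSource::read() called from the file-based gRPC credential plugin) is a file read that root can always do but uid 10001 cannot if the file is root-owned and mode 0600. The token path and all stat values are constructed assumptions for illustration.

```python
import stat

# Constructed /etc/passwd content: the lines the Dockerfile above writes, including
# its malformed istio-user entry (5 fields; the "x" password field and the shell are missing).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
istio-user:10001:10001:istio-user:/var/lib/istio
"""
# The same entry in the correct 7-field form.
FIXED_ISTIO_USER = "istio-user:x:10001:10001:istio-user:/var/lib/istio:/sbin/nologin\n"

# Constructed (owner uid, group gid, mode) stat values for files the gateway's Envoy reads.
# The token path is an assumption; the issue does not name the file the credential plugin reads.
SAMPLE_FILES = {
    "/etc/istio/proxy/envoy-rev0.json": (10001, 10001, 0o644),
    "/var/lib/istio/envoy/envoy_bootstrap_tmpl.json": (10001, 10001, 0o644),
    "/var/run/secrets/tokens/istio-token": (0, 0, 0o600),  # root-owned, not readable by others
}

def passwd_entries(passwd_text):
    """Parse passwd text into ({name: (uid, gid)}, [errors for malformed lines])."""
    users, errors = {}, []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            errors.append(f"line {n}: {line!r} has {len(fields)} fields, expected 7")
            continue
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users, errors

def mode_allows_read(uid, gids, st_uid, st_gid, st_mode):
    """POSIX DAC read check: owner bits if uid matches, group bits if gid matches, else other."""
    if uid == 0:
        return True  # root bypasses DAC, which is why runAsUser: 0 masks the problem
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)

def unreadable_paths(uid, gids, files):
    """files maps path -> (st_uid, st_gid, mode); returns the paths that uid cannot read."""
    return [p for p, (o, g, m) in files.items() if not mode_allows_read(uid, gids, o, g, m)]
```

Inside a real proxy container, feed `os.stat(path)` results (`st_uid`, `st_gid`, `stat.S_IMODE(st_mode)`) into `unreadable_paths` the same way; any path it returns for the container's runAsUser is one Envoy's DataSource::read() cannot open.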