Update envoy proxy to v1.23.0.

Open ScheererJ opened this issue 2 years ago • 3 comments

How to categorize this PR?

/area networking /kind enhancement

What this PR does / why we need it: Update envoy proxy to v1.23.0.

The new envoy proxy release is a bit more strict concerning the typing of its configuration. Therefore, the config types have to be stated now explicitly. As the envoy proxy distroless container image supports arm now, the container image was also switched to reduce the attack surface. However, it is running as a non-root user, which required subsequent changes as well for vpn-seed-server and apiserver-proxy. As the switch to a non-root user showed that the capability NET_BIND_SERVICE was not required by vpn-seed-server, all capabilities were removed from the envoy proxy in vpn-seed-server.

Which issue(s) this PR fixes: Fixes #6127.

Special notes for your reviewer:

Release note:

Update envoy proxy to v1.23.0.

/cc @DockToFuture @acumino

ScheererJ (Jul 20 '22 13:07)
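A check for the container hardening the PR description above talks about (non-root user, all capabilities dropped), as an added example that is not part of the PR or of Gardener's code. The pod spec, container names, UID and ports are constructed for illustration.

```python
# Added example. SAMPLE_POD is constructed (names, UID and ports are
# assumptions); it is not Gardener's manifest.
SAMPLE_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65532},
    "containers": [
        {"name": "hardened", "ports": [{"containerPort": 9443}],
         "securityContext": {"capabilities": {"drop": ["ALL"]}}},
        {"name": "legacy", "ports": [{"containerPort": 443}],
         "securityContext": {"runAsNonRoot": False, "runAsUser": 0,
                             "capabilities": {"add": ["NET_BIND_SERVICE"]}}},
        {"name": "lowport", "ports": [{"containerPort": 443}],
         "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    ],
}

def audit_container(pod_spec, container):
    """Return hardening findings for one container of a pod spec."""
    pod_sc = pod_spec.get("securityContext") or {}
    sc = container.get("securityContext") or {}
    findings = []
    # Container-level settings override pod-level ones.
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    flag = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    non_root = bool(flag) or (uid is not None and uid != 0)
    if not non_root:
        findings.append("may run as root")
    caps = sc.get("capabilities") or {}
    drop = {c.upper() for c in caps.get("drop") or []}
    add = {c.upper() for c in caps.get("add") or []}
    if "ALL" not in drop:
        findings.append("capabilities not fully dropped (no drop: [ALL])")
    if add:
        findings.append("capabilities added: " + ", ".join(sorted(add)))
    # A non-root process without NET_BIND_SERVICE normally cannot bind ports
    # below 1024 (unless net.ipv4.ip_unprivileged_port_start was lowered).
    # containerPort is only declarative; the real listeners are in the Envoy config.
    if non_root and "NET_BIND_SERVICE" not in add:
        for port in container.get("ports") or []:
            number = port.get("containerPort", 65535)
            if number < 1024:
                findings.append(f"port {number} is below 1024; bind may fail without NET_BIND_SERVICE")
    return findings

def audit_pod(pod_spec):
    """Map each container name to its list of findings."""
    return {c["name"]: audit_container(pod_spec, c) for c in pod_spec.get("containers") or []}

if __name__ == "__main__":
    for name, findings in audit_pod(SAMPLE_POD).items():
        print(name, findings or "ok")
```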

/assign @acumino

rfranzke (Jul 26 '22 07:07)

I converted this to "draft" state until the issues are fixed/addressed.

rfranzke (Jul 26 '22 11:07)

@acumino @ScheererJ what's the status on this PR?

timebertt (Aug 16 '22 05:08)

@acumino @ScheererJ what's the status on this PR?

We are waiting for the v1.23.1 release of github.com/envoyproxy/envoy - see https://github.com/gardener/gardener/pull/6366#discussion_r925808266.

ialidzhikov (Aug 16 '22 05:08)

@acumino: GitHub didn't allow me to request PR reviews from the following users: ScheererJ.

Note that only gardener members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @ScheererJ

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

gardener-prow[bot] (Aug 29 '22 06:08)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DockToFuture, timebertt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment.

Approvers can cancel approval by writing /approve cancel in a comment.

gardener-prow[bot] (Aug 29 '22 09:08)