calico
calico copied to clipboard
projectcalico
calico-kube-controllers: Run as non-root by default for the armv7, ppc64le and s390x images
Description
This PR adapts the armv7, ppc64le and s390x images of calico-kube-controllers to run as non-root by default. Similar to https://github.com/projectcalico/kube-controllers/pull/565 and https://github.com/projectcalico/calico/pull/6346 (the changes that adapted the amd64 and arm64 images to run as non-root).
Related issues/PRs
Not applicable
Todos
- [ ] Tests
- [ ] Documentation
- [x] Release note
Release Note
The armv7, ppc64le and s390x images of calico-kube-controllers now runs as non-root by default (similar to the amd64 and arm64 imagaes).
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one docs-* label.
-
docs-pr-required: This change requires a change to the documentation that has not been completed yet. -
docs-completed: This change has all necessary documentation completed. -
docs-not-required: This change has no user-facing impact and requires no docs.
Every PR needs one release-note-* label.
-
release-note-required: This PR has user-facing changes. Most PRs should have this label. -
release-note-not-required: This PR has no user-facing changes.
Other optional labels:
-
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only. -
needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.
go build github.com/projectcalico/calico/libcalico-go/lib/net: mkdir /tmp/go-build357731998/b238/: no space left on device
github.com/gogo/protobuf/protoc-gen-gogo/descriptor
go build github.com/gogo/protobuf/protoc-gen-gogo/descriptor: mkdir /tmp/go-build357731998/b244/: no space left on device
google.golang.org/protobuf/internal/detrand
go build google.golang.org/protobuf/internal/detrand: mkdir /tmp/go-build357731998/b249/: no space left on device
google.golang.org/protobuf/internal/pragma
go build google.golang.org/protobuf/internal/pragma: mkdir /tmp/go-build357731998/b253/: no space left on device
Looks like we're running out of disk space now due to needing multitple copies of the qemu image.
We probably need to update semaphore.yml.tpl to match what calico/node does:
- Main build only builds amd64.
- have separate build steps for other architectures.
And then run make generate
@caseydavenport how we proceed with this PR? Is there anything that I have to fix in the PR? The things you explained in https://github.com/projectcalico/calico/pull/6749#issuecomment-1261212837 look like CI/CD issues. Are these issues a blocker?
@ialidzhikov yeah, we can't merge this until the CI is passing.
My previous comment suggested how to modify this PR to hopefully get the tests passing. You'll need to make a minor change to .semaphore/semaphore.yml.tpl and then run make gen-semaphore-yaml.
I'd recommend using calico/node's CI configuration as an example, specifically these lines: https://github.com/projectcalico/calico/blob/master/.semaphore/semaphore.yml.tpl#L468-L473
Will want to be copied to this section: https://github.com/projectcalico/calico/blob/master/.semaphore/semaphore.yml.tpl#L508-L510
And then change the Makefile here: https://github.com/projectcalico/calico/blob/master/kube-controllers/Makefile#L141
So that ci just runs image and not image-all
Oof, a lot of time has passed on this one. @ialidzhikov not sure if you're still interested in progressing this - I think it's still relevant though if you are. Otherwise I'll close.
@caseydavenport We have unified Dockerfiles into one in https://github.com/projectcalico/calico/pull/8299 so all non-amd64 images also receive the non-root changes. I believe this PR can be closed.
