
Configurable Security Context

Open · danehans opened this issue 5 years ago · 1 comment

Please describe the problem you have:

Contour and the certgen job do not run on OpenShift using the default security context:

securityContext:
  runAsNonRoot: true
  runAsUser: 65534
  runAsGroup: 65534

Failure status condition of deploy/contour:

  - lastTransitionTime: "2020-11-13T21:44:15Z"
    lastUpdateTime: "2020-11-13T21:44:15Z"
    message: 'pods "contour-5475898957-" is forbidden: unable to validate against
      any security context constraint: [spec.containers[0].securityContext.runAsUser:
      Invalid value: 65534: must be in the ranges: [1000590000, 1000599999]]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure

Either make securityContext configurable or introduce provider-specific extensions to Contour so this can be configured automatically.

/cc @jpeach @Miciah

danehans, Nov 13 '20 22:11
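An added example, not code from the issue or from contour-operator, that re-creates the SCC admission check behind the error above as a pre-flight test and shows the requested change in miniature (drop the pinned UID so the range strategy assigns one). It assumes the namespace carries the standard OpenShift annotation openshift.io/sa.scc.uid-range in start/size form, and constructs the 1000590000/10000 range from the error message.

```python
"""Pre-flight check mirroring the OpenShift SCC UID-range validation behind
the issue's error. Added example, not contour-operator code: under the
restricted SCC (MustRunAsRange) a pinned runAsUser must fall inside the
namespace's openshift.io/sa.scc.uid-range; an omitted one is assigned."""
from typing import Dict, List, Tuple

UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"  # real OpenShift annotation

# Constructed from the issue: Contour's default context, and the namespace
# annotation implied by the error (1000590000 + 10000 - 1 == 1000599999).
CONTOUR_DEFAULT_CTX = {"runAsNonRoot": True, "runAsUser": 65534, "runAsGroup": 65534}
NAMESPACE_ANNOTATIONS = {UID_RANGE_ANNOTATION: "1000590000/10000"}


def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """Parse '<start>/<size>' into an inclusive (min, max) UID range."""
    start, size = (int(part) for part in annotation.split("/"))
    return start, start + size - 1


def validate_run_as_user(pod_spec: Dict, ns_annotations: Dict[str, str]) -> List[str]:
    """Return one SCC-style violation per container whose UID is out of range."""
    lo, hi = parse_uid_range(ns_annotations[UID_RANGE_ANNOTATION])
    pod_uid = pod_spec.get("securityContext", {}).get("runAsUser")
    violations = []
    for idx, container in enumerate(pod_spec.get("containers", [])):
        # A container-level runAsUser overrides the pod-level one.
        uid = container.get("securityContext", {}).get("runAsUser", pod_uid)
        if uid is not None and not lo <= uid <= hi:
            violations.append(
                f"spec.containers[{idx}].securityContext.runAsUser: Invalid value: "
                f"{uid}: must be in the ranges: [{lo}, {hi}]"
            )
    return violations


def unpin_run_as_user(ctx: Dict) -> Dict:
    """Drop the fixed UID so admission assigns one from the namespace range;
    runAsNonRoot stays set, since the assigned UID is never 0."""
    return {key: value for key, value in ctx.items() if key != "runAsUser"}


def contour_pod(ctx: Dict) -> Dict:
    """Minimal constructed pod spec in the shape of deploy/contour."""
    return {"securityContext": ctx, "containers": [{"name": "contour"}]}


if __name__ == "__main__":
    for ctx in (CONTOUR_DEFAULT_CTX, unpin_run_as_user(CONTOUR_DEFAULT_CTX)):
        print(validate_run_as_user(contour_pod(ctx), NAMESPACE_ANNOTATIONS) or "admitted")
```

Run against the default context the output is the same violation the operator reported; with runAsUser removed the pod is admitted and OpenShift assigns a UID from the namespace range.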

I think in this case that the securityContext of the Contour and Envoy pods should be configurable, maybe just with a single "userID" or similar setting.

youngnick, Mar 04 '21 03:03