extauth securityContext override like on gloo or gateway-proxy pods
Version
1.14.x (latest stable)
Is your feature request related to a problem? Please describe.
I cannot override securityContext of the container unless I use kubeResourceOverride and for that I need to override the whole container definition.
Describe the solution you'd like
I would like to have a solution like you implemented for gloo or gateway-proxy pods where I could do:
gloo-ee:
  gloo:
    gloo:
      deployment:
        glooContainerSecurityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10101
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
Describe alternatives you've considered
No response
Additional Context
No response
The override with kubeResourceOverride is a workaround, but a very ugly one, because it requires overriding the whole extauth definition due to https://github.com/solo-io/gloo/issues/5841 (e.g. single properties don't get merged in lists, but the whole list is overwritten).
This means that single properties defined like this:
global:
  extensions:
    extAuth:
      deployment:
        replicas: 2
        resources:
          limits:
            memory: 512Mi
            cpu: 1
          requests:
            memory: 100Mi
            cpu: 200m
        floatingUserId: true
        extraExtAuthLabels:
          app: gloo
don't take effect anymore, so we have to copy/paste the whole section for each customer like this:
global:
  extensions:
    extAuth:
      kubeResourceOverride:
        spec:
          template:
            spec:
              containers:
                # the whole container section has to be copy/pasted due to the mentioned issue
                - image: ...
                  resources:
                    limits:
                      cpu: '1'
                      memory: 512Mi
                    requests:
                      cpu: 200m
                      memory: 100Mi
                  imagePullPolicy: IfNotPresent
                  name: extauth
                  env:
                    - name: POD_NAMESPACE
                      valueFrom:
                        fieldRef:
                          fieldPath: metadata.namespace
                    - name: SERVICE_NAME
                      value: "ext-auth"
                    - name: GLOO_ADDRESS
                      value: gloo:9977
                    - name: SIGNING_KEY
                      valueFrom:
                        secretKeyRef:
                          name: extauth-signing-key
                          key: signing-key
                    - name: REDIS_PASSWORD
                      valueFrom:
                        secretKeyRef:
                          name: redis
                          key: redis-password
                    - name: SERVER_PORT
                      value: "8083"
                    - name: USER_ID_HEADER
                      value: "x-user-id"
                    - name: START_STATS_SERVER
                      value: "true"
                    - name: HEALTH_HTTP_PORT
                      value: "8082"
                    - name: HEALTH_HTTP_PATH
                      value: "/healthcheck"
                    - name: ALIVE_HTTP_PATH
                      value: "/alivecheck"
                  readinessProbe:
                    httpGet:
                      port: 8082
                      path: "/healthcheck"
                    initialDelaySeconds: 2
                    periodSeconds: 5
                    failureThreshold: 2
                    successThreshold: 1
                  securityContext:
                    runAsNonRoot: true
                    runAsUser: 10101
                    allowPrivilegeEscalation: false
                    capabilities:
                      drop:
                        - ALL
                    readOnlyRootFilesystem: true
                    seccompProfile:
                      type: RuntimeDefault
              affinity:
                podAffinity:
                  preferredDuringSchedulingIgnoredDuringExecution:
                    - weight: 100
                      podAffinityTerm:
                        labelSelector:
                          matchLabels:
                            gloo: gateway-proxy
                        topologyKey: kubernetes.io/hostname
              imagePullSecrets:
                - name: artifactory
Because we have quite some customers, we need to ask each what values they use, then render it for them and tell them what to put in there, which is a lot of support effort for us for a simple feature that should be standard.
So, yes, there is a workaround, but not a maintainable one.
Hi, our customer is also asking to provide these values, not only for the extauth deployment, but also for observability.
We would also need a possibility to set those properties for all gloo deployment resources and their containers. This is necessary for properly enabling pod security standards for the whole gloo deployment.
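A check a platform team can run over the rendered manifests, whether the securityContext came from a chart value or from the kubeResourceOverride workaround above (an added example, not Gloo's own code and not from any commenter): it walks every container of a Deployment and reports which fields required by the Kubernetes Pod Security Standards "restricted" profile are missing. The sample Deployment is constructed inline, and the function names are this example's own.

```python
"""Audit a rendered Gloo Deployment for the container hardening the issue
asks for: the fields the Kubernetes Pod Security Standards "restricted"
profile requires. The manifest below is constructed for this example."""

# Constructed sample: the extauth container as set via the kubeResourceOverride
# workaround, plus a second container left at defaults (runs as root).
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "extauth"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "extauth", "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10101,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "readOnlyRootFilesystem": True,
            "seccompProfile": {"type": "RuntimeDefault"}}},
        {"name": "sidecar", "securityContext": {"runAsUser": 0}},
    ]}}},
}


def restricted_findings(container, pod_sc=None):
    """List 'restricted' profile violations for one container. Pod-level
    securityContext fields are inherited; container-level values win."""
    sc = dict(pod_sc or {})
    sc.update(container.get("securityContext") or {})
    findings = []
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation must be false")
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        findings.append("capabilities.drop must include ALL")
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot must be true")
    if sc.get("runAsUser") == 0:
        findings.append("runAsUser must not be 0")
    if (sc.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


def audit_deployment(deployment):
    """Map container name -> findings for each failing (init) container; {} means pass."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    report = {}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        found = restricted_findings(c, pod_sc)
        if found:
            report[c["name"]] = found
    return report
```

Run it against `helm template` output converted to JSON (or parsed with a YAML library) to catch any container the override did not reach, such as sidecars or init containers.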
Decided we need to have this for all our Gloo Edge deployments. Updated ticket title and scope.
Duplicate of https://github.com/solo-io/gloo/issues/8864. Closing this one.