OpenShift Service Mesh
OSSM-2324

Gateway injection does not work when pods are created by cluster admins


Details

    • Bug
    • Resolution: Done
    • Undefined
    • OSSM 2.3.1
    • OSSM 2.3.0
    • Maistra
    • None
    • Sprint 61

    Description

      Gateway injection does not work if ENABLE_LEGACY_FSGROUP_INJECTION is not set to false. Istiod logs the following error:

      error Pod injection failed: failed to run injection template: failed parsing generated injected YAML (check Istio sidecar injector configuration): unmarshal patched pod: json: cannot unmarshal string into Go struct field PodSecurityContext.spec.securityContext.fsGroup of type int64

      How to reproduce:
      1. Deploy a simple SMCP:

      mesh.yaml
      apiVersion: maistra.io/v2
      kind: ServiceMeshControlPlane
      metadata:
        name: basic
        namespace: istio-system
      spec:
        version: v2.3
        tracing:
          type: None
      ---
      apiVersion: maistra.io/v1
      kind: ServiceMeshMemberRoll
      metadata:
        name: default
        namespace: istio-system
      spec:
        members:
        - istio-ingress
      

      2. Deploy a gateway following our documentation

      Workaround:
      When ENABLE_LEGACY_FSGROUP_INJECTION is set to false in the SMCP config, injection works without error.

      mesh.yaml
      apiVersion: maistra.io/v2
      kind: ServiceMeshControlPlane
      metadata:
        name: basic
        namespace: istio-system
      spec:
        version: v2.3
        runtime:
          components:
            pilot:
              container:
                env:
                  ENABLE_LEGACY_FSGROUP_INJECTION: "false"
        tracing:
          type: None
      

      Hints:
      1. Marko figured out that the ProxyGID value used to set securityContext.fsGroup in the gateway injection template is incorrectly set in the implementation here. This is the PR.
      2. The default value of ENABLE_LEGACY_FSGROUP_INJECTION set in pilot is not effectively used. Its default value should be false, because global.jwtPolicy is "third-party-jwt", but unless it is explicitly set to false in the SMCP, pilot behaves as if it were true.
      3. The sidecar injection template has the same condition to set securityContext.fsGroup, but it does not fail. Why?

      Explanation:
      That's because when a developer creates a pod (directly or via a deployment), OpenShift automatically assigns the runAsUser id, which the sidecar injector then uses to set ProxyGID. Cluster-admins, however, can create pods with any runAsUser, so OpenShift does not assign one; securityContext is left empty, which breaks the sidecar injector.
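      A simplified model of that failure, added here as an illustration and not Istio's or Maistra's actual injection template or code: a template fragment that always emits fsGroup renders a missing ProxyGID as the text "<nil>", which YAML-style typing reads as a string and the typed unmarshal then rejects, while a fragment guarded on ProxyGID simply omits the block for a pod with no runAsUser. The templateData type, both fragments, the scalar-typing shortcut in render and the uid value are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// templateData is a constructed stand-in for the injector's template values.
// ProxyGID is derived from the pod's runAsUser, so it is nil when OpenShift
// assigned no uid (the cluster-admin case in this report).
type templateData struct{ ProxyGID *int64 }
// Unguarded fragment: fsGroup is emitted whatever ProxyGID holds.
const unguarded = "securityContext:\n  fsGroup: {{ .ProxyGID }}\n"
// Guarded fragment: the block is emitted only when a gid is actually known.
const guarded = "{{- if .ProxyGID }}securityContext:\n  fsGroup: {{ .ProxyGID }}\n{{- end }}"

// render executes the fragment and applies YAML-style scalar typing to the
// fsGroup line: a bare integer becomes int64; anything else (a nil pointer
// renders as "<nil>") is a string and is rejected, like the reported error.
func render(tmpl string, d templateData) (fsGroup int64, set bool, err error) {
	var buf bytes.Buffer
	if err = template.Must(template.New("gw").Parse(tmpl)).Execute(&buf, d); err != nil {
		return 0, false, err
	}
	for _, line := range strings.Split(buf.String(), "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "fsGroup:") {
			continue
		}
		raw := strings.TrimSpace(strings.TrimPrefix(line, "fsGroup:"))
		v, perr := strconv.ParseInt(raw, 10, 64)
		if perr != nil {
			return 0, false, fmt.Errorf("unmarshal patched pod: cannot unmarshal string %q into fsGroup of type int64", raw)
		}
		return v, true, nil
	}
	return 0, false, nil // no securityContext emitted: the pod is still valid
}

func main() {
	uid := int64(1000680000) // constructed uid, as an SCC would assign to a developer's pod
	for _, gid := range []*int64{&uid, nil} {
		for _, tmpl := range []string{unguarded, guarded} {
			fs, set, err := render(tmpl, templateData{ProxyGID: gid})
			fmt.Printf("runAsUser known=%v fsGroup=%d set=%v err=%v\n", gid != nil, fs, set, err)
		}
	}
}
```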

          People

            mluksa@redhat.com Marko Luksa
            jewertow@redhat.com Jacek Ewertowski
            Prachi Yadav