Uploaded image for project: 'OpenShift Service Mesh'
  1. OpenShift Service Mesh
  2. OSSM-2324

Gateway injection does not work when pods are created by cluster admins

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • OSSM 2.3.1
    • OSSM 2.3.0
    • Maistra
    • None
    • Sprint 61

      Gateway injection does not work if ENABLE_LEGACY_FSGROUP_INJECTION is not set to false. Istiod logs the following error:

      error Pod injection failed: failed to run injection template: failed parsing generated injected YAML (check Istio sidecar injector configuration): unmarshal patched pod: json: cannot unmarshal string into Go struct field PodSecurityContext.spec.securityContext.fsGroup of type int64

      How to reproduce:
      1. Deploy a simple SMCP:

      mesh.yaml
      apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system
spec:
  version: v2.3
  tracing:
    type: None
---
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
  namespace: istio-system
spec:
  members:
  - istio-ingress

      2. Deploy a gateway following our documentation

      Workaround:
      When ENABLE_LEGACY_FSGROUP_INJECTION is set to false in the SMCP config, injection works without error.

      mesh.yaml
      apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system
spec:
  version: v2.3
  runtime:
    components:
      pilot:
        container:
          env:
            ENABLE_LEGACY_FSGROUP_INJECTION: "false"
  tracing:
    type: None

      Hints:
      1. Marko figured out that ProxyGID used to set securityContext.fsGroup in the gateway injection template is incorrectly set in the implementation here. This is the PR.
      2. Default value of ENABLE_LEGACY_FSGROUP_INJECTION set in pilot is not effectively used. It's default value should be false, because global.jwtPolicy is "third-party-jwt", but unless it's not set to false explicitly in the SMCP, pilot behaves as it was true.
      3. Sidecar injection template has the same condition to set securityContext.fsGroup, but it does not fail. Why?

      Explanation:
      That's because when a developer creates a pod (directly or via a deployment), OpenShift automatically assigns the runAsUser id, which the sidecar injector then uses to set ProxyGID, but since cluster-admins can create pods with any runAsUser, OpenShift does not assign it... leaving securityContext empty, which breaks the sidecar injector.

        1. istiod-basic-5845f558b9-jn4ch-discovery.log
          42 kB
        2. servicemeshcontrolplane-basic (2).yaml
          41 kB

              mluksa@redhat.com Marko Luksa
              jewertow@redhat.com Jacek Ewertowski
              Prachi Yadav
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: