OpenShift Service Mesh: OSSM-8001

Fix setting overlapping GID


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Critical
    • Fix Version/s: OSSM 2.4.11, OSSM 2.5.5, OSSM 2.6.2
    • Affects Version/s: OSSM 2.4.9, OSSM 2.5.3, OSSM 2.6.0
    • Component/s: Maistra
      Previously, injection in pods that explicitly set `runAsUser` and `runAsGroup` to the same value caused the proxy GID to be set equal to the existing container's GID, which broke traffic interception by the iptables rules applied by Istio CNI. Now, containers can have the same value set in the `runAsUser` and `runAsGroup` fields, and the iptables rules are applied correctly.

      -----
      Proxy injection in pods that have `runAsUser` and `runAsGroup` set has been fixed.

      The current implementation of the injection webhook does not ensure that the proxy GID is unique within a pod, so in some cases, e.g. in privileged pods with UID,GID=0, we set an overlapping GID for the proxy. This results in a broken "no-redirect" iptables rule, which uses the `--gid-owner` option, and breaks traffic interception.

      More details can be found in the description of this PR: https://github.com/maistra/istio/pull/1057.
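As an added illustration, not code from the maistra/istio PR, here is a hypothetical Go check that detects the GID overlap described above and picks a proxy GID that no container in the pod claims; the `securityContext` type, `int64p`, and the selection policy are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// securityContext is a constructed subset of the Kubernetes SecurityContext
// fields the issue concerns; name is only used for reporting.
type securityContext struct {
	name       string
	runAsUser  *int64
	runAsGroup *int64
}

func int64p(v int64) *int64 { return &v }

// overlapping lists the containers whose explicit runAsGroup equals the
// proposed proxy GID. Any such container's outbound traffic would match the
// proxy's own "--gid-owner <proxyGID> -j RETURN" no-redirect rule and escape
// redirection, which is the breakage described in the issue.
func overlapping(containers []securityContext, proxyGID int64) []string {
	var names []string
	for _, c := range containers {
		if c.runAsGroup != nil && *c.runAsGroup == proxyGID {
			names = append(names, c.name)
		}
	}
	sort.Strings(names)
	return names
}

// pickProxyGID returns the first GID at or above preferred that no container
// in the pod already claims (a hypothetical selection policy, not Maistra's).
func pickProxyGID(containers []securityContext, preferred int64) int64 {
	gid := preferred
	for len(overlapping(containers, gid)) > 0 {
		gid++
	}
	return gid
}

func main() {
	// Constructed pod: a privileged app container with runAsUser and runAsGroup
	// both 0, the case named in the issue description.
	pod := []securityContext{{name: "app", runAsUser: int64p(0), runAsGroup: int64p(0)}}
	fmt.Println("containers colliding with GID 0:", overlapping(pod, 0)) // [app]
	fmt.Println("proxy GID to use:", pickProxyGID(pod, 0))              // 1
}
```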

              Assignee: Jacek Ewertowski (jewertow@redhat.com)
              Reporter: Jacek Ewertowski (jewertow@redhat.com)