Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Correct security context to use nonroot user #5819

Merged
merged 1 commit into from
Mar 11, 2024
Merged

chore: Correct security context to use nonroot user #5819

merged 1 commit into from
Mar 11, 2024

Conversation

jonathan-innis
Copy link
Contributor

Fixes #N/A

Description

This change corrects the runAsUser and runAsGroup to run using the nonroot user. This was previously mapping to another non-root, random user, but wasn't within the valid set of UIDs on older linux kernels (65535). Additionally, distroless and scratch images use a standard "nonroot" user (65532) by default and give permission to certain filepaths on the image. Karpenter uses the public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base image by default, which assigns file permission to user 65532

How was this change tested?

Does this change impact docs?

  • Yes, PR includes docs updates
  • Yes, issue opened: #
  • No

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@jonathan-innis jonathan-innis requested a review from a team as a code owner March 10, 2024 22:39
@jonathan-innis jonathan-innis requested a review from njtran March 10, 2024 22:39
jonathan-innis
jonathan-innis commented Mar 10, 2024
View reviewed changes
Copy link
Contributor Author

@jonathan-innis jonathan-innis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/karpenter snapshot

@netlify Netlify
Copy link

netlify bot commented Mar 10, 2024
edited
Loading

Deploy Preview for karpenter-docs-prod canceled.

Name Link
🔨 Latest commit b205cd9
🔍 Latest deploy log https://app.netlify.com/sites/karpenter-docs-prod/deploys/65ee36b4af3359000820daae

@coveralls
Copy link

Pull Request Test Coverage Report for Build 8225265076

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 2 unchanged lines in 1 file lost coverage.
  • Overall coverage decreased (-0.02%) to 82.743%
Files with Coverage Reduction New Missed Lines %
pkg/fake/utils.go 2 94.56%
Totals Coverage Status
Change from base Build 8218002295: -0.02%
Covered Lines: 5303
Relevant Lines: 6409
💛 - Coveralls

@jonathan-innis jonathan-innis enabled auto-merge (squash) March 10, 2024 22:43
@github-actions GitHub Actions
Copy link
Contributor

Snapshot successfully published to oci://021119463062.dkr.ecr.us-east-1.amazonaws.com/karpenter/snapshot/karpenter:0-b205cd9e59634041d49293fcc120a377379b2edd.
To install you must login to the ECR repo with an AWS account:

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 021119463062.dkr.ecr.us-east-1.amazonaws.com

helm upgrade --install karpenter oci://021119463062.dkr.ecr.us-east-1.amazonaws.com/karpenter/snapshot/karpenter --version "0-b205cd9e59634041d49293fcc120a377379b2edd" --namespace "kube-system" --create-namespace \
  --set "settings.clusterName=${CLUSTER_NAME}" \
  --set "settings.interruptionQueue=${CLUSTER_NAME}" \
  --set controller.resources.requests.cpu=1 \
  --set controller.resources.requests.memory=1Gi \
  --set controller.resources.limits.cpu=1 \
  --set controller.resources.limits.memory=1Gi \
  --wait

engedaam
engedaam approved these changes Mar 11, 2024
View reviewed changes
Copy link
Contributor

@engedaam engedaam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@jonathan-innis jonathan-innis merged commit 9ac7285 into aws:main Mar 11, 2024
28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@engedaam engedaam engedaam approved these changes

@njtran njtran Awaiting requested review from njtran njtran is a code owner automatically assigned from aws/karpenter

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jonathan-innis @coveralls @engedaam