-
Notifications
You must be signed in to change notification settings - Fork 7.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Include all securityContext fields in injection template #17318
Comments
Do we have a maintenance problem? Will we need to keep changing Istio as the PSP admission controller has new fields? Would it be better to figure out a way to invert the PSP admission controller and the Istio sidecar injector webhook? Maybe this is a problem with PSP validation and we should discuss with that project? |
Adding all fields in the
This problem only exists when a webhook injects new containers into the pod spec, which is rather specific to Istio. |
What is the status on those? |
It's WIP in #17427. |
* Add all securityContext fields in injected containers Fixes #17318 * Update injection unit tests
…19832) * Add all securityContext fields in injected containers Fixes #17318 * Update injection unit tests Co-authored-by: Romain Lenglet <[email protected]>
@rlenglet one of our customers is asking this feature to be supported by istioctl and cherry picked in 1.4 release. Can we do that? |
The installer was patched in time for 1.4.3, but the operator was not updated for that release for some reason. |
@rlenglet that's a shame! Is that because of the way that istio/operator, istio/installer and istio/istio were related for 1.4.x releases? (I see that installer & operator have both been subsumed into the main istio repo now.) |
Yes, commit SHAs have to be explicitly picked up in each release branch. Istio 1.5 won't have that problem. But we still have to update SHAs manually in |
Fixing this with #20286. This will make it into Istio 1.4.4. |
…stio#19832) * Add all securityContext fields in injected containers Fixes istio#17318 * Update injection unit tests Co-authored-by: Romain Lenglet <[email protected]>
…stio#19832) * Add all securityContext fields in injected containers Fixes istio#17318 * Update injection unit tests Co-authored-by: Romain Lenglet <[email protected]>
Bug description
Istio's sidecar injection webhook rewrites the pod spec to inject the Istio containers, after the pod spec has been rewritten by the PodSecurityPolicy admission controller to match the applied PSP, but also before the PSP validation (see #12231 for more details). In the case the spec injected by Istio would need to be mutated by the PSP admission controller, esp. if the Istio container specs are missing some fields in their
securityContext
which would be injected by the PSP admission controller, the PSP validation would reject the resulting pod spec, and the pods couldn't be created. In the case of aDeployment
, theReplicaSet
description would show an error like:This problem concerns only automatic sidecar injection. Manual injection doesn't have this problem, because in this case the
istioctl kube-inject
is executed before the deployment is created, and therefore before the PSP admission controller mutates the pod spec.To observe the mutations done by the PSP admission controller (and other controllers):
Deployment
.Deployment
manually withistioctl kube-inject
and create it.Deployment
and the createdPod
.For instance for an injected
istio-proxy
container, the diff may look like:The relevant mutations are in the
securityContext
of the injected containers, and some annotations:What annotations and fields are injected depends on which PSP the PSP admission controller matched with the pod spec.
Both the security annotations and the fields in
securityContext
need to be injected by Istio's injection webhook in order for the resulting pod spec to pass PSP validation.This issue tracks updating Istio's default injection template to include all the
securityContext
fields in injected containers, even if to set them to default values, so that the PSP admission controller wouldn't need to add / mutate them.Injecting custom annotations is tracked in #17331.
Affected product area (please put an X in all that apply)
[x] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Version (include the output of
istioctl version --remote
andkubectl version
)All Istio versions.
Environment where bug was observed (cloud vendor, OS, etc)
Any cluster with pod security policy enabled.
The text was updated successfully, but these errors were encountered: