Skip to content

fix: set security context for init intercept #3803

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Feb 23, 2025
Merged

fix: set security context for init intercept #3803

merged 3 commits into from
Feb 23, 2025

Conversation

smehboub
Copy link
Contributor

@smehboub smehboub commented Feb 21, 2025
edited
Loading

Fixes: #3804

@smehboub smehboub mentioned this pull request Feb 21, 2025
Closed
@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch from 3334576 to 816a87b Compare February 21, 2025 08:08
@smehboub smehboub changed the title fix: podSecurityContext for init intercept fix: set security context for init intercept Feb 21, 2025
@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch from 816a87b to 140425b Compare February 21, 2025 08:31
@thallgren
Copy link
Member

I suspect that this might be a breaking change. I would prefer to see an option to inject the securityContext as a whole from the helm-chart, similar to how we handle the resources for the init-container. We already have this in the chart's values.yaml:

agent:
  logLevel:
  resources: { }
  initResources: { }

Adding a

  initSecurityContext: {}

here, inject its JSON as an environment variable unless empty in the deployment.yaml, and then add the logic needed to use that environment variable, would make the securityContext fully configurable.

@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch 2 times, most recently from 68b2fe7 to 62c0073 Compare February 22, 2025 01:20
@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch 12 times, most recently from a3bac92 to 7a92810 Compare February 22, 2025 03:43
@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch from 7a92810 to 1b088e0 Compare February 22, 2025 03:46
thallgren
thallgren requested changes Feb 23, 2025
View reviewed changes
Copy link
Member

@thallgren thallgren left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks promising, but it removes the default securityContext with the NET_ADMIN capability. That's still a breaking change. The default must remain.

@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch from c49fba9 to 6e7fa64 Compare February 23, 2025 14:14
@smehboub
Copy link
Contributor Author

Looks promising, but it removes the default securityContext with the NET_ADMIN capability. That's still a breaking change. The default must remain.

Hello @thallgren
Thank you very very much for the review.

@smehboub smehboub requested a review from thallgren February 23, 2025 14:25
@thallgren thallgren added the ok to test Applied by maintainers when a PR is ready to have tests run on it label Feb 23, 2025
@github-actions github-actions bot removed the ok to test Applied by maintainers when a PR is ready to have tests run on it label Feb 23, 2025
thallgren
thallgren approved these changes Feb 23, 2025
View reviewed changes
Copy link
Member

@thallgren thallgren left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great. Thanks for providing this!

@thallgren thallgren merged commit 1b67352 into telepresenceio:release/v2 Feb 23, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thallgren thallgren thallgren approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

backoff restarting of the agent-init when PodSecurityContext is set
2 participants
@smehboub @thallgren