
fix: set security context for init intercept #3803


Conversation

@smehboub (Contributor) commented Feb 21, 2025

Fixes: #3804

@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch from 3334576 to 816a87b February 21, 2025 08:08
@smehboub smehboub changed the title fix: podSecurityContext for init intercept to fix: set security context for init intercept Feb 21, 2025
@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch from 816a87b to 140425b February 21, 2025 08:31
@thallgren (Member)
I suspect that this might be a breaking change. I would prefer to see an option to inject the securityContext as a whole from the helm-chart, similar to how we handle the resources for the init-container. We already have this in the chart's values.yaml:

agent:
  logLevel:
  resources: { }
  initResources: { }

Adding an

  initSecurityContext: {}

here, injecting its JSON as an environment variable (unless empty) in the deployment.yaml, and then adding the logic needed to use that environment variable would make the securityContext fully configurable.
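The approach sketched in the comment above (a values.yaml entry injected as a JSON environment variable, decoded by the agent, with the NET_ADMIN default kept when nothing is configured) as an added example. This is not code from the telepresence repository or from this PR: the environment variable name AGENT_INIT_SECURITY_CONTEXT, the Helm snippet in the comment, and the cut-down SecurityContext struct standing in for corev1.SecurityContext are all assumptions made so the example runs without the Kubernetes API dependency.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Capabilities and SecurityContext are a minimal stand-in for
// corev1.SecurityContext (k8s.io/api/core/v1), assumed here so the example
// runs offline. JSON tags match the real type for the subset of fields used.
type Capabilities struct {
	Add  []string `json:"add,omitempty"`
	Drop []string `json:"drop,omitempty"`
}

type SecurityContext struct {
	Capabilities *Capabilities `json:"capabilities,omitempty"`
	RunAsUser    *int64        `json:"runAsUser,omitempty"`
	RunAsNonRoot *bool         `json:"runAsNonRoot,omitempty"`
	Privileged   *bool         `json:"privileged,omitempty"`
}

// InitSecurityContextEnv is a hypothetical variable name. The chart's
// deployment.yaml would set it only when the value is non-empty, e.g.:
//
//	{{- with .Values.agent.initSecurityContext }}
//	- name: AGENT_INIT_SECURITY_CONTEXT
//	  value: {{ toJson . | quote }}
//	{{- end }}
const InitSecurityContextEnv = "AGENT_INIT_SECURITY_CONTEXT"

// DefaultInitSecurityContext is what the init container gets when nothing is
// configured: the NET_ADMIN capability that the review says must remain.
func DefaultInitSecurityContext() *SecurityContext {
	return &SecurityContext{Capabilities: &Capabilities{Add: []string{"NET_ADMIN"}}}
}

// InitSecurityContext decodes the override from raw when it is non-empty and
// returns the default otherwise. A non-empty but malformed value is an error,
// not a silent fallback, so a typo in values.yaml cannot quietly hand the init
// container a securityContext the operator did not intend.
func InitSecurityContext(raw string) (*SecurityContext, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" || raw == "{}" {
		return DefaultInitSecurityContext(), nil
	}
	dec := json.NewDecoder(strings.NewReader(raw))
	// Reject keys the type does not know. With the real corev1.SecurityContext
	// this catches misspelled fields; with this cut-down stand-in it also
	// rejects legitimate fields the stand-in omits (e.g. seccompProfile).
	dec.DisallowUnknownFields()
	var sc SecurityContext
	if err := dec.Decode(&sc); err != nil {
		return nil, fmt.Errorf("%s: invalid securityContext JSON: %w", InitSecurityContextEnv, err)
	}
	return &sc, nil
}

// HasCapability reports whether sc adds the named capability. The override
// replaces the default wholesale, so callers can use this to warn when an
// override silently drops NET_ADMIN.
func HasCapability(sc *SecurityContext, name string) bool {
	if sc == nil || sc.Capabilities == nil {
		return false
	}
	for _, c := range sc.Capabilities.Add {
		if c == name {
			return true
		}
	}
	return false
}

func main() {
	sc, err := InitSecurityContext(os.Getenv(InitSecurityContextEnv))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if !HasCapability(sc, "NET_ADMIN") {
		fmt.Fprintln(os.Stderr, "warning: init securityContext override does not add NET_ADMIN")
	}
	out, _ := json.Marshal(sc)
	fmt.Println(string(out))
}
```

Run it with the variable unset to see the default, or with `AGENT_INIT_SECURITY_CONTEXT='{"runAsNonRoot":true}'` to see the whole-context replacement and the NET_ADMIN warning that replacement triggers.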

@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch 2 times, most recently from 68b2fe7 to 62c0073 February 22, 2025 01:20
@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch 12 times, most recently from a3bac92 to 7a92810 February 22, 2025 03:43
@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch from 7a92810 to 1b088e0 February 22, 2025 03:46
@thallgren (Member) left a comment

Looks promising, but it removes the default securityContext with the NET_ADMIN capability. That's still a breaking change. The default must remain.

@smehboub smehboub force-pushed the fix/podSecurityContext-for-init-intercept branch from c49fba9 to 6e7fa64 February 23, 2025 14:14
@smehboub (Contributor, Author)

Looks promising, but it removes the default securityContext with the NET_ADMIN capability. That's still a breaking change. The default must remain.

Hello @thallgren
Thank you very very much for the review.

@smehboub smehboub requested a review from thallgren February 23, 2025 14:25
@thallgren thallgren added the "ok to test" label Feb 23, 2025
@github-actions github-actions bot removed the "ok to test" label Feb 23, 2025
@thallgren (Member) left a comment

Looks great. Thanks for providing this!

@thallgren thallgren merged commit 1b67352 into telepresenceio:release/v2 Feb 23, 2025
11 checks passed
Development

Successfully merging this pull request may close these issues.

backoff restarting of the agent-init when PodSecurityContext is set