pns executor w/ security context not working with vault injector #6030
Comments
…goproj#6030 Signed-off-by: Alex Collins <alex_collins@intuit.com>
@rwong2888 I've created a fix for your problem. Could I ask you to test it? You'll need to use
Looks improved, but unable to kill
OK. So we need to do more. Not only does the I've just pushed changes that log out more diagnostics (group/user ID/group ID). Could you please run it? @jessesuen any thoughts on this?
Waiting for new image to build. In the meantime, if anyone needs to follow along. Added executor to pull always to workflow-controller-configmap
Added dev-root image to workflow-controller deployment.
I'm not sure this is fixable, the injected sidecar will be running with another user ID presumably? Can you confirm?
I exec'd into the vault sidecar and see this.
I think I can change the user with an annotation:
I was able to progress further with below set up. But it is now failing on output results.
Side note: run-as-same-user yields below.
This looks like the vault webhook is preventing creation of the workflow pod?
The side note is just informative.
wait container logs?
I reverted the executor back to v3.1.0-rc8 and it is passing the previous error. It is now failing on kaniko step. Kaniko needs to run as root, but is not overriding the workflow defaults.
Can I ask you to try using the Emissary executor? We need to make a value call on this, and it might not be possible or easy to get this working with PNS, and if Emissary works for you, I don't really see that we need to fix PNS. You'll need to be running v3.1.
Emissary is not killing the vault sidecar and not able to pass the first step in the workflow.
I should mention you must run the v3.1 controller with the emissary. Unlike other executors, the controller kills the sidecar. Can you check the controller logs?
Can you confirm which version of the
Yes, I see ash
the
when you ran
I was killing within the container... From outside.
…6030 Signed-off-by: Alex Collins <alex_collins@intuit.com>
@rwong2888 I've created a dev build for you to test
Do you think you'd please be able to test it?
…6030 Signed-off-by: Alex Collins <alex_collins@intuit.com>
Signed-off-by: Alex Collins <alex_collins@intuit.com>
It did not kill the vault-agent. Logs below.
I am also not able to run kaniko as root
@rwong2888 what version are you running please?
argo: v3.1.0-rc10
I'm using vault injector with pns executor. It works fine until I add security context to not run as root. Vault sidecar container not getting killed. Details below.